In a research report published on Thursday, two researchers from the cybersecurity firm Check Point Software Technologies said that the KingMiner virus, designed to mine Monero, first appeared half a year ago and is now changing to avoid detection. The malware even replaces older versions of itself when it encounters them on host computers.
What the researchers say
According to the company's experts, the mining virus keeps adding features and tools for evading emulation. The malware mainly manipulates files and creates a dependency that is critical during emulation. As a result, anti-virus software detects KingMiner at rates well below the actual ones.
How KingMiner works
The virus attacks Microsoft servers (mainly IIS/SQL). Its configuration allows it to use 75 percent of the attacked machine's CPU for XMR mining, but in reality it uses the full 100 percent of the CPU.
KingMiner also uses private mining pools to keep its operation secret and avoid being found. According to the researchers, the malware is currently found from Israel to India, Scandinavia, and Mexico.
The experts at Check Point Software Technologies believe the malware keeps succeeding because of these constant changes to its structure and code. They expect the virus to keep evolving next year and to become more widespread, with other mining malware copying some of its elements.