I did not find any public reports of the downloader svchostc.exe (1d47bd7706b2032aa41257c92cb0e3b1), and even though the sample is classified as malicious by many AV products, they only give it generic names. While trying to find other samples, I stumbled upon this executable:
The version of the miner is saved as a filename in the directory CSIDL_LOCAL_APPDATA\svchostc, for example in C:\Users\User\AppData\Local\svchostc. The filename has the format wincache, where is the version number (as an integer). An example of such a file can be seen in the aforementioned GitHub repository with artifacts:
The DGA of a Monero Miner Downloader
The Tor-based downloader ships with Tor version 0.3.3.7, which it installs to %LOCALAPPDATA%\Temp\. It then tries to reach Google through the proxy at 127.0.0.1:9050 to check whether Tor is running; if that fails, it reinstalls the software and retries until the connection to Google over Tor succeeds.
An advertising network is hiding in-browser cryptocurrency miners (cryptojacking scripts) in the ads it serves on customer sites, and has been doing so since December 2017, according to revelations made over the weekend by the Qihoo 360 Netlab team.
Most of the ads served by this ad network are found on sites that offer free downloads or adult content. This is no surprise as Netlab previously discovered that almost half of all cryptojacking scripts (in-browser Monero miners) are deployed on porn sites.
The Kingminer botnet uses two main approaches in hosting the delivered content. The first one relies on servers that the criminals registered and manage themselves, usually using a simple time-coded domain name generation algorithm (DGA). These servers deliver the components with clearly malicious content.
For the not-so-obviously malicious things, the operators use public repositories provided by Github. This is where they store files like the xmrig miner payloads, reflective loader scripts, or the Mimikatz password stealer. These components are not necessarily malicious by themselves, but the context in which they are used (installed without user consent, by infecting the target computers) was clearly malicious.
Recently we have seen signs that the operators of the Kingminer botnet started experimenting with an EternalBlue spreader. We have witnessed this script being delivered to the infected systems but have not observed a successful infection as a result of the exploitation.
The primary payload and the most important component of the botnet is obviously the cryptominer program. In all of the identified cases, this was a variant of the public domain xmrig miner.
The miners are compiled into DLLs; the loader code locates the export named a and executes it. This is an unusual design: in other attacks of this type, the miners are compiled into standalone executables.
Interestingly, in addition to this main export, the miners also export the same SetDesktopMonitorHook and ClearDesktopMonitorHook functions as the side-loader DLLs, and both of these functions call the main exported function a.
Kingminer is one of the many medium-sized criminal enterprises that are more creative than the groups that simply use builders purchased from underground marketplaces. The threat actors behind Kingminer build their own solutions. In doing so they are cost-effective, adopting open source solutions available in public code repositories.
As long as the sources of new tools and exploits are published, groups like Kingminer can and will continue to implement them into their arsenal, accelerating the adoption of the exploits and exploit techniques in the lower level tiers of criminality.
Core: just a reminder that there are breaking changes in 0.8.8 to prevent a transaction dust attack on the block reward. Because of the block reward penalty, it was previously possible to constantly reduce the block reward down to nearly zero, which is what has been fixed. You can see this quite dramatically on the Block Reward chart on monerochain.info, where our average block reward plummeted by around 13% on May 25 - 27 as the fix was tested, deployed, and miners began adopting it. Please don't forget that simplewallet using the older code will not add the correct transaction fees, causing transactions to sit in the mempool for several days before being rejected.
Crypto: DGA has done an incredible job of optimising the PoW hashing code, and has vastly improved the speed at which it operates. This makes syncing the blockchain faster, as well as improves the speed at which miners can run and pools can verify work.
Mining: Wolf has worked hard on optimising and tweaking LucasJones miner. If you are mining, it is strongly suggested you give Wolf's fork of cpuminer-multi a spin. Because it takes advantage of AES-NI you may find that reducing the number of threads down to around half of the number of cores in your computer is the most efficient.
In 2019 Phorpiex started utilizing an XMRIG miner to monetize the hosts with Monero. This module is included in almost all bot installations at the time of infection and communicates primarily over port 5555. This behavior might be coupled with other malware, but in this instance, it is associated with the masqueraded system process used by the rest of the Phorpiex implant (i.e., SVCHOST.exe or LSASS.exe).
The miner is downloaded as a module masquerading as WINSYSDRV.exe. It stores its configuration locally and checks it periodically. To read its configuration and to mine, the miner uses additional masqueraded system processes injected into legitimate processes.
Microsoft 365 Defender leverages the capabilities and signals from the Microsoft 365 security portfolio to correlate threat data from endpoints, email and data, identities, and cloud apps to provide comprehensive protection against threats. Microsoft Defender for Endpoint detects and blocks malware, other malicious artifacts, and malicious behavior associated with botnet activity, as well as the deployment of secondary payloads like cryptocurrency miners and ransomware. Features like attack surface reduction, tamper protection, and security controls for removable media further help prevent these attacks and harden networks against threats in general. Microsoft Defender for Office 365 detects the malicious attachments and URLs in emails generated by the mailing operations of the Phorpiex botnet.
The operators behind the Kingminer botnet have recently started targeting vulnerable Microsoft SQL Server databases using brute-force methods in order to mine cryptocurrency, according to research released this week from security firm Sophos.
The Kingminer botnet, which has been active since 2018, is also now targeting unpatched SQL Server databases in an effort to exploit both the BlueKeep and EternalBlue vulnerabilities, according to Sophos.
In addition to exploiting known vulnerabilities, the operators behind the botnet are using malware such as the Gh0st remote access Trojan, the Gates backdoor and the Mimikatz password stealer in order to infect the SQL Server databases and inject the cryptominer, the report notes.
Once a SQL Server database is infected, the botnet installs a cryptominer called XMRig that mines the Monero cryptocurrency, according to the report written by Sophos researchers Gabor Szappanos and Vikas Singh.
It is unclear how many systems this botnet has infected. Because of the malware's use of publicly available exploitation tools, the researchers believe that the Kingminer operators are likely to expand the size of their operation.
"Kingminer is one of the many medium-sized criminal enterprises who are more creative than the groups who simply use builders purchased from underground marketplaces," the report says. "As long as the sources of new tools and exploits are published, groups like Kingminer can and will continue to implement them into their arsenal, accelerating the adoption of the exploits and exploit techniques in the lower level tiers of criminality."
The Kingminer botnet establishes an initial foothold in a SQL Server database using brute-force methods to guess the right combination of username and password, according to Sophos. The botnet then downloads various malware components from two separate servers controlled by its operators.
The first is a domain generation algorithm server, essentially a command and control server, that delivers the malicious content. The second is a public GitHub repository that hosts non-malicious tools such as the XMRig miner, reflective loader scripts and the Mimikatz password stealer, the report says.
"The EternalBlue exploitation by Kingminer is still in early stage, and we have not seen successful infections with it," Szappanos tells Information Security Media Group. "It is not unusual to use this exploit. Just like in the case of SQL attacks, once the tools become available, criminal groups happily take it and use it."
The Sophos researchers also found that Kingminer will look to see if the infected SQL Server is vulnerable to the BlueKeep vulnerability. If it is, the operators will attempt to disable the remote desktop protocol access to prevent other cybercriminals and botnets from exploiting the same vulnerability.