Cyber security firm Check Point Research has found that the KingMiner cryptojacker, which mines the cryptocurrency Monero (XMR), is “evolving,” according to a company blog post published Nov. 30.

KingMiner was reportedly first detected in mid-June and has since evolved into two improved versions. The malware attacks Windows Servers and deploys various evasion methods to avoid detection. Per Check Point data, several detection engines have registered significantly decreased detection rates, while sensor logs have shown a growing number of KingMiner attacks.

The firm has been monitoring KingMiner activity over the past six months and concluded that the malware has evolved into two new versions. The blog post further explains:

“The malware continuously adds new features and bypass methods to avoid emulation. Mainly, it manipulates the needed files and creates a dependency which is critical during emulation. In addition, as part of the malware’s ongoing evolution, we have found many placeholders for future operations or upcoming updates which will make this malware even harder to detect.”

Check Point has determined that KingMiner uses a private mining pool to avoid detection of its activities: the pool’s API is turned off and the wallet is not used in any public mining pools. The attacks are reportedly widespread around the world.

According to the company’s findings, the malicious software attempts to guess passwords of the servers it attacks. Once a user downloads and executes the Windows Scriptlet file, it reportedly identifies the relevant Central Processing Unit (CPU) architecture of the device and downloads a payload ZIP file based on the detected CPU architecture.

If older versions of the attack files exist, the malware eventually kills the relevant .exe file process and deletes the files themselves. Check Point also notes that the file is not an actual ZIP file, but rather an XML file, which will circumvent emulation attempts.
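A defender-side check for the mismatch described above, where a download named as a ZIP actually contains XML. This is an added example, not code from Check Point or the original article; the file names and sample bytes are constructed, and the function names are hypothetical.

```python
import io
import zipfile

# ZIP signatures (local header, empty archive, spanned) and BOMs that may precede XML.
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")
BOMS = {b"\xef\xbb\xbf": "utf-8", b"\xff\xfe": "utf-16-le", b"\xfe\xff": "utf-16-be"}

def sniff(data: bytes) -> str:
    """Classify content by its leading bytes: 'zip', 'xml' or 'unknown'."""
    if data.startswith(ZIP_MAGICS):
        return "zip"
    encoding = "utf-8"
    for bom, enc in BOMS.items():
        if data.startswith(bom):
            data, encoding = data[len(bom):], enc
            break
    head = data[:256].decode(encoding, errors="ignore").lstrip()
    if head.startswith("<?xml") or (head.startswith("<") and head[1:2].isalpha()):
        return "xml"
    return "unknown"

def check_download(name: str, data: bytes) -> dict:
    """Flag files whose extension claims ZIP but whose content is something else."""
    claimed = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    actual = sniff(data)
    if actual == "zip":
        try:  # a valid signature is not enough; the archive must also parse
            zipfile.ZipFile(io.BytesIO(data)).close()
        except zipfile.BadZipFile:
            actual = "unknown"
    mismatch = claimed == "zip" and actual != "zip"
    return {"name": name, "claimed": claimed, "actual": actual, "mismatch": mismatch}

def real_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed sample")
    return buf.getvalue()

# Constructed samples: one genuine archive and three files that only claim to be one.
SAMPLES = {
    "update.zip": real_zip(),
    "payload.zip": b'<?xml version="1.0"?><root><item>constructed</item></root>',
    "bom.zip": b"\xef\xbb\xbf  <root/>",
    "truncated.zip": b"PK\x03\x04garbage",
}

if __name__ == "__main__":
    for sample_name, sample_data in SAMPLES.items():
        print(check_download(sample_name, sample_data))
```

A mismatch on its own is a triage signal rather than a verdict, so it is best correlated with what wrote the file and what opened it next.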

As Cointelegraph reported yesterday, Russian internet security company Kaspersky Lab has found that crypto mining malware became increasingly popular among botnets in 2018. During the Q1 2018 cryptojacking “boom,” the share of cryptojacking malware downloaded by botnets, out of total files, hit 4.6 percent — as compared with 2.9 percent in Q2 2017.

Botnets are therefore reportedly increasingly seen as a means of spreading crypto mining malware, with cybercriminals viewing cryptojacking as more favorable than other attack vectors.