MyKings botnet conceals code in Taylor Swift image

News by Rene Millman

A cryptomining botnet is using code hidden in a Taylor Swift photo to infect computers around the world.

According to a report by researchers at Sophos, the MyKings botnet (also known as DarkCloud and Smominru) spreads by attacking weak username/password combinations in MySQL, MSSQL, telnet, ssh, IPC, WMI, RDP, and in closed-circuit TV servers, and additionally uses the EternalBlue exploit for lateral movement.

So far, the malware has infected 45,000 hosts and the top countries for the malware were China, Taiwan, Russia, Brazil, United States, India, and Japan. Researchers said that infections were also spotted in other countries too.

While the malware was first spotted in 2017, one variant uses an image of Taylor Swift to conceal malicious code via steganographic techniques, increasing its chances of evading detection by security products. A closer look at the picture file reveals that, beyond the image content, it contains an appended executable: a VMProtect-packed version of the SQL brute forcer. This way an update of the brute-forcer tool could be disguised as the download of an innocent image file.

During the initial infection processes, the botnet secures the computer; removes processes, files, and settings belonging to malware families operated by other threat actors; and closes the communication ports that could be used to re-infect the computer. The main payloads are the Forshare trojan and various Monero cryptominers.

The criminals behind the malware have made about 9,000 XMR in the past, estimated to be worth about US$3 million (£2.3 million). MyKings' current income is more moderate (mainly due to the huge drop in the Monero exchange rate), but the botnet is still mining about US$300 (£240) per day. The group also prefers to use open source or other public domain software and has the skills to customise and enhance the source code.

"High-end or nation-state sponsored cyber-attackers have the resources to purchase or develop zero-day exploits themselves. On the flip side, low-end cyber-criminals use cheap or free builder kits available in underground, dark web forums, but lack the skills to do anything except execute the builders," said Gabor Szappanos, report author and threat research director, SophosLabs. 

Szappanos added that the MyKings group is in between these two categories; they are the ‘SMB of cyber-crime.’ These criminals don’t invest money into expensive tools, but they have the skills and development power to modify and enhance open source components. 

"Their modus operandi is to invest significant amounts of development time into customising the public domain tools they are using. This is a reminder that cyber-criminals are enhancing their capabilities all the time and defenders should adopt this mindset for best security practices," he said.

The report's author urged organisations to keep computers up to date with security patches, change default passwords, and use strong, unique passwords in order to prevent infections.
