Sophos experts have noted that the MyKingz botnet, also known as Smominru, DarkCloud, and Hexmen, now uses steganography to infect targeted machines. For this purpose, the criminals chose a JPG file: a photo of the singer Taylor Swift.
The MyKingz botnet was first discovered by experts at the end of 2017. Since then, it has become one of the largest mining threats in the world. Researchers acknowledge that MyKingz has one of the most serious and well-thought-out infection mechanisms on the botnet "market". The malware does not overlook any port that can be scanned or any vulnerability that can be exploited. Everything from MySQL to MS-SQL, from Telnet to SSH, and from RDP to rarer things like IPC and WMI is in the botnet's sights.
Thanks to this approach, the botnet has grown very quickly. In just the first months of its existence, MyKingz reportedly infected more than 525,000 Windows systems, bringing its operators more than $2.3 million (about 8900 Monero).
Worse, since the malware's developers often use the EternalBlue exploit, the threat often penetrates corporate networks, which means that the actual size of the botnet and the proceeds of the criminals are likely to be much higher than the figures cited by experts. For example, Sophos estimates that MyKingz's operators currently receive about $300 a day, bringing their total revenue to about 9,000 XMR, which at the current rate is more than $3 million.
Although some experts thought that the botnet had ceased to exist, reports by Guardicore and Carbon Black published this summer showed that the botnet is still alive and infecting many computers: about 4700 new systems per day.
Now, Sophos experts have noticed that the botnet's behavior has changed again. Since the MyKingz scan module only detects vulnerable hosts and establishes itself on infected computers, the hackers also need a way to deploy malware on the hacked systems. To do this, MyKingz operators are currently experimenting with steganography: a malicious EXE file is hidden inside a JPG image with a photo of singer Taylor Swift.
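A defender can screen downloaded images for this kind of hidden executable. The check below is an added example, not code from Sophos or from the original article; it assumes the EXE is stored as unencoded bytes inside the image (the article does not say how the file is embedded), and the function names and sample bytes are constructed for illustration.

```python
import struct

JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker plus first segment byte
PE_SIG = b"PE\x00\x00"       # signature that the DOS header's e_lfanew points to


def find_embedded_pe(data: bytes) -> list[int]:
    """Return offsets of plausible Windows PE images inside a JPEG byte string."""
    if not data.startswith(JPEG_SOI):
        return []                      # only image files are in scope here
    hits = []
    pos = data.find(b"MZ", len(JPEG_SOI))
    while pos != -1:
        # "MZ" alone occurs by chance in compressed image data, so also
        # require a sane e_lfanew (offset 0x3C) that lands on "PE\0\0".
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            pe_off = pos + e_lfanew
            if 0x40 <= e_lfanew <= 0x1000 and data[pe_off:pe_off + 4] == PE_SIG:
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def sample_pe_stub() -> bytes:
    """Constructed, non-functional PE header stub used only as test input."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)   # e_lfanew -> 0x80
    return bytes(dos) + PE_SIG + b"\x4c\x01" + bytes(18)


# Constructed sample: JFIF header, filler containing a decoy "MZ", end marker.
CLEAN_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 20 + b"MZ"
              + b"\x11" * 100 + b"\xff\xd9")
SUSPECT_JPEG = CLEAN_JPEG + sample_pe_stub()

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("suspect", SUSPECT_JPEG)):
        print(name, [hex(off) for off in find_embedded_pe(blob)])
```

A hit means the image deserves a closer look, not that it is malicious; a payload that is encrypted or encoded before embedding will not match this check.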