A well-known botnet group is currently using an image of Taylor Swift to shield its malware from virus scanners. The goal of this technique is to hide and implant malicious code that uses the victim's computing resources to mine cryptocurrency.
A robot network, popularly called a botnet, is a network of devices each acting as a bot in the ecosystem. Such networks have legitimate uses in communication, but attackers also build them for denial-of-service attacks.
The MyKings Mafia
A botnet called MyKings (also known as Smominru, Hexmen, DarkCloud and other names given by various security groups) has been in the wild since late 2017. MyKings rose to the top of the malicious-operations industry in less than a year. It is sophisticated enough to have actively exploited more than 500,000 systems with its botnet and to have earned over $3 million to date.
The botnet's primary activity is to scan the web for vulnerable systems and deploy its malicious payload. To do so, it breaks in through exposed or weakly protected services such as Telnet, WMI, SSH, MySQL, MS-SQL, RDP and IPC, and once inside a system it crawls across the entire network where possible. Once settled, it drops miners that mine cryptocurrency remotely.
The EternalBlue exploit further helps MyKings, which uses it to circumvent security checks and actively penetrate corporate networks. At present, MyKings has been found trying a new method of operation using steganography, in which it hides its payload behind an image and thereby bypasses antivirus security scans.
The Mining Hack
As discovered by the security firm Sophos, this botnet is now using steganography to hide its payload (in .exe format) within images. Its latest method is to hide an executable (.exe) file inside a JPEG image of Taylor Swift.
Because antivirus software sees only a legitimate-looking JPEG file, the hidden .exe file gets executed and runs a cryptocurrency miner that earns Monero. All the mined coins are sent to the creators, who earn about $300 a day. There have been other incidents where such botnets tried hiding behind WAV files and other media.
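A defender's first check against the trick described above is to ask whether a JPEG contains anything after the image actually ends. The following is an added example, not code from Sophos or from the MyKings operators: it walks the JPEG marker segments to find the real End-Of-Image marker (a plain search for the last FFD9 would be fooled by that byte pair occurring inside an appended payload), then inspects whatever trails the image for an MS-DOS/PE executable header. The sample images and the fake PE stub are constructed inline; the layout it assumes (payload appended after EOI, starting with an "MZ" header) is an assumption about this family of samples, not something the article specifies.

```python
"""
Detect executables appended to a JPEG image (constructed defensive example).

Assumption: the hidden payload follows the image's End-Of-Image marker and
begins with an MS-DOS "MZ" header whose e_lfanew field points at "PE\0\0".
Real samples may differ; treat any trailing data as suspicious regardless.
"""
import struct
import sys

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"


def jpeg_image_length(data: bytes) -> int:
    """Return the byte length of the JPEG proper, i.e. the offset just past EOI."""
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte, skip it
            pos += 1
            continue
        pos += 2
        if marker == 0xD9:          # EOI: the image ends here
            return pos
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
            continue                # standalone markers carry no length field
        if pos + 2 > len(data):
            raise ValueError("truncated segment header")
        seg_len = struct.unpack(">H", data[pos:pos + 2])[0]
        pos += seg_len              # length includes the two length bytes
        if marker == 0xDA:          # SOS: skip entropy-coded data to the next marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and nxt != 0xFF \
                        and not 0xD0 <= nxt <= 0xD7:
                    break           # a real marker, not a stuffed byte or RSTn
                pos += 1
    raise ValueError("no EOI marker found")


def classify_trailing(trailing: bytes) -> str:
    """Label data found after EOI: clean, appended-pe, appended-mz or appended-unknown."""
    if not trailing:
        return "clean"
    if trailing[:2] == b"MZ" and len(trailing) >= 0x40:
        pe_off = struct.unpack_from("<I", trailing, 0x3C)[0]   # e_lfanew
        if trailing[pe_off:pe_off + 4] == b"PE\x00\x00":
            return "appended-pe"
        return "appended-mz"
    return "appended-unknown"


def inspect_jpeg(data: bytes) -> dict:
    """Split a file into image and trailing bytes and report a verdict."""
    img_len = jpeg_image_length(data)
    trailing = data[img_len:]
    return {"image_bytes": img_len,
            "trailing_bytes": len(trailing),
            "verdict": classify_trailing(trailing)}


# --- constructed samples (not real malware) ---------------------------------
def _minimal_jpeg() -> bytes:
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    # entropy data containing a stuffed FF 00 and an RST0 marker, both of
    # which the walker must not mistake for the end of the image
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    return JPEG_SOI + app0 + sos + scan + JPEG_EOI


def _fake_pe_stub() -> bytes:
    stub = bytearray(0x48)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    stub[0x40:0x44] = b"PE\x00\x00"
    return bytes(stub)


SAMPLE_CLEAN = _minimal_jpeg()
SAMPLE_TROJANIZED = _minimal_jpeg() + _fake_pe_stub()

if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:
        for p in paths:
            with open(p, "rb") as f:
                print(p, inspect_jpeg(f.read()))
    else:
        print("clean sample:     ", inspect_jpeg(SAMPLE_CLEAN))
        print("trojanized sample:", inspect_jpeg(SAMPLE_TROJANIZED))
```

Run it with one or more file paths to triage JPEGs from a mail gateway or a web proxy cache; any verdict other than "clean" deserves a closer look, since a benign image has no reason to carry a PE header after its EOI marker.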
Source: Sophos