Researchers have published a new report on what they say is a “relentless” crypto mining botnet that lurks behind seemingly innocuous content like JPEG images of Taylor Swift.
The botnet — best known as MyKings (alternatively as DarkCloud or Smominru) — has been active since 2016, according to a Dec. 18 news release from Gabor Szappanos at SophosLabs.
While underpatched, "low-hanging fruit" on the internet, to use Sophos' phrasing, has long been vulnerable to its attacks, the actors behind MyKings have recently added bootkit functionality, which makes the botnet harder to detect and harder to remove completely.
$3M in Monero illicitly mined via MyKings to date
SophosLabs' report provides a full overview of the botnet's operations, which Szappanos characterizes as a "relentlessly redundant" attacker (redundant in the sense that its components can each restore the others) that mostly targets Windows-based services hosting database management systems such as MySQL and MS-SQL, network protocols such as Telnet, and even servers running CCTV camera storage.
The report notes that the botnet’s creators appear to prefer to use open source or other public domain software and are highly skilled at customizing and enhancing source code to insert custom components that can execute attacks and perform automated update processes.
The botnet launches a series of attacks against a server with the aim of delivering a malware executable, frequently a Trojan dubbed “Forshare,” which was found to be the most common payload on infected servers.
Forshare is used to ensure that various Monero (XMR) cryptominers run on the targeted hardware, with SophosLabs estimating that the botnet operators have earned roughly $3 million in Monero to date. This currently translates into an income of around $300 per day, owing to the cryptocurrency's recently lower valuation.
Not what she seems
Source: SophosLabs Uncut Report
In the studied example — an imperceptibly modified image of the pop star Taylor Swift — SophosLabs explains that the .jpg photo had been uploaded to a public repository, concealing within it an executable that would automatically update the botnet when downloaded.
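A practitioner reading this will want a quick way to tell whether a JPEG is "more than an image". The following Python is an added example, not code from the SophosLabs report or from this article: it walks the JPEG marker structure to find the End-of-Image marker, reports any bytes that follow it, and checks whether that trailer contains a Windows PE executable (an `MZ` header whose `e_lfanew` field points at a `PE\0\0` signature). The article does not say how the MyKings executable was embedded, so the appended-payload layout tested here, the minimal sample JPEG and the stand-in PE header are all constructed assumptions.

```python
"""Flag JPEG files that carry an appended payload after the EOI marker.

Added example; the sample image and the fake PE header below are constructed
test data, not material from the SophosLabs report.
"""
import struct
from typing import Optional

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
PE_MAGIC = b"MZ"


def find_jpeg_eoi(data: bytes) -> int:
    """Return the offset just past the EOI marker by walking marker segments.

    Raises ValueError if the data is not a structurally valid JPEG.
    """
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:            # EOI: the image proper ends here
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn: no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seg_len = struct.unpack_from(">H", data, pos + 2)[0]
        pos += 2 + seg_len
        if marker == 0xDA:
            # Start of Scan: entropy-coded data follows. Skip it until the next
            # real marker; 0xFF00 is a stuffed byte and 0xFFD0-D7 are restart markers.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def find_pe_in(blob: bytes) -> Optional[int]:
    """Offset of the first plausible PE image inside blob, or None."""
    start = 0
    while True:
        idx = blob.find(PE_MAGIC, start)
        if idx < 0 or idx + 0x40 > len(blob):
            return None
        e_lfanew = struct.unpack_from("<I", blob, idx + 0x3C)[0]
        sig_off = idx + e_lfanew
        if blob[sig_off:sig_off + 4] == b"PE\x00\x00":
            return idx
        start = idx + 1


def inspect_jpeg(data: bytes) -> dict:
    """Summarise how many bytes trail the image and whether they hold a PE file."""
    end = find_jpeg_eoi(data)
    trailer = data[end:]
    pe_rel = find_pe_in(trailer)
    return {
        "image_bytes": end,
        "trailing_bytes": len(trailer),
        "embedded_pe_offset": None if pe_rel is None else end + pe_rel,
    }


def build_sample_jpeg() -> bytes:
    """Constructed, marker-valid (not decodable) 1x1 JPEG used as test input."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sof0 = b"\x08\x00\x01\x00\x01\x01\x01\x11\x00"
    sos = b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"   # stuffed 0xFF and an RST0 marker
    seg = lambda m, body: m + struct.pack(">H", len(body) + 2) + body
    return JPEG_SOI + seg(b"\xff\xe0", app0) + seg(b"\xff\xc0", sof0) \
        + seg(b"\xff\xda", sos) + scan + JPEG_EOI


def build_fake_pe() -> bytes:
    """Constructed stand-in for an appended executable: DOS stub pointing at PE\\0\\0."""
    dos = bytearray(0x40)
    dos[0:2] = PE_MAGIC
    dos[0x3C:0x40] = struct.pack("<I", 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    print("clean image :", inspect_jpeg(build_sample_jpeg()))
    print("image + exe :", inspect_jpeg(build_sample_jpeg() + build_fake_pe()))
```

Image viewers stop at the EOI marker, so a file like the second case displays as a normal photo while carrying a complete executable behind it; the `trailing_bytes` count alone is a useful triage signal even when the trailer is packed or encrypted and no PE header is visible.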
SophosLabs’ research reveals the sophisticated nature of MyKings’ persistence mechanism, which perpetuates itself through aggressive repetition and self-updating procedures using multiple command combinations.
“Even if most of the components of the botnet are removed from the computer, the remaining ones have the capability to restore it to full strength simply by updating themselves. All of this is orchestrated using self-extracting RAR archives and Windows batch files.”
The report indicates that the countries with the highest number of infected hosts are currently China, Taiwan, Russia, Brazil, the United States, India and Japan.
Recent Monero crimes
In November, Cointelegraph reported that the software available for download on Monero’s official website, getmonero.org, had been briefly compromised to steal cryptocurrency and drain users’ wallets.
That same month, Slovak software security firm Eset revealed that cybercriminals operating a botnet known as Stantinko had been distributing a Monero cryptocurrency mining module via YouTube.
Source: CoinTelegraph
Articles listed with Cash Tech News as the author are either general information, or may have been imported from another website, to bring our readers a rich media experience that encompasses articles that we find interesting, as well as those curated by others.