The operators of a cryptocurrency-mining botnet are currently using an image of pop singer Taylor Swift to hide malware payloads they send to infected computers — as part of their normal infection chain.
The name of the botnet is MyKingz, also known as Smominru, DarkCloud, or Hexmen, depending on the cyber-security firm whose report you’re reading.
A short history of the MiKingz botnet
MyKingz was first spotted in late 2017. Since then, the botnet has been the largest crypto-mining malware operation on the market.
The group behind MyKingz primarily focuses on infecting Windows systems, where they deploy various cryptocurrency-mining apps, which they use to generate profits by an infected device’s resources.
The botnet features one of the most diversified internet scanning and infection mechanisms seen in malware botnets. If there’s a port or vulnerability to be scanned or exploited, MyKingz is involved to some degree. Everything is targeted, from MySQL to MS-SQL, from Telnet to SSH, and from RDP to rarer stuff like IPC and WMI.
This has allowed the botnet to grow very quickly. In its first months of life, MyKingz reportedly infected more than 525,000 Windows systems, earning its creator(s) more than $2.3 million worth of Monero (XMR).
As the MyKingz gang is also a big fan of the EternalBlue exploit, the botnet buries deep inside corporate networks, and its estimated size of half a million bots is most likely much larger.
While some thought the botnet had died out since the last reports in early 2018, Guardicore and Carbon Black reports published over the summer revealed that the botnet was still very much alive, still infecting a large number of computers, estimated at around 4,700 new systems per day.
The Taylor Swift image
The latest development in this botnet’s modus operandi was spotted this month by UK-based security firm Sophos. The change isn’t a big deal in the grand scheme of things, but it’s both interesting and funny.
As MyKingz’s internet scanning module identifies vulnerable hosts and gains a foothold on infected computers, they need a way to deploy various malware payloads on the hacked systems.
According to Sophos, the MyKingz crew is now experimenting with steganography, a technique that allows them to hide malicious files inside legitimate ones.
In this case, the MyKingz crew is hiding a malicious EXE inside a JPEG image of pop singer Taylor Swift.
The purpose of using this technique is to trick security software running on enterprise networks. These security products will only see a host system downloading a banal JPEG file, rather than a much dangerous EXE file.
MyKingz is not, by any chance, the first malware gang to use steganography or an image of a celebrity. Last year, another malware gang used an image of actress Scarlett Johansson to deploy malware on hacked PostgreSQL databases.
In recent months, malware gangs have also evolved away from images altogether, with some malware operations experimenting with other file formats for steganography-based attacks, such as WAV audio files.
But while this might be a funny observation in recent MyKingz attacks, the use of a Taylor Swift image to hide malware is not the real issue here.
The real issue is that MyKingz has proven to be one of the biggest threats to Windows computers and enterprise networks for the past two years. Any system left unpatched or with unprotected ports is very likely to be compromised by this botnet.
Sophos estimates that MyKingz operators are currently making around $300/day, on average, bringing their historical total to around 9,000 XMR, worth more than $3 million today. Sophos’ latest report on MyKingz is available as a PDF file, here.