Hiding malware downloads in Taylor Swift pics! New SophosLabs report
By Paul Ducklin | Thu, 19 Dec 2019 16:03:43 +0000
SophosLabs just published a new report on an intriguing but lesser-known part of the malware scene known as MyKings.
You probably haven’t heard of MyKings, mainly because it’s not ransomware and the gang isn’t currently slamming businesses up against the wall by demanding money, so it hasn’t made big enough waves to make the headlines.
In simple terms, MyKings is all about illicit Monero cryptomining, and at the current low price of Monero, our researchers estimate that on some days the crooks are only making about $300.
For all we know, MyKings might be little more than a sideline hobby for the people running it (albeit a hobby pulling in a quiet and untaxed $100,000 a year, of course).
Compared to the multimillion dollar extortions that some cybercrime gangs are demanding for ransomware recovery, it’s easy to write off malware like MyKings as unimportant and therefore not worth trying to learn from.
But that couldn’t be further from the truth, because the MyKings story gives a fascinating insight into a type of cybercrime that involves a huge amount of complexity, and has a surprising reach.
According to SophosLabs research, the MyKings crew:
- Currently have about 45,000 infected computers in their Monero-mining botnet, up from about 35,000 a year ago.
- Can upgrade their malware code on infected computers at will.
- Are using surprisingly sophisticated ‘rootkit’ tricks to get kernel access and to avoid detection.
- Also go after your local cryptocoin wallets.
- Employ a ‘fileless’ password stealing tool to crack passwords and spread on your network.
- Use the ETERNALBLUE exploit to spread.
- Kill off numerous security products or stop them loading at all.
- Get rid of rival cryptomining software and other programs of their choice.
- Rewrite your firewall rules to keep rival crooks out.
- Hide malware downloads inside innocent-looking images to complicate detection.
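The last point on that list is the one defenders can check for most directly. The post does not say how the images are used, so the example below is an added illustration of my own, not code from SophosLabs or from the report, and it assumes the simplest form of the trick: a payload glued onto the end of an otherwise valid picture, after the JPEG EOI marker or the PNG IEND chunk, so that the file still opens as an image. The checker walks the real structure of both formats to find where the picture ends (honouring JPEG byte stuffing and restart markers, so a stray FF D9 inside the scan data is not mistaken for the end) and reports anything that follows. The sample images and the stub payload are constructed inline and contain no real malware.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_end_offset(data: bytes):
    """Walk PNG chunks and return the offset just past the IEND chunk,
    or None if the data is not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        pos += 12 + length          # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            return pos
    return None


def jpeg_end_offset(data: bytes):
    """Walk JPEG marker segments and return the offset just past the EOI
    marker (FF D9), or None if the structure is not recognised.
    Inside entropy-coded scan data FF 00 is byte stuffing and FF D0..D7
    are restart markers, so neither is treated as the end of the image."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                              # fill byte, skip it
            pos += 1
            continue
        if marker == 0xD9:                              # EOI: picture ends here
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:    # standalone markers
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:                              # SOS: scan data follows
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break                               # a real marker
                pos += 1
    return None


def find_trailing_payload(data: bytes):
    """Return (format, trailing_bytes) for a JPEG or PNG, or None if the
    data is neither. trailing_bytes is empty for a clean image."""
    for fmt, finder in (("png", png_end_offset), ("jpeg", jpeg_end_offset)):
        end = finder(data)
        if end is not None:
            return fmt, data[end:]
    return None


# --- constructed sample files: a 1x1 PNG, a minimal JPEG, and a harmless stub ---

def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


CLEAN_PNG = (PNG_SIG
             + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
             + _png_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))
             + _png_chunk(b"IEND", b""))

CLEAN_JPEG = (b"\xff\xd8"                                                      # SOI
              + b"\xff\xe0" + struct.pack(">H", 16)
              + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"                 # APP0
              + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"  # SOS
              + b"\x12\x34\xff\x00\x56"                                        # scan data
              + b"\xff\xd9")                                                   # EOI

FAKE_PAYLOAD = b"MZ" + b"\x90" * 14 + b"constructed-stub"   # not a real executable


def scan_samples():
    """Run the check over the constructed samples; returns
    name -> (format, trailing byte count, trailer starts with 'MZ')."""
    samples = {
        "clean.png": CLEAN_PNG,
        "clean.jpg": CLEAN_JPEG,
        "stuffed.png": CLEAN_PNG + FAKE_PAYLOAD,
        "stuffed.jpg": CLEAN_JPEG + FAKE_PAYLOAD,
    }
    report = {}
    for name, blob in samples.items():
        fmt, trailer = find_trailing_payload(blob)
        report[name] = (fmt, len(trailer), trailer[:2] == b"MZ")
    return report


if __name__ == "__main__":
    for name, (fmt, extra, looks_pe) in scan_samples().items():
        flag = "SUSPICIOUS" if extra else "ok"
        print(f"{name:12s} {fmt:4s} trailing={extra:3d} MZ-header={looks_pe} {flag}")
```

Pointed at a directory of images pulled from a proxy cache or mail gateway, any non-zero trailer is worth a second look; a trailer beginning with `MZ` is a Windows executable riding on the picture, but an encrypted or otherwise encoded blob would show up only as unexplained extra bytes, which is still the signal to act on.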
In other words, if you measure the threat of MyKings only in terms of the financial cost of its most obvious side effect, namely the electricity it steals to mine Monero…
…you’re missing a lot of vital lessons.
If the MyKings gang suddenly decided to give up on the cryptomining, for example, the flexible way in which their malware can reconfigure itself via the internet means that they could switch over to almost any other sort of malware-based cybercrime they liked.
Or they could just sell on their whole botnet, complete with auto-upgrade functionality, and who knows where your cybersecurity might go next?
Get the report
The MyKings report was produced by experienced and well-respected researcher Gabor Szappanos, also known as Szapi, whom many of our readers will already know from his previous research papers.
Szapi doesn’t just give you a detailed and informative review of how real-world multi-component malware operates and evolves.
He also tells the story in a way that helps you plan your defences well, and reminds you not to judge a malware book by its cover.
Read the paper now!