MyKings Cryptomining Botnet Leverages EternalBlue FlawResearchers Also Find Malicious Code Hiding in Taylor Swift Image
The MyKings botnet, which has been spreading cryptominers and other malware over the last three years, continues to grow in sophistication and now uses steganography techniques to hide malicious code updates, according to a new analysis from Sophos Labs.
Sophos researchers found the malicious code hiding in a JPEG image of pop singer Taylor Swift in an unnamed public repository.
MyKings, which is also known as DarkCloud or Smominru, is leveraging the EternalBlue vulnerability in Windows to help the botnet spread through corporate networks, according to the Sophos Lab analysis.
EternalBlue is a U.S. National Security Agency exploit tool leaked by the Shadow Brokers gang in April 2017, which eventually gave the WannaCry ransomware its worm-like capability to spread from device-to-device. Although Microsoft released patches for EternalBlue two years ago, many Windows systems remain vulnerable to attack developing an exploit for the flaw (see: Eternally Blue? Scanner Finds EternalBlue Still Widespread).
"Enterprise users and CISOs should know that it's been more than two years since a patch has been released that eliminates the vulnerability that EternalBlue depends on," Andrew Brandt, a principal researcher at Sophos Labs who co-authored the report, tells Information Security Media Group. "If you still don't know whether or not you have Windows machines in your environment that haven't received patches in more than two years, you have much bigger problems than just MyKings."
The ability to spread cryptominers, Trojan backdoors and other malware has turned the MyKings botnet into a persistent money-maker for its creators. Since 2016, Sophos Labs estimates that cybercriminals have collected about $3 million in profits, mainly by mining monero virtual currency, which is currently trading at about $47.
Each day, the MyKings gang collects about $300 from its operation, a small sum that shows how persistent this botnet has become over the last three years by taking advantage of unpatched devices and leveraging its ability to scan and exploit unsecured ports and developers using open source code to add malicious tools, according to the Sophos report.
"For the past couple of years, this botnet has been a persistent source of nuisance-grade opportunistic attacks against the underpatched, low-hanging fruit of the internet," Sophos Labs researchers write in a blog post. "It's probably knocking at your firewall right now."
Ability to Spread
The Sophos analysis finds that since 2016, the MyKings botnet has infected at least 44,000 public-facing IP addresses, although the malicious network is likely much larger. An analysis by Carbon Black released in August found that the botnet may have infected over 500,000 vulnerable Windows devices around the world.
The botnet primarily targets Windows devices and looks for open and unsecure ports to enter into a network, according to Sophos. It poses brute-force attacks against, MY-SQL, MS-SQL, Remote Desktop Protocol and Telnet, according to the researchers. In one case, the botnet even took advantage of a flaw in a server responsible for storing data from closed-circuit cameras.
The MyKings botnet has spread across the globe in the past three years, including to the U.S., China, Russia, Brazil and Japan, according to Sophos.
Once inside a device, the MyKings botnet tries to take advantage of the EternalBlue vulnerability to spread to other devices, increasing its overall size. The Sophos researchers also found that MyKings will clear the network of any other competing malware so that it remains dominant in the infected network, and then block the ports to keep other threat actors out.
The botnet has several ways to maintain persistence in a network. One way is through a method called a "bootkit," the Sophos reports notes. Even if an infection is detected and most of the malicious components cleared out of the network, the bootkit will simply relaunch the malware when the device is rebooted and the botnet then starts again, the researchers note.
The MyKings gang also has started to experiment with steganography - the practice of hiding messages or information inside other data or images. This technique has become more popular with threat actors over the last two years, researchers say (see: The Rise of Self-Concealing Steganography).
In the example that Sophos found, the MyKings gang hid a botnet update within a JPEG of Taylor Swift in an unnamed public repository. The researchers found that the Swift image contained a Windows malware executable file that contains a brute-force tool as part of the update.
By using the Taylor Swift image, the MyKings operators are attempting to hide the update from security tools deployed through the network, the researchers note. "This way, the update of the brute force tool could be disguised as the download of an innocent image file," according to the analysis.
The deployment of steganography, combined with exploiting EternalBlue and adding other open source components to the botnet, shows that the MyKings gang is adept at adopting any new methods that help them increase their attacks and the size of the botnet, says Gabor Szappanos, threat research director at Sophos Labs and a co-author of the report.
"They've been active for at least four years now, constantly adapting their methods to the available tools and source codes," Szappanos tells ISMG. "Whenever something useful appeared in public - whether it be a new cryptominer, a backdoor source code or a leaked exploit - they jumped on it and integrated it into their toolset. If security defenses don't react fast enough to a new attack method when it surfaces, these guys will take advantage of it."