Taylor Swift’s Photos Are Full Of Crypto-Mining Botnet Malware MyKingz
The cryptocurrency-mining botnet MyKingz uses an image of Taylor Swift, one of the biggest pop stars in the world, to infect its victims' computers. It then uses the resources of the infected hosts to mine the privacy coin Monero (XMR). MyKingz is not its only name; it is also tracked as Smominru, DarkCloud, or Hexmen, depending on the cyber-security firm whose report you're reading.
To deliver its payload, MyKingz relies on steganography, the practice of hiding one file (a message, image, or video) inside another file. Basically, it is like the way the painter Leonardo da Vinci is said to have hidden numbers in his paintings. Today, bad actors can easily spread their malicious payloads this way, since unsuspecting users have no reason to think a malicious file is present in the first place.
Taylor Swift has become the next victim of botnet malware
The team behind MyKingz conceals a malicious EXE file inside a JPEG image of Swift. Antivirus programs will have a hard time detecting anything apart from the picture itself. Back in 2018, the picture of actress Scarlett Johansson was also used to mine Monero on hacked PostgreSQL databases.
The latest development in this botnet's method was spotted by the UK-based security firm Sophos. The change isn't a big deal in the grand scheme of things, but it's both interesting and funny. Because MyKingz's internet-scanning module only identifies vulnerable hosts and gains an initial foothold on them, the operators need a separate way to deploy their various malware payloads on the hacked systems.
The purpose of this technique is to trick security software running on enterprise networks. These security products will only see a host downloading a banal JPEG file, rather than a far more dangerous EXE file. The countries with the highest population of infected hosts include China, Taiwan, Russia, Brazil, the USA, India, and Japan.
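A defender's check for the trick described above, added here as an example and not code from Sophos or from the botnet: it walks the JPEG segment structure to find where the image really ends and flags any bytes that follow, noting whether they begin with the DOS/PE `MZ` magic. It assumes the executable is stored after the JPEG End-Of-Image marker, the simplest way to make an EXE ride inside a file that still opens as a picture; the sample bytes are constructed, not taken from a real photo.

```python
import struct

EOI, SOS = 0xD9, 0xDA
RST = frozenset(range(0xD0, 0xD8))   # restart markers: no length field, may appear in scan data

def jpeg_image_end(data: bytes):
    """Walk the JPEG segment chain; return the offset just past the EOI marker, or None if malformed."""
    if data[:2] != b"\xff\xd8":                       # SOI marker
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == EOI:
            return pos + 2
        if marker == 0x01 or marker in RST:           # TEM / RSTn: standalone markers
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == SOS:
            # Entropy-coded scan data follows; skip to the next real marker, treating
            # FF00 (byte stuffing) and FF D0..D7 (RSTn) as ordinary data.
            while pos + 1 < len(data) and not (data[pos] == 0xFF and data[pos + 1] != 0x00 and data[pos + 1] not in RST):
                pos += 1
    return None

def find_hidden_executable(data: bytes):
    """Return None for a clean JPEG, otherwise a dict saying why the file is suspicious."""
    end = jpeg_image_end(data)
    if end is None:
        return {"reason": "not a well-formed JPEG"}
    trailer = data[end:]
    if not trailer:
        return None
    return {"reason": "data after EOI", "trailer_bytes": len(trailer),
            "looks_like_pe": trailer[:2] == b"MZ"}    # DOS/PE header magic

# Constructed sample: a tiny, syntactically valid JPEG skeleton (not a real photo)...
CLEAN_JPEG = (
    b"\xff\xd8"                                                                              # SOI
    + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"                       # SOS
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78"                   # scan data with FF00 stuffing and an RST0
    + b"\xff\xd9"                                                                            # EOI
)
# ...and the same skeleton with a fake PE stub (MZ header plus zero padding) appended after EOI.
TAMPERED_JPEG = CLEAN_JPEG + b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
```

Run over a directory of downloaded images, a non-empty trailer is the signal worth alerting on; legitimate JPEGs end at the EOI marker.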
The real problem here is that MyKingz has proven to be one of the biggest threats to Windows computers and enterprise networks for the past two years. Any system left unpatched or with unprotected ports is very likely to be compromised by this botnet. It targets practically everything, including MySQL, MS-SQL, Telnet, SSH, IPC, WMI, Remote Desktop (RDP), and even the servers that run CCTV camera storage.
Sophos estimates that MyKingz operators are currently making around $300/day, on average, bringing their historical total to around 9,000 XMR, worth more than $3 million today.
What is the MyKingz botnet (Smominru, DarkCloud, or Hexmen)?
MyKingz was first spotted in late 2017. Since then, the botnet has been the largest crypto-mining malware operation in existence. It features one of the most diversified internet-scanning and infection mechanisms seen in malware botnets. If there's a port or vulnerability to be scanned or exploited, MyKingz is involved to some degree.
This has allowed the botnet to grow very quickly. In its first months of life, MyKingz reportedly infected more than 525,000 Windows systems, earning its creator(s) more than $2.3 million worth of Monero (XMR). As reported by U.Today, more than 4% of XMR’s total supply is related to illegal crypto mining.
While some thought the botnet had died out after the last reports in early 2018, Guardicore and Carbon Black reports published over the summer revealed that the botnet was still very much alive and still infecting a large number of computers, estimated at around 4,700 new systems per day.