Invezz

A crypto-mining botnet hiding in a photo of Taylor Swift: Research

Ali Raza
Dec 19, 2019, 08:53 AM
  • The largest crypto-mining botnet, MyKingz, was recently spotted again by Sophos' security researchers.
  • Researchers have noticed that the botnet is now using an image of Taylor Swift to hide its malicious payload.
  • The botnet typically targets Windows systems, where it installs a crypto-mining app.
According to recent reports, online criminals have been using a photo of pop singer Taylor Swift to hide malware payloads. The photo was used to infect victims’ computers with malware and let the hackers add the infected devices to their crypto-mining botnet. The botnet’s name is MyKingz, although it is also known under other names, including Smominru, Hexmen, and DarkCloud. It first emerged around two years ago, in the second half of 2017, and over the last two years it has become well known as the largest crypto-mining malware operation in the wild.

The hackers behind the malware have mostly attacked Windows systems in order to deploy crypto-mining apps, generating profit from the victims’ computing power and other resources. The botnet is also infamous for having some of the most diverse scanning and infection mechanisms of its kind: whenever there is a flaw or an unsecured port to be exploited, it will almost certainly get involved. These scanning and infection capabilities allowed it to spread and grow extremely quickly. When it initially emerged, it reportedly infected over half a million Windows systems within only a few months, while the hackers earned over $2.3 million in Monero (XMR). The botnet is also known for attacks on corporate networks, as it appears to make heavy use of the EternalBlue exploit.

The botnet re-emerged with new techniques

News about MyKingz’s attacks started dying down in early 2018, which led many to believe that the hackers may have withdrawn. However, in the summer of this year, a number of new reports from the likes of Carbon Black and Guardicore revealed that it is still alive and active. According to the latest report by UK company Sophos, the hackers seem to be experimenting with steganography, the practice of hiding malicious files inside seemingly legitimate ones, such as images. Specifically, they started using an image of pop singer Taylor Swift. That way, they can trick security software into letting the malware pass its defenses as a safe-looking file that is actually infected beneath the surface. This is not exactly a new technique, nor is the use of celebrities’ photos. However, malware gangs have mostly moved away from using such techniques on images and are now applying them to WAV audio files.
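As an added example that is not part of the original article or of Sophos' analysis, the Python script below checks a JPEG or PNG for bytes appended after the image's end-of-image structure, which is one common way a payload rides inside a picture that still opens normally. It assumes that delivery method (not confirmed by the article) and uses constructed byte samples rather than any real file.

```python
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def jpeg_end(data: bytes) -> int:
    """Offset just past the JPEG EOI marker (FF D9), or -1 if the structure is malformed."""
    pos = 2  # skip SOI (FF D8)
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return -1
        marker = data[pos + 1]
        if marker == 0xD9:                              # EOI reached
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:    # standalone markers carry no length field
            pos += 2
            continue
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")  # skip marker + length-prefixed segment
        if marker == 0xDA:                              # SOS: entropy-coded data runs until EOI
            eoi = data.find(b"\xff\xd9", pos)           # in scan data FF is only followed by 00 or D0-D7
            return eoi + 2 if eoi >= 0 else -1
    return -1

def png_end(data: bytes) -> int:
    """Offset just past the IEND chunk, or -1 if IEND is never reached."""
    pos = 8  # skip the PNG signature
    while pos + 8 <= len(data):
        length = int.from_bytes(data[pos:pos + 4], "big")
        ctype = data[pos + 4:pos + 8]
        pos += 12 + length                              # length + type + data + CRC
        if ctype == b"IEND":
            return pos
    return -1

def inspect_image(data: bytes) -> dict:
    """Report bytes found after the image's end structure and whether they start like a PE (MZ)."""
    if data[:2] == b"\xff\xd8":
        fmt, end = "jpeg", jpeg_end(data)
    elif data[:8] == PNG_SIG:
        fmt, end = "png", png_end(data)
    else:
        return {"format": None, "parsed": False, "trailing_bytes": 0, "looks_like_pe": False}
    tail = data[end:] if end >= 0 else b""
    return {"format": fmt, "parsed": end >= 0, "trailing_bytes": len(tail), "looks_like_pe": tail[:2] == b"MZ"}

# Constructed samples, not real files: a minimal JPEG, the same JPEG with a fake PE header appended, a minimal PNG.
CLEAN_JPEG = (b"\xff\xd8" + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\xff\x00\x56" + b"\xff\xd9")
SUSPECT_JPEG = CLEAN_JPEG + b"MZ\x90\x00" + b"\x00" * 20
CLEAN_PNG = PNG_SIG + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17 + b"\x00\x00\x00\x00IEND" + b"\x00" * 4  # dummy CRCs
if __name__ == "__main__":
    for name, blob in [("clean.jpg", CLEAN_JPEG), ("suspect.jpg", SUSPECT_JPEG), ("clean.png", CLEAN_PNG)]:
        print(name, inspect_image(blob))
```

This only catches data appended after the image; a payload hidden in the pixel data itself leaves no trailing bytes and needs statistical or known-carrier analysis instead.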