The MyKings Botnet (also known as Smominru and DarkCloud) is a long-running botnet that targets unpatched or under-patched Windows-based servers. The servers in question typically expose an assortment of services – WMI, Telnet, RDP (Remote Desktop Protocol), MS-SQL, SSH, MySQL, etc. According to reports, the most affected countries are China (18% of all victims), Taiwan (11%), Russia (7%), Brazil (7%), and the United States (6%). Approximately 44,000 unique IP addresses have reportedly tested positive for the presence of the MyKings threat. The end goal of the MyKings Botnet is to install cryptominers on the compromised hosts and use the Forshare Trojan to make sure that all the planted miners keep running as intended. The cryptominers used in this campaign mine the Monero cryptocurrency. It has been estimated that so far the operators of the MyKings Botnet have generated a staggering 9,000 XMR, which is approximately $3 million.
Removes Competing Threats from the Compromised Host
The MyKings Botnet is able to recognize whether other malware strains are present on the compromised host. If it detects competing malware, it removes it to ensure maximum mining efficiency. Furthermore, the MyKings malware scans running processes for any that may be linked to anti-virus tools and terminates them so that it can run uninterrupted. The MyKings components are able to self-update, which keeps the threat potent. This is achieved with the help of Windows batch files and self-extracting RAR archives.
The operators of the MyKings Botnet have opted for a rather innovative technique to hide their payloads – steganography. The attackers planted the malicious executable inside a seemingly harmless photograph of Taylor Swift, using a modified .jpg file to carry the hidden data. However, malware experts were able to spot it, because the file still contains the characteristic MZ header text and bytes of a Windows executable. This trick is used to deliver the threat's newest updates. The MyKings threat tampers with the Windows Registry to gain persistence on the infected host, and a bootkit makes sure that the MyKings malware is run again whenever the system reboots.
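The detection clue above (an image file that still carries an MZ header) can be turned into a simple triage check. The following scanner is an added example, not code from the original article or from any published analysis: it searches a JPEG for an "MZ" DOS header and confirms the hit by following e_lfanew to a "PE\0\0" signature, so a stray "MZ" byte pair in pixel data is not reported. The sample image and the payload stub are constructed inline and are not a real executable.

```python
import struct
import sys
from typing import Optional

JPEG_SOI = b"\xff\xd8"  # Start Of Image marker
JPEG_EOI = b"\xff\xd9"  # End Of Image marker


def find_embedded_pe(data: bytes) -> Optional[int]:
    """Return the offset of a PE image hidden inside a JPEG, or None.

    A bare 'MZ' search would produce false positives on compressed pixel data,
    so each candidate must also have a sane e_lfanew (DOS header offset 0x3C)
    that points at the 'PE\\0\\0' signature of a real PE header.
    """
    if not data.startswith(JPEG_SOI):
        return None  # not a JPEG, out of scope for this check
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):  # full 64-byte DOS header available
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            pe_off = pos + e_lfanew
            # e_lfanew must skip the DOS header and stay within a plausible range
            if 0x40 <= e_lfanew < 0x1000 and data[pe_off:pe_off + 4] == b"PE\x00\x00":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return None


def build_sample(with_payload: bool) -> bytes:
    """Constructed test input: a minimal JPEG (SOI, empty APP0 segment, EOI),
    optionally followed by a fake DOS/PE header stub appended after the image."""
    jpeg = JPEG_SOI + b"\xff\xe0\x00\x02" + JPEG_EOI
    if not with_payload:
        return jpeg
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)    # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)    # e_lfanew -> directly after it
    return jpeg + bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    # Usage: python scan_jpeg.py picture.jpg  (no argument: run on the constructed sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(True)
    hit = find_embedded_pe(blob)
    print("embedded PE at offset %d" % hit if hit is not None else "no embedded PE found")
```

A real triage pipeline would apply the same check to every image fetched by a suspicious process, since the update channel described above relies on the image looking benign to a casual viewer.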
The MyKings Botnet has so far generated an impressive amount of cash for its operators, and given that they keep updating the threat, it is unlikely that they will halt this operation in the near future.