Light Dark
August 21, 2019 By Shane Schick 2 min read

A variant of the MyKings botnet that may have been hidden for the last two years could prove even more difficult to remove from infected machines, security researchers warned.

According to Trend Micro, changes in the machine registry of a server belonging to an electronics company based in the Asia-Pacific region led to the discovery of the botnet. Best known as a miner of cryptocurrencies such as Monero and related to the EternalBlue exploit connected with the WannaCry attacks, the latest variant introduces several capabilities to gain and maintain persistence.

How the MyKings Botnet Variant Works

Besides taking advantage of the task scheduler, registry and Windows Management Instrumentation objects on a victim’s server, the MyKings botnet variant also makes use of the bootkit. As the researchers explained, the bootkit provides the attackers with access to the management boot of record (MBR), which identifies where and how the operating system is positioned so it can load a computer’s main storage or memory.

After checking if its code is already written on the disk, the botnet will clean out any other existing infections on the MBR so it can copy more of the code into other sections. This helps protect MyKings from detection tools and from being removed by IT security teams.

The threat becomes even worse as the bootkit writes malware into other areas of the infected machine, reaching functions at the kernel level. The version of Windows running on the infected machine will determine whether the code is injected into File Explorer, Winlogin or Svchost.

The attack was also disguised to resemble a series of threats launched by multiple parties. This included the cryptocurrency miner as well as a Trojan and a backdoor. The scripts that tie MyKings together and connect to remote servers mean there is a limited window of opportunity to get at its components, the researchers added.

Banish the Threat of MyKings

Cryptominers and related threats continue to proliferate through malware and browsing sessions. To stay on top of them, security teams should actively monitor networks and practice file-based detection with sandboxing and machine learning technology.

IBM experts also suggest disabling JavaScript where possible and updating host-based detection signatures to minimize organizational risk.

 |  |  |  |  |  |  |  |  | 
Shane Schick
Writer & Editor

More from

November 22, 2024

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

November 21, 2024

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

November 20, 2024

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature