August 21, 2019 By Shane Schick 2 min read

A variant of the MyKings botnet that may have been hidden for the last two years could prove even more difficult to remove from infected machines, security researchers warned.

According to Trend Micro, changes in the machine registry of a server belonging to an electronics company based in the Asia-Pacific region led to the discovery of the botnet. Best known as a miner of cryptocurrencies such as Monero and related to the EternalBlue exploit connected with the WannaCry attacks, the latest variant introduces several capabilities to gain and maintain persistence.

How the MyKings Botnet Variant Works

Besides taking advantage of the task scheduler, registry and Windows Management Instrumentation objects on a victim’s server, the MyKings botnet variant also makes use of the bootkit. As the researchers explained, the bootkit provides the attackers with access to the management boot of record (MBR), which identifies where and how the operating system is positioned so it can load a computer’s main storage or memory.

After checking if its code is already written on the disk, the botnet will clean out any other existing infections on the MBR so it can copy more of the code into other sections. This helps protect MyKings from detection tools and from being removed by IT security teams.

The threat becomes even worse as the bootkit writes malware into other areas of the infected machine, reaching functions at the kernel level. The version of Windows running on the infected machine will determine whether the code is injected into File Explorer, Winlogin or Svchost.

The attack was also disguised to resemble a series of threats launched by multiple parties. This included the cryptocurrency miner as well as a Trojan and a backdoor. The scripts that tie MyKings together and connect to remote servers mean there is a limited window of opportunity to get at its components, the researchers added.

Banish the Threat of MyKings

Cryptominers and related threats continue to proliferate through malware and browsing sessions. To stay on top of them, security teams should actively monitor networks and practice file-based detection with sandboxing and machine learning technology.

IBM experts also suggest disabling JavaScript where possible and updating host-based detection signatures to minimize organizational risk.

More from

DHS awards significant grant to improve tribal cybersecurity

4 min read - The Department of Homeland Security (DHS) has awarded $18.2 million in grants through the Tribal Cybersecurity Grant Program to boost cybersecurity defenses among Native American Indian Tribes. The program takes a big step in addressing the unique digital threats faced by tribal communities — a dedicated effort to improve cybersecurity infrastructure across these regions. The $18.2 million grant is just one component of DHS's broader strategy to enhance national cybersecurity. Administered by the Federal Emergency Management Agency (FEMA) in partnership…

ChatGPT 4 can exploit 87% of one-day vulnerabilities: Is it really that impressive?

2 min read - After reading about the recent cybersecurity research by Richard Fang, Rohan Bindu, Akul Gupta and Daniel Kang, I had questions. While initially impressed that ChatGPT 4 can exploit the vast majority of one-day vulnerabilities, I started thinking about what the results really mean in the grand scheme of cybersecurity. Most importantly, I wondered how a human cybersecurity professional’s results for the same tasks would compare.To get some answers, I talked with Shanchieh Yang, Director of Research at the Rochester Institute…

ONCD releases request for information: Open-source software security

3 min read - Open-source software is a collective partnership across the development community that requires both private and public buy-in. However, securing open-source software can be tricky. With so many different people working on the coding, security measures are often overlooked, increasing the chances that a vulnerability will fall through the cracks and be exploited. The Open-Source Software Security Initiative (OS31) aims to provide governance over open-source security processes. After the Log4Shell vulnerability, securing open-source software became a top priority for the federal…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today