August 21, 2019 By Shane Schick 2 min read

A variant of the MyKings botnet that may have been hidden for the last two years could prove even more difficult to remove from infected machines, security researchers warned.

According to Trend Micro, changes in the machine registry of a server belonging to an electronics company based in the Asia-Pacific region led to the discovery of the botnet. Best known as a miner of cryptocurrencies such as Monero and related to the EternalBlue exploit connected with the WannaCry attacks, the latest variant introduces several capabilities to gain and maintain persistence.

How the MyKings Botnet Variant Works

Besides taking advantage of the task scheduler, registry and Windows Management Instrumentation objects on a victim’s server, the MyKings botnet variant also makes use of the bootkit. As the researchers explained, the bootkit provides the attackers with access to the management boot of record (MBR), which identifies where and how the operating system is positioned so it can load a computer’s main storage or memory.

After checking if its code is already written on the disk, the botnet will clean out any other existing infections on the MBR so it can copy more of the code into other sections. This helps protect MyKings from detection tools and from being removed by IT security teams.

The threat becomes even worse as the bootkit writes malware into other areas of the infected machine, reaching functions at the kernel level. The version of Windows running on the infected machine will determine whether the code is injected into File Explorer, Winlogin or Svchost.

The attack was also disguised to resemble a series of threats launched by multiple parties. This included the cryptocurrency miner as well as a Trojan and a backdoor. The scripts that tie MyKings together and connect to remote servers mean there is a limited window of opportunity to get at its components, the researchers added.

Banish the Threat of MyKings

Cryptominers and related threats continue to proliferate through malware and browsing sessions. To stay on top of them, security teams should actively monitor networks and practice file-based detection with sandboxing and machine learning technology.

IBM experts also suggest disabling JavaScript where possible and updating host-based detection signatures to minimize organizational risk.

More from

How will the Merck settlement affect the insurance industry?

3 min read - A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit…

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

ICS CERT predictions for 2024: What you need to know

4 min read - As we work through the first quarter of 2024, various sectors are continuously adapting to increasingly complex cybersecurity threats. Sectors like healthcare, finance, energy and transportation are all regularly widening their digital infrastructure, resulting in larger attack surfaces and greater risk exposure.Kaspersky just released their ICS CERT Predictions for this year, outlining the key cybersecurity challenges industrial enterprises will face in the year ahead. The forecasts emphasize the persistent nature of ransomware threats, the increasing prevalence of cosmopolitical hacktivism, insights…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today