August 21, 2019 By Shane Schick

A variant of the MyKings botnet that may have been hidden for the last two years could prove even more difficult to remove from infected machines, security researchers warned.

According to Trend Micro, changes in the machine registry of a server belonging to an electronics company based in the Asia-Pacific region led to the discovery of the botnet. Best known as a miner of cryptocurrencies such as Monero and related to the EternalBlue exploit connected with the WannaCry attacks, the latest variant introduces several capabilities to gain and maintain persistence.

How the MyKings Botnet Variant Works

Besides taking advantage of the task scheduler, registry and Windows Management Instrumentation objects on a victim’s server, the MyKings botnet variant also makes use of a bootkit. As the researchers explained, the bootkit provides the attackers with access to the master boot record (MBR), which identifies where and how the operating system is positioned so it can be loaded into a computer’s main storage or memory.

After checking if its code is already written on the disk, the botnet will clean out any other existing infections on the MBR so it can copy more of the code into other sections. This helps protect MyKings from detection tools and from being removed by IT security teams.
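Because the bootkit rewrites the MBR, one defensive check is to compare a captured copy of sector 0 against a known-good baseline for that host. The following is an added example, not code from the article or from the researchers; it assumes the 512-byte sector has already been acquired with a forensic tool, uses the common layout with 440 bytes of bootstrap code, and builds its sample sectors itself (`make_sample_sector` is a hypothetical helper with constructed data).

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bootstrap code area (disk signature follows at 440)
PART_TABLE_OFF = 446       # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"

def parse_mbr(sector: bytes) -> dict:
    """Hash the boot code, decode the partition table, check the signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:  # partition type 0 means an unused slot
            partitions.append({"index": i, "bootable": entry[0] == 0x80,
                               "type": entry[4], "lba_start": lba_start,
                               "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
    }

def compare_to_baseline(sector: bytes, baseline: dict) -> list:
    """Return findings; an empty list means the sector matches the baseline."""
    current = parse_mbr(sector)
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("bootstrap code differs from baseline")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    return findings

def make_sample_sector(code: bytes) -> bytes:
    """Constructed sample: given boot code plus one bootable NTFS entry."""
    entry = struct.pack("<B3sB3sII", 0x80, bytes(3), 0x07, bytes(3), 2048, 204800)
    return code.ljust(PART_TABLE_OFF, b"\x00") + entry + bytes(48) + BOOT_SIGNATURE

if __name__ == "__main__":
    clean = make_sample_sector(b"\xfa\x33\xc0" * 10)     # constructed "known-good"
    baseline = parse_mbr(clean)
    modified = make_sample_sector(b"\xeb\xfe" * 10)      # constructed altered code
    print(compare_to_baseline(clean, baseline))
    print(compare_to_baseline(modified, baseline))
```

The baseline should be recorded per host while the machine is known to be clean, since the disk signature and partition layout differ between systems.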

The threat becomes even worse as the bootkit writes malware into other areas of the infected machine, reaching functions at the kernel level. The version of Windows running on the infected machine will determine whether the code is injected into File Explorer, Winlogon or Svchost.

The attack was also disguised to resemble a series of threats launched by multiple parties. This included the cryptocurrency miner as well as a Trojan and a backdoor. The scripts that tie MyKings together and connect to remote servers mean there is a limited window of opportunity to get at its components, the researchers added.

Banish the Threat of MyKings

Cryptominers and related threats continue to proliferate through malware and browsing sessions. To stay on top of them, security teams should actively monitor networks and practice file-based detection with sandboxing and machine learning technology.

IBM experts also suggest disabling JavaScript where possible and updating host-based detection signatures to minimize organizational risk.
