Security researchers discovered that cryptocurrency-mining botnet operators were using pop singer Taylor Swift’s image to hide their malware payloads. The botnet, dubbed as MyKingz, was spotted by UK-based security firm Sophos. MyKingz was active since 2016 and is also known as Smominru, DarkCloud, and Hexmen.
According to Sophos, attackers behind MyKingz are targeting Windows systems to deploy various cryptocurrency-mining apps. The group identifies vulnerable hosts and gains access to infected computers to install malware payloads on the compromised systems.
Researchers stated that currently, the MyKingz group is using steganography techniques to hide malicious files inside legitimate ones. It’s discovered that the group hiding a malicious EXE inside a JPEG image of pop singer Taylor Swift.
Steganography is an ancient practice of hiding secret content and text messages inside non-suspicious messages. Cybercriminals use Steganography to hide malicious code within the image/audio/text file that is mainly employed by exploiting kits to hide their malvertising traffic.
“The components of the botnet are very much interlinked, and there are many possible infection paths, so we start our discussion with the bootkit loader, keeping in mind that it is not the initial source that will be discussed later in a separate section,” Sophos said in a statement.
According to Sophos, the top infected countries by MyKingz include China, Taiwan, Russia, Brazil, the USA, India, and Japan.
Researchers stated that the MyKingz botnet is the biggest threat to Windows computers and enterprise networks. Any unpatched systems may likely to be compromised by MyKingz group.
MyKingz is not the only hacker group to use steganography techniques.
Recently, Trend Micro stated that cybercriminals are using steganography to infect the targeted systems. It’s believed that the activity was distributing malicious codes since 2018 through fileless methods, steganography techniques, and hijacking email accounts to deliver the information-stealing malware such as Emotet, Bebloh, and Ursnif.
In similar research, Matthew Rowen, a security researcher from Bromium, discovered ransomware embedded into a downloadable Super Mario image using steganography method. The attackers send emails with an attached spreadsheet that has an embedded malware and a macro. The attachment prompts the user to click on and enable a content link to deploy the malware.