Concealed crypto mining – using infected computers to produce hashes for specific types of coins – is using more ingenious methods to hide from operating systems. The latest exploit involves an infected image of Taylor Swift.
Sophos Labs Discovers Botnet in Taylor Swift JPEG
Analysis by Sophos Labs, a digital security firm, shows hackers are now trying to infect computers by hiding a malicious EXE file inside what looks like an innocent JPEG image. Usually, a popular, much-searched celebrity does the trick, and this time they chose American pop singer Taylor Swift.
More about #MyKings botnet…
In this sample image, a Windows malware executable (identifiable by its characteristic MZ header bytes and text) appears within the image data in a modified .jpg photo of Taylor Swift.
— SophosLabs (@SophosLabs) December 19, 2019
The activity comes from a hacker group identified as MyKings, which works to attack Windows machines. Their approach also includes infecting a WAV file, using a similar technique.
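A defender-side check for the pattern described in the tweet above, as an added example that is not from Sophos Labs or the original article: it looks for an MZ header whose e_lfanew field points at a PE signature, because a bare "MZ" byte pair also turns up by chance in compressed image data. The function names are hypothetical and the sample bytes are constructed header fields, not a working executable.

```python
import struct

JPEG_SOI = b"\xff\xd8"   # JPEG start-of-image marker
JPEG_EOI = b"\xff\xd9"   # JPEG end-of-image marker


def find_embedded_pe(data: bytes) -> list:
    """Return offsets of every 'MZ' that is backed by a PE signature."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        # The DOS header is 0x40 bytes; e_lfanew (a little-endian u32 at
        # MZ+0x3C) holds the offset of the PE header relative to the MZ.
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            pe = pos + e_lfanew
            if data[pe:pe + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def scan_image(data: bytes) -> dict:
    """Summarise one file: does it start like a JPEG, and does it carry a PE?"""
    return {"is_jpeg": data.startswith(JPEG_SOI),
            "pe_offsets": find_embedded_pe(data)}


def build_sample(with_pe: bool = True) -> bytes:
    """Constructed test input: JPEG markers, a decoy 'MZ', optional PE stub."""
    head = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + bytes(9)   # 20 bytes
    decoy = b"\x11MZ\x22" + bytes(0x50)        # 'MZ' with no PE header behind it
    dos = bytearray(0x80)                       # DOS header fields only
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)     # e_lfanew -> directly after stub
    stub = bytes(dos) + b"PE\x00\x00" + b"\x4c\x01" + bytes(18)
    return head + decoy + (stub if with_pe else b"") + JPEG_EOI


if __name__ == "__main__":
    for label, blob in (("modified", build_sample()),
                        ("clean", build_sample(with_pe=False))):
        print(label, scan_image(blob))
```

The decoy shows why the PE signature check matters: the scanner ignores the stray "MZ" at offset 21 and reports only the header at offset 104.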
The latest discovery shows concealed mining is not going away. Still, the latest Kaspersky threat reports reveal mining malware is slowing down, while crypto ransoms and sextortion increased in the past months.
Concealed Mining Continues, with Lower Asset Prices
One of the reasons for the lowered usage of botnets is the sliding price of most crypto assets. Even Monero (XMR), the most prevalent coin mined on botnets, has fallen significantly to below $50. Other coins that allow CPU mining are also offering very low value.
Additionally, Monero has altered its mining algorithm, in effect requiring hackers to establish a new approach to mining. Monero has switched to the RandomX algorithm, which is still accessible for CPU and GPU mining.
The current threat affects Windows-based servers, and Sophos Labs has discovered different attempts to inject malicious code disguised as open-source software. The Sophos team explained:
"Attacks by the MyKings botnet operators follow a predictable pattern: The botnet attempts a stable of different attacks against a server. Unpatched, or underpatched, Windows servers may be vulnerable to a wide range of attacks, the goal of which is to deliver a malware executable, more often than not, a Trojan named Forshare."
The MyKings botnet is also one of the most relentless, constantly reappearing and aiming at underpatched Windows machines. It is considered one of the most persistent and large-scale security threats against the operating system, and it tries to exploit almost every potential opening.
Hidden mining is harder to catch than the once highly prevalent browser mining. Botnets have been discovered to affect servers and computers even at institutions like CERN. The malware is becoming more difficult to detect, as it hides its processes more successfully. For consumer electronics, mining is not so easily concealed, and may be extremely damaging.