A new crypto mining botnet has been discovered which uses an image of pop star Taylor Swift to propagate and infect its victims.
According to reports, the MyKings botnet, also known as Hexmen, Smominru and DarkCloud, uses a technique known as steganography to hide malicious scripts inside legitimate files. The Taylor Swift scam involves hiding an executable file within a JPG of Swift, allowing the malicious script to travel virtually undetected through PC systems.
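The article does not say exactly how the executable is concealed inside the JPG. One common way an "executable inside an image" is built is to append the file after the image data, where viewers ignore it but a script can later carve it back out. The following added example (not code from the article or from Sophos) shows how a defender can check for that: it walks the JPEG segment structure to find the real End-Of-Image marker, reports any trailing bytes, and flags a trailer that begins with the `MZ` header of a Windows executable. The sample image and the appended "payload" are constructed inline; the whole-file-append layout is an assumption for illustration.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
MZ_MAGIC = b"MZ"  # DOS/PE header magic of a Windows executable


def jpeg_payload_end(data: bytes) -> int:
    """Return the offset just past the JPEG EOI marker, walking segments properly.

    Scanning for the bytes FF D9 alone is not enough: an embedded EXIF thumbnail
    carries its own EOI, so we parse segment lengths and skip entropy-coded data.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte, marker continues
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if marker == SOI or marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                  # stand-alone markers carry no length
            continue
        if pos + 4 > len(data):
            break
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == SOS:
            # Entropy-coded data follows: skip until a marker that is neither
            # a stuffed 0xFF00 nor a restart marker RST0..RST7.
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] != 0x00 \
                        and not (0xD0 <= data[pos + 1] <= 0xD7):
                    break
                pos += 1
    raise ValueError("EOI marker not found (truncated or malformed JPEG)")


def inspect_jpeg(data: bytes) -> dict:
    """Report how much data trails the image and whether it looks like a PE file."""
    end = jpeg_payload_end(data)
    trailer = data[end:]
    return {
        "image_bytes": end,
        "trailing_bytes": len(trailer),
        "trailer_is_pe": trailer.startswith(MZ_MAGIC),
    }


def build_minimal_jpeg() -> bytes:
    """Constructed sample: SOI, an APP0/JFIF segment, one SOS scan, EOI (40 bytes)."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    entropy = b"\x12\x34\xff\x00\x56\xff\xd0\x78"   # includes a stuffed FF00 and an RST0
    return b"\xff\xd8" + app0 + sos + entropy + b"\xff\xd9"


if __name__ == "__main__":
    clean = build_minimal_jpeg()
    # Constructed "payload": a fake PE header followed by filler, appended after EOI.
    tampered = clean + MZ_MAGIC + b"\x90" * 64
    print("clean   :", inspect_jpeg(clean))
    print("tampered:", inspect_jpeg(tampered))
```

A file whose trailer is non-empty is worth a closer look regardless of the magic bytes, since a payload may be encoded or encrypted rather than stored as a raw PE; the `MZ` check only catches the laziest variant.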
In its analysis of the botnet, cybersecurity firm Sophos warned that the botnet was prolific, suggesting most people have already had some degree of interaction with the malware:
“There’s a pretty good chance everyone who reads this story will have had some degree of interaction with a botnet we call MyKings (and others call DarkCloud or Smominru), whether you know it or not. For the past couple of years, this botnet has been a persistent source of nuisance-grade opportunistic attacks against the underpatched, low-hanging fruit of the internet. It’s probably knocking at your firewall right now. They certainly wouldn’t be the first.”
MyKings was first reported back in 2017, and has since gone on to become one of the most extensively spread mining malware scripts in the world.
With some of the most sophisticated features of malware of its kind, the script primarily targets Windows-based systems, attacking everything from MySQL, SSH and IPC through to servers powering CCTV networks.
In the first few months since it was discovered, the botnet had infected over 525,000 Windows systems resulting in $2.3 million in losses for its victims, raised in Monero.
The botnet is thought to infect as many as 4,700 new systems per day. As a crypto mining script, it runs in the background, harvesting unused resources to mine Monero.
The script runs on Monero primarily because of the privacy features of the coin, which have allowed it to emerge as one of the cryptocurrencies of choice for scammers and fraudsters.
According to Sophos, the botnet is still pulling around $300 a day for the scammers, despite a significant fall in the value of Monero since it was first uncovered.