This Cryptocurrency Mining Malware Uses 'Taylor Swift' To Appeal to Potential Victims

Taylor Swift

Taylor Swift is an American singer and songwriter. Best known for her narrative songs about her personal life, Swift has received widespread media coverage.

She made her debut at a very young age, and her career has grown rapidly since. It didn't take long for Swift to become one of the best-known singers worldwide. Described as "America's Sweetheart" and a "sex symbol" by Bloomberg L.P., there is no doubt that images of her can attract a massive audience.

And this fact, apparently, was leveraged by hackers.

According to a report from UK-based cybersecurity firm Sophos, a cryptocurrency-mining botnet is infecting computers with an image of Taylor Swift to spread its malware as widely as possible.

MyKingz, the botnet behind the campaign, also known as Smominru, DarkCloud, or Hexmen, leverages steganography in this Swift-themed malware. Steganography is a technique for hiding malicious files inside legitimate ones, obscuring their purpose.

In this case, the hackers hid a malicious executable file inside a legitimate JPEG image of Swift.
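The article does not describe how the executable was embedded, so the following added example (it is not code from Sophos or from this article) assumes the simplest and most common form of the trick: the payload is appended after the JPEG's end-of-image (EOI) marker, where image viewers never look. The script walks the JPEG segment structure to find where the real image ends, measures any trailing data, and checks whether that trailer begins with a PE ("MZ"/"PE\0\0") header. The sample JPEG and the PE-shaped stub are constructed byte strings, not real files; the stub is only a header and cannot run.

```python
import struct
import sys

SOI = b"\xff\xd8"   # start of image
EOI = b"\xff\xd9"   # end of image; viewers ignore everything after it
MZ = b"MZ"


def find_jpeg_end(data: bytes) -> int:
    """Return the offset just past the first EOI marker reached by walking the
    JPEG segment structure. Walking segments (rather than searching for FF D9)
    matters because an appended payload may itself contain FF D9 bytes."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                       # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                       # EOI: image ends here
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn: no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # includes its own 2 bytes
        pos += 2 + seg_len
        if marker == 0xDA:                       # SOS: entropy-coded data follows
            # Inside scan data, FF 00 is a stuffed byte and FF D0..D7 are restart
            # markers; any other FF xx (xx != FF) is the next real marker.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt not in (0x00, 0xFF) and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise ValueError("no EOI marker found (truncated JPEG)")


def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or not blob.startswith(MZ):
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def inspect_trailing_data(data: bytes) -> dict:
    """Summarise what sits after the image: a clean JPEG has no trailer at all."""
    end = find_jpeg_end(data)
    trailer = data[end:]
    return {
        "image_bytes": end,
        "trailing_bytes": len(trailer),
        "has_trailer": len(trailer) > 0,
        "pe_header": looks_like_pe(trailer),
    }


def _build_sample_jpeg() -> bytes:
    """Constructed JPEG-shaped bytes (APP0 + SOS + scan data + EOI); not a decodable picture."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a"   # contains a stuffed FF 00 and an RST0 marker
    return SOI + app0 + sos + scan + EOI


def _build_fake_pe_stub() -> bytes:
    """Constructed PE-shaped header only (MZ, e_lfanew = 0x40, 'PE\\0\\0'); deliberately
    contains an FF D9 pair to show why a naive search for the last EOI is unreliable."""
    dos = bytearray(0x40)
    dos[0:2] = MZ
    dos[0x3C:0x40] = struct.pack("<I", 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\xff\xd9" + b"\x00" * 16


if __name__ == "__main__":
    # With a path argument the script inspects that file; otherwise it runs on
    # the constructed samples so the check can be seen working offline.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(inspect_trailing_data(fh.read()))
    else:
        print("clean   :", inspect_trailing_data(_build_sample_jpeg()))
        print("appended:", inspect_trailing_data(_build_sample_jpeg() + _build_fake_pe_stub()))
```

A JPEG with a non-empty trailer is not automatically malicious (some cameras and editors append metadata), but a trailer that starts with a PE header has no legitimate reason to be there and is a strong indicator worth alerting on. Run the script over a directory of images to flag such files for closer inspection.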

The malware uses the EternalBlue exploit and other exploits leaked by the Shadow Brokers.

Sophos warned that:

"There’s a pretty good chance everyone who reads this story will have had some degree of interaction with a botnet we call MyKingz (and others call DarkCloud or Smominru), whether you know it or not. For the past couple of years, this botnet has been a persistent source of nuisance-grade opportunistic attacks against the underpatched, low-hanging fruit of the internet. It’s probably knocking at your firewall right now. They certainly wouldn’t be the first."

First gaining media coverage in 2017, MyKingz has been known as the operation behind some of the largest cryptocurrency-mining campaigns.

Taylor Swift malware image
Credit: Sophos

Using one of the most sophisticated scanning and infection mechanisms ever observed in a botnet, MyKingz targets MySQL, MS-SQL, Telnet, SSH, IPC, WMI, Remote Desktop (RDP), and also servers that run CCTV camera storage.

During its first months, MyKingz infected more than 525,000 Windows systems and earned at least $2.3 million worth of Monero (XMR), with victims in China, Taiwan, Russia, Brazil, the USA, India, and Japan.

It’s estimated that MyKingz infects approximately 4,700 new systems every day.

"The infected endpoints we observed totaled about 43900 unique IP addresses," said Sophos.

Fortunately, attacks by the MyKingz botnet follow a predictable pattern, and they are somewhat redundant. For example, the components of MyKingz have a similar self-update procedure. Everything repeats itself several times over, using a variety of command combinations.

"MyKingz also redundantly employs a number of methods of establishing persistence on the infected host: It uses a bootkit, which launches the botnet immediately upon reboot; sets Registry run keys; and creates a number of Scheduled Tasks and WMI listeners," continued Sophos.

And here, the malware hidden inside the Taylor Swift image is part of MyKingz's constant refinement.

By hiding the malware payload in plain sight, the hackers aim to spread their malware as widely and as quickly as possible.

Published: 20/12/2019