OXFORD, U.K. — 十二月 18, 2019 —

 Sophos (LSE: SOPH), a global leader in next-generation cybersecurity, today published the SophosLabs report MyKings: The Slow but Steady Growth of a Relentless Botnet, which details the morphing attack components of the globally-reaching MyKings cryptominer.

MyKings contains the perfect storm of attack methods highlighted in SophosLabs’ 2020 Threat Report – access through open remote services, botnets to orchestrate parts of the attack, and Living off the Land (LotL) to evade detection – that are used to drop cryptominers. The report covers the interaction between all of these components and their chain reaction to impact computers. The report also analyzes cybercriminal behaviors to further explain the characteristics of MyKings.

“High-end or nation-state sponsored cyberattackers have the resources to purchase or develop zero-day exploits themselves. On the flip side, low-end cybercriminals use cheap or free builder kits available in underground, dark web forums, but lack the skills to do anything except execute the builders,” said Gabor Szappanos, report author and threat research director, SophosLabs. “The MyKings group is in between these two categories; they are the ‘SMB of cybercrime.’ These criminals don’t invest money into expensive tools, but they have the skills and development power to modify and enhance open source components. Their modus operandi is to invest significant amounts of development time into customizing the public domain tools they are using. This is a reminder that cybercriminals are enhancing their capabilities all the time and defenders should adopt this mindset for best security practices.”

Below is an example of how the MyKings attackers enhanced the malware over time:

  • Some older variants of MyKings download an update from 
    ww3.sin[…]g.cn/mw690/717a8b4dgw1f99ly7blarj20c40e4b2a.jpg
appended-executable
  • Subsequently, cybercriminals added support for the EternalBlue exploit into newer versions of MyKings. This functionality is not integrated into the spreader program, but rather exists as a separate executable, converted from Python scripts, that is downloaded and executed by the main spreader program.

Global Distribution

As indicated in the MyKings report, the worldwide activity map includes approximately 45,000 impacted hosts. Top countries include: China, Taiwan, Russia, Brazil, United States, India, and Japan. 

Worldwide MyKings Activity Map

 

Other Key Findings

  • The botnet can spread by attacking weak username/password combinations via MySQL, MSSQL, telnet, ssh, IPC, WMI, RDP, CCTV connections
  • The main payloads are the Forshare trojan and various Monero cryptominers
  • The botnet still mines about 5 XMR ($300), per day

Advice for Defenders

  • Keep computers up-to-date with security patches. MyKings uses EternalBlue which was patched two years ago
  • Change default passwords and apply strong, unique passwords. MyKings uses known weak passwords to attack web services
  • Don’t expose Server Message Block (SMB), Remote Desktop Protocol (RDP) and similar remote access services to the Internet
  • Use up-to-date security software. Sophos Intercept X provides protection at several points

关于 Sophos

Sophos 是全球领先的网络安全公司,凭借其人工智能驱动的平台和专家主导的服务,保护着全球 60 万家组织的安全。Sophos 根据各组织在不同安全成熟度的各式各样的需求提供支持,并与其共同成长,携手应对日益严峻的网络攻击。其解决方案结合机器学习、自动化、实时威胁情报以及来自 Sophos X-Ops 的前线真人专家的专业知识,提供 24/7 全天候高级威胁监控、侦测与响应服务。
Sophos 提供行业领先的托管式侦测与响应 (MDR) 服务,同时配备一整套全面的网络安全技术组合,包括端点、网络、电子邮件和云安全、扩展式侦测与响应 (XDR)、身份辨识威胁侦测与响应 (ITDR),以及下一代 SIEM。结合专家咨询服务,这些能力帮助组织主动降低风险,并更迅速地响应,提供力求在不断变化的威胁面前保持领先所需的可见性和可扩展性。
Sophos 通过全球合作伙伴生态系统进入市场,包括托管式服务提供商 (MSPs)、托管式安全服务提供商 (MSSPs)、经销商、分销商、市场集成商以及网络风险合作伙伴,为组织提供灵活的选择,使其能够在保护业务安全的同时建立值得信赖的合作关系。  Sophos 总部位于英国牛津。如欲了解更多信息,请访问 www.sophos.cn。