MyKings/Smominru botnet multi-purpose botnet activity detected
Target: Systems that have not patched the relevant vulnerabilities, CVE-2017-0144 (EternalBlue, SMBv1) and CVE-2017-0176 (EsteemAudit, RDP)
Attack Vector: Remote code execution through a flaw in SMBv1 request handling (CVE-2017-0144) and a buffer overflow in RDP (CVE-2017-0176), used to deploy cryptomining software on compromised hosts
Summary: MyKings has been active since April 2017. It differs from a typical botnet in that it is composed of a range of sub-botnets, and over the past 10 months it has been used for a variety of malicious activities.
Most recently the botnet has been observed monetizing compromised hosts through cryptomining: the operators exploit unpatched machines and install mining software that mines cryptocurrency on their behalf. While cryptomining has been the primary focus of the operation, the botnet has also been used for other malicious activity. As of the end of January 2018 the operators are estimated to have mined between $2.8M and $3.6M worth of Monero. A profit of this size can be reinvested: into developing further botnets capable of larger-scale attacks, into research on new vulnerabilities, or into purchasing credentials and tools from underground markets to facilitate further attacks.
Risk assessment summary: The threat is assessed as 3d MODERATE. The threat is clear and this type of activity is on an upward trend, with the botnet being used effectively for a range of activities in addition to cryptomining, as the large sums already mined demonstrate. There have been recent cases of infections stalling business operations for days or weeks at a time. However, the vulnerabilities being exploited are not new and patches are available, so the number of vulnerable machines is steadily decreasing. Organizations can further reduce their exposure by not exposing SMB (TCP 445) and RDP (TCP 3389) to untrusted networks and by disabling SMBv1 where it is not required. Even so, the botnet retains a certain level of risk, as the vulnerabilities it relies on are being exploited in the wild.
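The script below is an added example for the "configure ports correctly" point above; it is not part of this advisory and not the botnet's tooling. It builds an SMBv1 NEGOTIATE request that offers only the NT LM 0.12 dialect and classifies the reply, so a host that answers "smb1" still exposes the SMBv1 service that EternalBlue (CVE-2017-0144) targets. The three sample replies are constructed inline for offline use; the live probe assumes, as Windows does when SMBv1 is disabled, that the server drops the connection rather than answering.

```python
import socket
import struct

SMB_COM_NEGOTIATE = 0x72
SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB1_DIALECT = b"NT LM 0.12"  # the SMBv1 dialect that MS17-010-vulnerable servers accept


def build_negotiate_request(dialects=(SMB1_DIALECT,)):
    """Build a NetBIOS-framed SMB_COM_NEGOTIATE request offering only `dialects`."""
    header = SMB1_MAGIC
    header += struct.pack("<B", SMB_COM_NEGOTIATE)    # Command
    header += struct.pack("<I", 0)                    # NT Status
    header += struct.pack("<B", 0x18)                 # Flags: canonical, case-insensitive paths
    header += struct.pack("<H", 0xC801)               # Flags2: Unicode, NT status codes, long names
    header += struct.pack("<H", 0)                    # PIDHigh
    header += b"\x00" * 8                             # SecurityFeatures (no signing)
    header += struct.pack("<H", 0)                    # Reserved
    header += struct.pack("<HHHH", 0, 0xFEFF, 0, 0)   # TID, PIDLow, UID, MID
    # Each dialect is BufferFormat 0x02 followed by a NUL-terminated name.
    body = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    params = struct.pack("<BH", 0, len(body))         # WordCount = 0, ByteCount
    smb = header + params + body
    # NetBIOS session message: type 0x00 followed by a 24-bit big-endian length.
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def classify_negotiate_response(data):
    """Return 'smb1' if the server selected an SMBv1 dialect, 'smb2' if it answered
    with an SMB2 header, or 'refused' if it rejected every offered dialect."""
    if len(data) < 4 or data[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(data[1:4], "big")
    smb = data[4:4 + length]
    if len(smb) != length:
        raise ValueError("truncated message")
    if smb.startswith(SMB2_MAGIC):
        return "smb2"
    if not smb.startswith(SMB1_MAGIC) or len(smb) < 35:
        raise ValueError("not an SMB1 negotiate response")
    command, flags = smb[4], smb[9]
    if command != SMB_COM_NEGOTIATE or not flags & 0x80:  # 0x80 = SMB_FLAGS_REPLY
        raise ValueError("not an SMB1 negotiate response")
    word_count = smb[32]
    if word_count == 0:
        return "refused"
    (dialect_index,) = struct.unpack_from("<H", smb, 33)
    # Per MS-CIFS a DialectIndex of 0xFFFF means no offered dialect was acceptable.
    return "refused" if dialect_index == 0xFFFF else "smb1"


def probe_smb1(host, port=445, timeout=5.0):
    """Send the request to a live host. Returns the classification, or 'closed'
    when the server drops the connection (Windows does this with SMBv1 disabled)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_negotiate_request())
            data = sock.recv(4096)
    except (ConnectionResetError, socket.timeout):
        return "closed"
    return classify_negotiate_response(data) if data else "closed"


def _smb1_reply(word_count, dialect_index):
    """Constructed SMBv1 negotiate reply (reply flag set) for offline testing."""
    header = (SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 4 + b"\x98"
              + struct.pack("<H", 0xC801) + b"\x00" * 2 + b"\x00" * 8 + b"\x00" * 2
              + b"\x00" * 8)
    words = struct.pack("<H", dialect_index) + b"\x00" * (2 * word_count - 2)
    smb = header + bytes([word_count]) + words + struct.pack("<H", 0)  # ByteCount = 0
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


# Constructed sample replies: a server accepting NT LM 0.12, one refusing every
# dialect, and one that answered with an SMB2 header.
SAMPLE_SMB1_ACCEPT = _smb1_reply(17, 0)
SAMPLE_SMB1_REFUSED = _smb1_reply(1, 0xFFFF)
SAMPLE_SMB2 = b"\x00" + (64).to_bytes(3, "big") + SMB2_MAGIC + struct.pack("<H", 64) + b"\x00" * 58


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        print(host, probe_smb1(host))
```

A result of "smb1" means the host still speaks the dialect EternalBlue needs and should be checked for MS17-010 and for exposure of TCP 445 beyond trusted networks; it does not by itself prove the patch is missing. "closed" or "refused" means SMBv1 is off the table, and "smb2" means the server answered on the newer protocol, which is what a hardened host should return when any dialect list other than SMBv1-only is offered.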