A lot of cybercriminal groups adopt themes drawn from current events to attract victims, and there's no bigger global news story right now than the ongoing fight against the novel coronavirus or the disease it causes, COVID-19.

While most attackers who reference ripped-from-the-headlines topics tend to use those lures in malicious emails or text messages, the operators of the MyKings botnet don't use those types of methods to spread infections; they prefer cracking SQL servers or using the EternalBlue exploit to infect computers.

MyKings have taken a slightly different approach: they added references to our global pandemic into the source code of their malware itself.

But that's not the only news about this group, which we've covered in previous SophosLabs Uncut posts.

The botnet's operators made significant changes to their infrastructure, moving almost all of the domains they use to distribute the malware (including a few new ones) so that they are hosted on a single IP address.

As it turned out, this server is also used to distribute some of the updated components: we noticed a new FTP drop site used by the botnet, residing on the IP address 185.26.112.217.

They've also enhanced the update mechanism with a twist, rolling into production a previously-developed but unused feature to update the C2 servers used by the bootkit components.
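Two of the observations above are directly actionable for defenders: the consolidation of distribution domains onto a single IP, and the FTP drop site at 185.26.112.217. The script below is an added example, not code from the SophosLabs post, that runs both checks over constructed DNS and firewall log lines. The log format and the placeholder domain names (`*.invalid`) are assumptions; the write-up names the drop-site IP but not the distribution domains, so the only value taken from the page is that IP.

```python
import re
from collections import defaultdict

# Indicator from the write-up above: the MyKings FTP drop site.
MYKINGS_FTP_DROP = "185.26.112.217"

# Constructed sample log lines (not real telemetry). The log format is assumed,
# and the domain names are placeholders in the reserved .invalid TLD.
SAMPLE_LOGS = """\
2020-04-01T10:00:01Z dns query=dl-one.invalid answer=185.26.112.217
2020-04-01T10:00:02Z dns query=dl-two.invalid answer=185.26.112.217
2020-04-01T10:00:03Z dns query=dl-three.invalid answer=185.26.112.217
2020-04-01T10:00:04Z dns query=cdn.example.invalid answer=203.0.113.5
2020-04-01T10:01:00Z conn src=10.0.0.12 dst=185.26.112.217 dport=21 proto=tcp
2020-04-01T10:01:05Z conn src=10.0.0.13 dst=203.0.113.5 dport=443 proto=tcp
2020-04-01T10:02:00Z conn src=10.0.0.14 dst=185.26.112.217 dport=80 proto=tcp
"""

DNS_RE = re.compile(
    r"dns query=(?P<name>\S+) answer=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
CONN_RE = re.compile(r"conn src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def domains_by_ip(log_text):
    """Map each resolved IP address to the set of names seen resolving to it."""
    mapping = defaultdict(set)
    for line in log_text.splitlines():
        m = DNS_RE.search(line)
        if m:
            mapping[m.group("ip")].add(m.group("name"))
    return mapping


def consolidated_hosts(log_text, min_domains=3):
    """IPs that host at least `min_domains` distinct names.

    Many unrelated-looking download domains collapsing onto one address is the
    infrastructure-consolidation pattern described in the post; the threshold
    is a tunable assumption, not a figure from the write-up.
    """
    return {
        ip: sorted(names)
        for ip, names in domains_by_ip(log_text).items()
        if len(names) >= min_domains
    }


def ioc_connections(log_text, ioc_ip=MYKINGS_FTP_DROP):
    """Outbound connections to the IoC address, with FTP (port 21) called out."""
    hits = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m and m.group("dst") == ioc_ip:
            hits.append(
                {
                    "src": m.group("src"),
                    "dport": int(m.group("dport")),
                    "ftp": m.group("dport") == "21",
                }
            )
    return hits


if __name__ == "__main__":
    for ip, names in consolidated_hosts(SAMPLE_LOGS).items():
        print(f"{ip} hosts {len(names)} distribution names: {', '.join(names)}")
    for hit in ioc_connections(SAMPLE_LOGS):
        kind = "FTP" if hit["ftp"] else f"tcp/{hit['dport']}"
        print(f"{hit['src']} contacted drop site over {kind}")
```

The consolidation check is the more durable of the two: a single drop-site IP will eventually move, but an operator who has just collapsed their distribution domains onto one host tends to keep doing so, so a pivot from any one flagged domain to its resolved address surfaces the rest.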