Uncovering a MyKings Variant With Bootloader Persistence via Managed Detection and Response

In May, during the Managed Detection and Response service on-boarding process of an electronics company in the Asia-Pacific region, we noticed suspicious activity via the Trend Micro Deep Discovery Inspector that turned out to be related to EternalBlue, an exploit perhaps more popularly known for being used in the WannaCry attacks. After the discovery, we sent our first alert to the company regarding the possible threat.

A few days later, we found evidence of communication from one of the company’s machines to the following URLs, which we confirmed to be infection vectors:

  • hxxp://js[.]mykings.top:280/v[.]sct
  • hxxp://js[.]mykings.top:280/helloworld[.]msi

The URLs contained the word “mykings,” matching the naming of the command-and-control (C&C) servers we documented in our previous analysis of the botnet in August 2017. This gave us the first clue as to what the threat was.
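As an added example (not part of the original Trend Micro post), the following Python script shows how a defender can turn the defanged indicators listed above back into matchable URLs and sweep proxy logs for them, flagging exact URL hits, hits on the same host and port, and looser hits on the parent domain (the “mykings” naming that provided the first clue). The log format and the log lines are constructed for this example; the registered-domain derivation is a simple heuristic with no public-suffix handling.

```python
import re
from urllib.parse import urlsplit

# Defanged indicators exactly as listed in the report above.
DEFANGED_IOCS = [
    "hxxp://js[.]mykings.top:280/v[.]sct",
    "hxxp://js[.]mykings.top:280/helloworld[.]msi",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp, [.], [:]) back into a real URL."""
    s = indicator.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def _host_port(url: str):
    """(hostname, port) for a URL, defaulting the port by scheme."""
    p = urlsplit(url)
    if not p.hostname:
        return None
    port = p.port or (443 if p.scheme.lower() == "https" else 80)
    return p.hostname.lower(), port


def ioc_hosts(iocs):
    """Set of (host, port) pairs derived from the refanged indicator URLs."""
    return {hp for hp in (_host_port(refang(i)) for i in iocs) if hp}


def ioc_domains(iocs):
    """Heuristic parent domains (last two labels) of the indicator hosts."""
    return {".".join(h.split(".")[-2:]) for h, _ in ioc_hosts(iocs)}


# Constructed proxy log lines (hypothetical format: timestamp src url status).
SAMPLE_LOG = """\
2019-05-14T02:11:09Z 10.20.1.37 http://js.mykings.top:280/v.sct 200
2019-05-14T02:11:10Z 10.20.1.37 http://update.example.com/agent.msi 200
2019-05-14T02:12:41Z 10.20.1.52 http://js.mykings.top:280/helloworld.msi 200
2019-05-14T02:13:00Z 10.20.1.60 https://mykings.top/ 404
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$")


def find_ioc_hits(log_text, iocs=DEFANGED_IOCS):
    """Return (src, url, reason) for every log line that matches an indicator.

    reason is "exact-url", "host-port" or "domain", from strongest to weakest.
    """
    exact = {refang(i).lower() for i in iocs}
    hosts = ioc_hosts(iocs)
    domains = ioc_domains(iocs)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        url = m.group("url")
        hp = _host_port(url)
        if hp is None:
            continue
        host, _ = hp
        if url.lower() in exact:
            hits.append((m.group("src"), url, "exact-url"))
        elif hp in hosts:
            hits.append((m.group("src"), url, "host-port"))
        elif host in domains or any(host.endswith("." + d) for d in domains):
            hits.append((m.group("src"), url, "domain"))
    return hits


if __name__ == "__main__":
    for src, url, reason in find_ioc_hits(SAMPLE_LOG):
        print(f"{reason:10s} {src:12s} {url}")
```

The three tiers let an analyst triage quickly: an exact URL or host-and-port hit is strong evidence of the same campaign, while a parent-domain hit is a lead worth correlating with other telemetry (for example the EternalBlue detections mentioned above) rather than a confirmation on its own.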

Source: Trend Micro