The MyKings botnet (aka Smominru and DarkCloud) is still active, and its operators “earn” huge amounts of cryptocurrency: according to Avast research, at least 24 million US dollars (about 1.72 billion rubles) in Bitcoin are stored on the wallets of attackers. Ethereum and Dogecoin. It is not known if all the funds were stolen from MyKings, but at least some of this amount was accurately obtained using this botnet.
MyKings is one of the most analyzed botnets in recent years, and it is especially interesting for researchers due to its extensive infrastructure and numerous features, including rootkits, miners, droppers, clipboard data-stealing solutions and much more.
Analysts at Avast Threat Labs say they have collected over 6,700 unique MyKings samples for analysis (since early 2020). During the same period of time, Avast products protected more than 144,000 users from this malware, and most of the attacks occurred in Russia, India and Pakistan.
The way MyKings works is very simple: after installation, the malware keeps track of what the victim is copying to the clipboard. Having found the address of the user’s cryptocurrency wallet in the buffer, the malware replaces it with the address of the wallet of its operators. After that, when the victim inserts from the buffer (as she thinks) the correct address of her crypto wallet, she is actually inserting the address of the criminals’ wallet. Thus, the cryptocurrency is sent to the pockets of the attackers.
This is a simple but very effective trick: hackers rely on users not to notice that a long and complex account number has changed.
The botnet uses a variety of cryptocurrency wallets, some of which are quite expensive. Avast reports that the cryptocurrency in these wallets was collected mainly by spoofing addresses in the clipboard, as well as mining.
It is also reported that Avast experts have discovered a new monetization method used by MyKings operators – through the Steam gaming platform. Recent versions of the malware have a new system for manipulating URLs in the module for stealing data from the clipboard. This system is designed to intercept the URL of Steam trade transactions. The module replaces the address of the trade offer, and therefore the hacker becomes the receiving party in the transaction, who eventually steals the user’s valuable game items.
MyKing has similar functionality for the Yandex. Disk cloud service: in this case, the malware manipulates URLs that the user communicates to his friends or colleagues. Spoofed links also lead to Yandex.Disk, but point to RAR or ZIP archives with the name Photos, which deliver the MyKings malware itself to the victim’s machines.
Catch up on more stories here
Follow us on Facebook here