The MyKings botnet is still active and brings in huge sums of money

The MyKings botnet (aka Smominru or DarkCloud) is still actively spreading, earning huge sums of money in crypto, five years after it first appeared in the wild.

Being one of the most analyzed botnets in recent history, MyKings is of particular interest to researchers thanks to its vast infrastructure and versatile features, including starter kits, miners, droppers, clipboard stealers, and more.

The latest team of researchers to look into MyKings is Avast Threat Labs, which has collected 6,700 unique samples for analysis since early 2020.

During the same period, Avast actively prevented more than 144,000 MyKings attacks against its customers, most of them based in Russia, India and Pakistan.

Heat map of victims
Source: Avast

The botnet uses many cryptocurrency wallet addresses, some of which have quite high balances. Avast believes the cryptocurrency in these wallets was amassed by the clipboard thief and crypto mining components.

The revenue reflected in MyKings-linked wallet addresses is approximately $24.7 million. However, since the botnet uses over 20 cryptocurrencies in total, this amount is only a part of its total financial earnings.

Earnings for three crypto-currencies
Source: Avast

To protect the hard-coded wallet address from extraction and analysis, the malware obfuscates it with a simple ROT encryption. Beyond that, however, no notable upgrades have been spotted on this front in recent samples.
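A simple ROT obfuscation only slows down an analyst, because the shift can be brute-forced and the right candidate confirmed with the address format's own checksum. The following is an added example, not code from the article or from Avast's analysis: it assumes the sample rotates ASCII letters only (leaving digits untouched) and that the hidden value is a Base58Check-encoded Bitcoin address; the "sample" strings below are constructed here for the demo, not taken from real MyKings binaries.

```python
import hashlib

# Base58 alphabet used by Bitcoin-style addresses (no 0, O, I or l).
BASE58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw):
    """Encode bytes as Base58; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = BASE58[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(s):
    """Decode Base58 to bytes; return None if any character is outside the alphabet."""
    n = 0
    for ch in s:
        idx = BASE58.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + raw


def is_valid_base58check(s):
    """True if the last 4 bytes equal the first 4 bytes of double-SHA256 of the rest."""
    raw = b58decode(s)
    if raw is None or len(raw) < 5:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def base58check(version, payload):
    """Build a Base58Check string (used here only to construct a demo address)."""
    data = bytes([version]) + payload
    chk = hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]
    return b58encode(data + chk)


def rot_alpha(text, shift):
    """Rotate ASCII letters by `shift`, preserving case; digits and symbols are untouched.
    Assumption: this is the ROT variant the sample uses (the article only says "simple ROT")."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def recover_addresses(strings):
    """Try every shift on each string; keep only decodings with a valid Base58Check checksum.
    Returns a list of (obfuscated, shift, decoded_address) tuples."""
    hits = []
    for s in strings:
        for shift in range(26):
            cand = rot_alpha(s, shift)
            if is_valid_base58check(cand):
                hits.append((s, shift, cand))
    return hits


# Constructed demo data: a throwaway P2PKH-style address (not a real wallet) and its ROT13 form.
_DEMO_PAYLOAD = hashlib.sha256(b"constructed demo payload, not a real key").digest()[:20]
SAMPLE_ADDRESS = base58check(0x00, _DEMO_PAYLOAD)
OBFUSCATED = rot_alpha(SAMPLE_ADDRESS, 13)

if __name__ == "__main__":
    # Simulates strings pulled from a binary: one ROT-encoded address and some noise.
    for obf, shift, addr in recover_addresses([OBFUSCATED, "not an address", "kernel32.dll"]):
        print(f"shift={shift:2d}  {obf}  ->  {addr}")
```

The checksum step is what makes the brute force reliable: several shifts can yield strings that stay inside the Base58 alphabet, but only the correct one will pass the double-SHA256 check, so the analyst gets a single unambiguous hit per encoded address instead of a list of look-alikes to verify by hand.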

New URL substitution tricks

Besides wallet address substitution that hijacks transactions, Avast has also spotted a new monetization technique used by MyKings operators involving the Steam gaming platform.

Victimized Steam users complain about changes to trade links
Source: Avast

The latest versions of the malware also feature a new URL manipulation routine in the clipboard stealing module, which the attackers created to hijack Steam item trades. The module rewrites the trade offer URL so that the threat actor ends up on the receiving end of the trade, stealing in-game items.

Similar functionality has been added for the Yandex cloud disk storage service, with MyKings manipulating links that users send to their acquaintances.

The modified links point to Yandex storage addresses containing RAR or ZIP archives named “photos”, which deliver a copy of the MyKings malware to those machines.

Fake “photo” archives containing malware
Source: Avast

In 2018, MyKings was growing steadily, with the malware reaching 520,000 infections and bringing in millions of dollars for its operators.

Today, it appears the botnet has grown to new proportions while managing to stay hidden and out of reach of law enforcement.
