MyKings botnet operators already amassed at least $24 million

The MyKings botnet (aka Smominru or DarkCloud) is still alive and continues to spread, allowing its operators to make huge amounts of money.

Avast Threat Labs researchers reported that the MyKings botnet (aka Smominru or DarkCloud) is still alive and is allowing its operators to earn huge amounts of money via cryptomining activities. Avast researchers reported that since 2019, MyKings operators have amassed at least $24 million in the Bitcoin, Ethereum, and Dogecoin. However, experts pointed out that the botnet uses more than 20 cryptocurrencies in total, for this reason the total financial gains could be greater than $24M.

“The main purpose of the clipboard stealer is rather simple: checking the clipboard for specific content and manipulating it in case it matches predefined regular expressions. This malware counts on the fact that users do not expect to paste values different from the one that they copied. It is easy to notice when someone forgets to copy and paste something completely different (e.g. a text instead of an account number), but it takes special attention to notice the change of a long string of random numbers and letters to a very similar looking string, such as cryptowallet addresses.” reads the analysis published by the expert. “This process of swapping is done using functions OpenClipboard, EmptyClipboard, SetClipboardData and CloseClipboard. Even though this functionality is quite simple, it is concerning that attackers could have gained over $24,700,000 using such a simple method.”

.The malware was first spotted in February 2018 by researchers from Proofpoint when the bot was using the EternalBlue exploit to infect Windows computers and recruit them in Monero cryptocurrency mining activities. According to the researchers, the Smominru botnet has been active at least since 2016 and at the time of its discovery infected more than 526,000 Windows computers.

The Avast researchers have analyzed 6,700 unique samples of the bot since the beginning of 2020 and claim to have protected over 144,000 Avast customers from attacks launched through the MyKings botnet. Most of the infections were observed in Russia, India, and Pakistan.

One of the defense mechanisms used by bot authors is to hide the addresses of cryptowallets used in the campaign.

“For protection against quick analysis and against static extraction with regular expressions, the substitute values are encrypted. Encryption used is a very simple ROT cipher, where the key is set to -1.” continues the analysis.

Avast researchers also discovered that botnet operators also monetize via Steam trade frauds.

“This kind of expression is supposed to match Steam trade offer links. Users on the Steam platform can create trade offers to trade what are usually in-game items from their inventory with other users. The value of the items that can be traded starts at only a few cents, but the most expensive items are being sold for hundreds or thousands dollars.” continues the report. “The clipboard stealer manipulates the trade offer URL and changes the receiving side, so Steam users send their items to someone completely unknown.”

The report published by AVAST also includes Indicators of Compromise (IoC).

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, MyKings botnet)

[adrotate banner=”5″]

[adrotate banner=”13″]