Five years after it first appeared in the wild, the MyKings botnet (aka Smominru or DarkCloud) is still actively spreading, earning huge amount of money in cryptocurrency. Since 2019, the operators behind MyKings have amassed at least $24 million in Bitcoin, Ethereum and Dogecoin cryptocurrency, researchers at Avast revealed.
“We can safely assume that this number is in reality higher, because the amount consists of money gained in only three cryptocurrencies fr om more than 20 in total used in malware. It is also important to note here that not all of the money present in the cryptowallets necessarily comes from the MyKings campaign alone,” they wrote in a report.
The botnet uses many cryptowallet addresses, some of which have quite high balances. The researchers believe that part of this money was gained through a clipboard stealer and cryptomining software.
Active since at least 2016, the botnet’s vast infrastructure consists of multiple parts and modules, including bootkits, coin miners, droppers, clipboard stealers, and more.
The researchers said that since the beginning of 2020 they discovered over 6,000 unique MyKings samples, and that during this period Avast prevented 144,000 attacks against its clients, with the majority of victims located in Russia, India, and Pakistan.
The malware has several defense mechanisms to help it avoid detection.
“Another mechanism serving as a defense of this malware is trying to hide the addresses of cryptowallets belonging to attackers. When the malware matches any of the regular expressions in the clipboard, it substitutes the clipboard content with a value that is hardcoded inside the malware sample. For protection against quick analysis and against static extraction with regular expressions, the substitute values are encrypted. Encryption used is a very simple ROT cipher, wh ere the key is set to -1,” Avast notes.
However, the researchers said they have not noticed any significant upgrades in the recent samples.
In addition to wallet address substitution that hijacks transactions, MyKings operators implemented a new monetization technique involving the Steam gaming platform.
The most recent versions of the malware come with a new URL manipulation system in the clipboard stealing module, used to hijack trade transactions of Steam objects. The module changes the URL of the commercial offer, so Steam users send their items to attackers instead of intended recipient.
Similar functionality has been added for the cloud disk storage service Yandex, with MyKings modifying URLs sent by users to their acquaintances.
“The objective of this technique is to match links that users are sending to their friends and family to share files or photos. If the malware runs on the sender’s machine, the infected victim is sending wrong links to all their acquaintances. If the malware runs on the machine of the user that receives the link and copy/pastes it to the browser address bar, the victim again opens a wrong link. In both cases, the wrong link gets opened by someone unaware that the content is wrong. In both cases, the victim downloads files from that link and opens them, because there is no reason to not trust the files received from someone they know,” the researchers said.
The tampered links lead to Yandex storage addresses containing RAR or ZIP archives named “photos”, which infect the machines with the MyKings malware.