MyKings botnet steals cryptocurrency via clipboard

The MyKings botnet (aka Smominru and DarkCloud) is still active and steals cryptocurrency, while its operators “earn” huge sums. According to Avast research, cybercriminals’ wallets hold at least $ 24 million in Bitcoin, Ethereum, and Dogecoin.

It is not known if all the funds were stolen from MyKings, but at least some of this amount was definitely obtained using this botnet.

MyKings is one of the most analyzed botnets in recent years, and it is especially interesting for researchers due to its extensive infrastructure and numerous features, including bootkits, miners, droppers, clipboard data stealing solutions and much more.

Analysts at Avast Threat Labs say they have collected over 6,700 unique MyKings samples for analysis (since the beginning of 2020). During the same period, Avast products protected more than 144,000 notendur frá þessum spilliforritum, og flestar árásirnar áttu sér stað í Rússlandi, Indlandi og Pakistan.

Hvernig MyKings virkar er mjög einfalt: eftir uppsetningu, spilliforritið heldur utan um það sem fórnarlambið er að afrita á klemmuspjaldið. Eftir að hafa fundið heimilisfang dulritunargjaldmiðils veskis notandans í biðminni, spilliforritið kemur í staðinn fyrir heimilisfang veskis rekstraraðila þess. Eftir það, þegar fórnarlambið setur inn úr biðminni (eins og hann heldur) rétt heimilisfang dulritunarvesksins hans, hann er í raun að setja inn heimilisfang glæpamannanna’ veski. Þannig, dulritunargjaldmiðillinn er sendur í vasa árásarmannanna.

Botnetið notar mörg dulmálsveski, some of which are quite high in value. Avast reports that the cryptocurrency in these wallets was collected mainly by spoofing addresses in the clipboard, as well as mining.

Let me remind you that I also told that BloodyStealer spilliforrit rænir Steam, Epic Games Store og EA Origin reikningar.