MyKings botnet steals cryptocurrency via clipboard

The MyKings botnet (aka Smominru and DarkCloud) is still active and steals cryptocurrency, while its operatorsearnhuge sums. Dựa theo Avast research, cybercriminalswallets hold at least $ 24 million in Bitcoin, Ethereum, and Dogecoin.

It is not known if all the funds were stolen from MyKings, but at least some of this amount was definitely obtained using this botnet.

MyKings is one of the most analyzed botnets in recent years, and it is especially interesting for researchers due to its extensive infrastructure and numerous features, including bootkits, miners, droppers, clipboard data stealing solutions and much more.

Analysts at Avast Threat Labs say they have collected over 6,700 unique MyKings samples for analysis (since the beginning of 2020). During the same period, Avast products protected more than 144,000 users from this malware, and most of the attacks occurred in Russia, India and Pakistan.

Avast statistic

The way MyKings works is very simple: after installation, the malware keeps track of what the victim is copying to the clipboard. Having found the address of the user’s cryptocurrency wallet in the buffer, the malware replaces it with the address of the wallet of its operators. Sau đó, when the victim inserts from the buffer (as he thinks) the correct address of his crypto wallet, he is actually inserting the address of the criminalswallet. Thus, the cryptocurrency is sent to the pockets of the attackers.

This is a simple but very effective trick: hackers rely on users not to notice that a long and complex account number has changed.the Avast experts say.

The botnet uses many cryptocurrency wallets, some of which are quite high in value. Avast reports that the cryptocurrency in these wallets was collected mainly by spoofing addresses in the clipboard, as well as mining.

MyKings

It is also reported that Avast experts have discovered a new monetization method used by MyKings operatorsthrough the Steam gaming platform. Recent versions of malware have a new system for manipulating URLs in the module for stealing data from the clipboard. This system is designed to intercept the URL of Steam trade transactions. The module replaces the address of the trade offer, and therefore the hacker becomes the receiving party in the transaction, who eventually steals the user’s valuable game items.

Let me remind you that I also told that BloodyStealer malware hijacks Steam, Epic Games Store and EA Origin accounts.

Helga Smith

Tôi luôn quan tâm đến khoa học máy tính, đặc biệt là bảo mật dữ liệu và chủ đề, được gọi là ngày nay "khoa học dữ liệu", kể từ khi tôi còn ở tuổi thiếu niên. Trước khi vào nhóm Diệt Virus với vai trò Tổng biên tập, Tôi đã làm việc với tư cách là chuyên gia an ninh mạng tại một số công ty, bao gồm một trong những nhà thầu của Amazon. Một trải nghiệm khác: Tôi đã nhận được đang giảng dạy tại các trường đại học Arden và Reading.

Gửi phản hồi

Website này sử dụng Akismet để hạn chế spam. Tìm hiểu bình luận của bạn được duyệt như thế nào.

Nút quay lại đầu trang