MyKings, a long-running botnet, is still active and has generated at least $24.7 million by using its network of compromised computers to mine for cryptocurrencies.
It is also known as Smominru and Hexen and is the world's largest botnet focused on mining cryptocurrencies by exploiting the CPUs of its victims' desktop and server computers. It's a profitable business that grabbed notoriety in 2017 after infecting more than half a million Windows machines to mine $2.3 million of Monero in a month.
A security firm, Avast has now verified that its operators have received at least $24.7 million in cryptocurrencies, which have been transferred to Bitcoin, Ethereum, and Dogecoin accounts.
It states, however, that the majority of this was accomplished by the group's 'clipboard stealer module.' When it detects that a cryptocurrency wallet address has been duplicated (for example, to make a payment), this module replaces it with a new cryptocurrency address authorized by the group.
Since the beginning of 2020, Avast claims to have blocked the MyKings clipboard stealer from 144,000 computers: the clipboard stealer module has emerged in 2018.
According to the study of the security firm Sophos, the clipboard stealer, a trojan, monitors PCs for the usage of various currency wallet formats. It operates because users frequently utilise the copy/paste option to enter rather lengthy wallet IDs when logging into an account.
Sophos noted in a report, "This method relies on the practice that most (if not all) people don't type in the long wallet IDs rather store it somewhere and use the clipboard to copy it when they need it. Thus, when they would initiate a payment to a wallet, and copy the address to the clipboard, the Trojan quickly replaces it with the criminals' own wallet, and the payment is diverted to their account."
Sophos did mention, however, that the coin addresses it discovered "hadn't received more than a few dollars," implying that coin theft was a tiny component of the MyKings operation. Sophos estimates that the crypto-mining part of the company generated around $10,000 per month in October 2019.
Avast now claims that MyKings is generating significantly more money from the clipboard trojan after extending the 49 coin addresses uncovered in Sophos' investigation to over 1,300 coin addresses.
According to Avast, the clipboard stealer's involvement may be far greater than Sophos uncovered. Avast researchers explain in a report, "This malware count on the fact that users do not expect to paste values different from the one that they copied. It is easy to notice when someone forgets to copy and paste something completely different (e.g. a text instead of an account number), but it takes special attention to notice the change of a long string of random numbers and letters to a very similar looking string, such as crypto wallet addresses.”
"This process of swapping is done using functions OpenClipboard, EmptyClipboard, SetClipboardData and CloseClipboard. Even though this functionality is quite simple, it is concerning that attackers could have gained over $24,700,000 using such a simple method."
Remarks from users on Etherscan who claimed to have mistakenly sent amounts to accounts covered in Avast's study provide circumstantial evidence to support the idea that the clipboard stealer is certainly effective.
Avast recommended that people should always double-check transaction details before sending money.
