MyKings botnet still active and making massive amounts of money

MyKings botnet (aka Smominru or DarkCloud) is still actively spreading and making huge amounts of money in crypto, five years after it first appeared in the wild.

As one of the most analyzed botnets in recent history, MyKings is of particular interest to researchers thanks to its vast infrastructure and versatile features, including bootkits, miners, droppers, clipboard thieves, and more.

The latest research team to study MyKings is Avast Threat Labs, which has collected 6,700 unique samples for analysis since the beginning of 2020.

During the same period, Avast actively prevented over 144,000 attacks on MyKings against its customers, most of them based in Russia, India and Pakistan.

Sacrifice heat cards
Sacrifice heat cards
Source: Avast

Botnets use many cryptocurrency wallet addresses where the balance in some of them is quite high. Avast believes that the cryptocurrencies of these wallets were assembled by the clipboard stealer and the cryptocurrency miners.

Earnings reflected in the wallet addresses associated with MyKings are approximately $ 24.7 million. However, since the botnet uses more than 20 cryptocurrencies in total, this amount is only part of its total financial gains.

Earnings related to three cryptocurrencies
Earnings related to three cryptocurrencies
Source: Avast

To protect the hard-coded wallet address value from extraction and analysis, malware encrypts it with a simple ROT cipher. In general, however, no notable upgrades have been seen on that front in recent trials.

New URL Substitution Tricks

Aside from the wallet-changing address diversion, Avast has also seen a new revenue-generating technology used by MyKings operators involving the Steam gaming platform.

Victims of Steam users complaining about the trade link changes
Victims of Steam users complaining about the changes in the trade connection
Source: Avast

The latest versions of malware also include a new URL manipulation system in the Clipboard Stealer module that attackers created to hijack Steam merchandise transactions. The module changes the trade offer URL so that the actor is placed at the receiving end and steals valuable items in the game, etc.

Similar functionality was added to the Yandex disk storage service, where MyKing manipulated the URLs sent by users to their acquaintances.

The modified links point to Yandex storage addresses that contain RAR or ZIP files named “photos”, which provide a copy of MyKings malware to these machines.

Fake 'photos' archive that provides malware
Fake ‘photos’ archive that provides malware
Source: Avast

In 2018, MyKings grew steadily, with malware reaching 520,000 infections and earning millions of dollars for its operators.

Today, it seems that the botnet has grown to new proportions, while still managing to remain hidden and free of law enforcement.

Leave a Comment