This malware botnet gang has stolen millions with a surprisingly simple trick
The long-running botnet known as MyKings is still in business and has raked in at least $24.7 million by using its network of compromised computers to mine for cryptocurrencies.
MyKings, also known as Smominru and Hexmen, is the world’s largest botnet dedicated to mining cryptocurrencies by free-riding off its victims’ desktop and server CPUs. It’s a lucrative business that gained attention in 2017 after infecting more than half a million Windows computers to mine about $2.3 million of Monero in a month.
Security firm Avast has now confirmed its operators have acquired at least $24.7 million in various cryptocurrencies that have been transferred to Bitcoin, Ethereum and Dogecoin accounts.
It contends, however, that the group made most of this through its ‘clipboard stealer module’. When it detects that someone has copied a cryptocurrency wallet address (for example to make a payment) this module then swaps in a different cryptocurrency address controlled by the gang.
Avast claims to have blocked the MyKings clipboard stealer from 144,000 computers since the beginning of 2020: the clipboard stealer module has existed since 2018.
Security firm Sophos’s research found that the clipboard stealer, a trojan, monitors PCs for the use of various coin wallet formats. It works because people often use the copy/paste function to insert relatively long wallet IDs when accessing an account.
“This method relies on the practice that most (if not all) people don’t type in the long wallet IDs rather store it somewhere and use the clipboard to copy it when they need it,” Sophos notes in a report.
“Thus, when they would initiate a payment to a wallet, and copy the address to the clipboard, the Trojan quickly replaces it with the criminals’ own wallet, and the payment is diverted to their account.”
However, Sophos also noted that the coin addresses it identified “hadn’t received more than a few dollars”, suggesting coin stealing was a minor part of the MyKings business.
The crypto-mining side of the business was doing well in 2019, with Sophos estimating it made about $10,000 a month in October 2019.
Avast now argues that MyKings is making a lot more money from the clipboard trojan after expanding on the 49 coin addresses identified in Sophos’ research to more than 1,300 coin addresses. Avast suggests the role of the clipboard stealer might be much larger than Sophos discovered.
“This malware counts on the fact that users do not expect to paste values different from the one that they copied,” Avast researchers explain in a report.
“It is easy to notice when someone forgets to copy and paste something completely different (e.g. a text instead of an account number), but it takes special attention to notice the change of a long string of random numbers and letters to a very similar looking string, such as cryptowallet addresses.
“This process of swapping is done using functions OpenClipboard, EmptyClipboard, SetClipboardData and CloseClipboard. Even though this functionality is quite simple, it is concerning that attackers could have gained over $24,700,000 using such a simple method.”
Some circumstantial evidence to back the theory that the clipboard stealer is actually effective includes comments from people on Etherscan who claimed to have accidentally transferred sums to accounts included in Avast’s research.
“We highly recommend people always double-check transaction details before sending money,” Avast notes.
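As an added illustration (not code from Avast, Sophos or the original article), the swap described above can be spotted from the defender's side by flagging any wallet-shaped clipboard value that is replaced moments later by a different value of the same format. The clipboard event log, the two-second window and the simplified address patterns are assumptions, and the sample addresses are constructed.

```python
import re
from dataclasses import dataclass

# Simplified shape checks only (assumption): no checksum validation is done.
WALLET_FORMATS = {
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "bitcoin": re.compile(
        r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71})$"),
    "dogecoin": re.compile(r"^D[1-9A-HJ-NP-Za-km-z]{33}$"),
}

@dataclass
class ClipEvent:
    ts: float   # seconds since monitoring started
    text: str   # clipboard content after the change

def wallet_format(text):
    """Return the coin name whose address shape the text matches, else None."""
    candidate = text.strip()
    for name, pattern in WALLET_FORMATS.items():
        if pattern.match(candidate):
            return name
    return None

def find_swaps(events, window=2.0):
    """Flag consecutive events where an address is replaced by a different
    address of the same format within `window` seconds."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        fmt = wallet_format(prev.text)
        if (fmt is not None and fmt == wallet_format(cur.text)
                and prev.text.strip() != cur.text.strip()
                and cur.ts - prev.ts <= window):
            alerts.append((fmt, prev, cur))
    return alerts

# Constructed sample data: none of these are real wallet addresses.
ETH_COPIED = "0x" + "1a2b" * 10
ETH_SWAPPED = "0x" + "1a2b" * 9 + "9f9f"
DOGE_FIRST = "D" + "8" * 33
SAMPLE = [
    ClipEvent(10.0, "meeting notes"),
    ClipEvent(42.0, ETH_COPIED),       # user copies a payment address
    ClipEvent(42.3, ETH_SWAPPED),      # replaced 0.3 s later: flagged
    ClipEvent(90.0, DOGE_FIRST),
    ClipEvent(300.0, "D" + "9" * 33),  # a later, deliberate copy: not flagged
]

if __name__ == "__main__":
    for fmt, before, after in find_swaps(SAMPLE):
        print(f"{fmt} address replaced: {before.text} -> {after.text}")
```

The time window is what separates an automated replacement from a user copying a second address, so it should be tuned to how the monitored users actually work.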