MyKings botnet makes millions in crypto by exploiting the easy shortcut

The malware has run mining cryptocurrency for five years and still is in business

Attackers have gained at least $24 million using simple methods of swapping the copied wallet addresses.

The botnet known by MyKings, Smominru or Hexmen, is the largest botnet particularly dedicated to cryptocurrency mining.^[1] The threat rides off users' desktop and server CPU creating digital funds.^[2] It is counted that since the release^[3] this infection made $24.7 million. It is confirmed that such operations cade millions in various cryptocurrencies and funds have been transferred to separate Bitcoin, Ethereum, Dogecoin accounts.

This is the popular way to make money without directly involving victims and malicious aspects of distribution or blackmail tactics. However, researchers^[4] indicate that the group mostly used the clipboard stealer function. The module detects when the user has copied a cryptocurrency wallet address.

Once that is detected, the code is designed to change the address to the one controlled by the hacker group, so the payment that is later made goes to criminals. Unfortunately, it is common that people do not think to double-check such information, and long strings get swapped, so criminals make a profit.

This malware counts on the fact that users do not expect to paste values different from the one that they copied. It is easy to notice when someone forgets to copy and paste something completely different (e.g. a text instead of an account number), but it takes special attention to notice the change of a long string of random numbers and letters to a very similar looking string, such as cryptowallet addresses.

Versatile malware – the most analyzed botnet in the recent history

MyKings virus is investigating by various security and malware researchers because it has various features of a botnet, miner, dropper, clipboard stealer, and more. There are thousands of samples of the threat, so the analysis that have begun back in 2020 can be very deep and thorough.

This malicious piece can run silently without causing any damage to the machine, so people not only are left not knowing that the machine is affected by the threat but also loses funds without even suspecting who can be responsible. because the threat is not displaying any symptoms, the removal of such miners or botnets can be difficult.^[5]

People tend to copy-paste such long wallet IDs and different long strings, so malware successfully runs and makes millions to this day. Thanks to such interest in the botnet, Avast managed to prevent 144 000 attacks of the botnet when the malware targeted their clients. Due to this blocking, it can be revealed that the main targets of the malware reside in Russia, India, Pakistan.

Gaming platforms and cryptocurrency are the main targets for malware

MyKings botnet also appears to be using the URL substitution tricks besides the walled address swapping. This module involves the popular gaming platform Steam. Researchers note in the report that it was spotted for the latest malware version to manipulates URLs. The technique is created to hijack Steam item trade transactions because the module changes the trade offer URL and places the receiving end to their site, so the game items with great value can get stolen.

Also, this URL manipulating module was added for the Yandex could disk storage service. Those storage addresses containing RAR or ZIP archives with names “photos” get detected, and a copy of the MyKings malware gets delivered to those machines where links point to. The botnet technology seems to grow and get advanced changes, modules, so this is the dangerous malware that can remain hidden from users and law enforcement while making fortune for developers.