MyKings botnet is still active and operating

Summary

The MyKings botnet, also known as Smominru and DarkCloud, first appeared in 2016 and is reported to have been active ever since. New research from Avast Threat Labs shows that “since 2019, the operators behind MyKings have amassed at least $24 million USD (and likely more) in the Bitcoin, Ethereum, and Dogecoin cryptowallets associated with MyKings”.

MyKings is known for earning massive amounts of money in cryptocurrency; what interests researchers is that “Its vast infrastructure consists of multiple parts and modules, including bootkit, coin miners, droppers, clipboard stealers, and more.”

Target Countries

The Avast Threat Labs team gathered 6,700 unique samples from 2020 to conduct their research. Avast protected around 144,000 users, mostly in Russia, India, and Pakistan.

The report states that the amount the attackers gained through Bitcoin, Ethereum, and Dogecoin accounts is confirmed to be more than $24,700,000 worth of cryptocurrency. Avast also believes that some of the money came from crypto mining and from the clipboard stealer, since the same cryptocurrency wallet addresses were seen in use by both.

The malware uses encryption to hide the crypto wallet addresses: “For protection against quick analysis and against static extraction with regular expressions, the substitute values are encrypted. Encryption used is a very simple ROT cipher, where the key is set to -1.”

Avast was also able to identify a new monetization technique via Steam trade frauds.

“This kind of expression is supposed to match Steam trade offer links. Users on the Steam platform can create trade offers to trade what are usually in-game items from their inventory with other users. The value of the items that can be traded starts at only a few cents, but the most expensive items are being sold for hundreds or thousands of dollars. The clipboard stealer manipulates the trade offer URL and changes the receiving side, so Steam users send their items to someone completely unknown”
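Taking the ROT-encoded substitute values and the Steam trade offer links together, here is an added example (not code from the Avast report or from MyKings itself) of how an analyst can pull such values out of a sample: shift every byte by one position and only then run the regex extraction the encoding is meant to block. The address and Steam-link regexes, the constructed sample blob, and the assumption that key -1 means the decoder adds one (both directions are tried) are this example's own.

```python
import re

# Approximate patterns for the address kinds the report names plus Steam trade
# offer links (this example's own regexes, not the stealer's).
PATTERNS = {
    "bitcoin":  re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b"),
    "ethereum": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "dogecoin": re.compile(r"\bD[5-9A-HJ-NP-U][1-9A-HJ-NP-Za-km-z]{32}\b"),
    "steam":    re.compile(r"https://steamcommunity\.com/tradeoffer/new/\?partner=\d+&token=[A-Za-z0-9_-]+"),
}

def rot_bytes(data: bytes, key: int) -> bytes:
    """Shift every byte by `key` (mod 256): the report's ROT cipher with key -1."""
    return bytes((b + key) & 0xFF for b in data)

def find_addresses(text: str) -> list[tuple[str, str]]:
    """Plain regex extraction, the step the ROT encoding is meant to defeat."""
    return [(kind, m.group(0)) for kind, rx in PATTERNS.items() for m in rx.finditer(text)]

def scan_sample(data: bytes, keys=(1, -1)) -> list[tuple[int, str, str]]:
    """(shift, kind, value) for every address visible as-is (shift 0) or only
    after shifting each byte by one of `keys`. The report says the key is -1,
    so the decoding shift should be +1; both directions are tried so that
    assumption about the key's direction does not matter."""
    found = [(0, kind, val) for kind, val in find_addresses(data.decode("latin-1"))]
    for key in keys:
        shifted = rot_bytes(data, key).decode("latin-1")
        found += [(key, kind, val) for kind, val in find_addresses(shifted)]
    return found

# Constructed test blob: one plaintext address plus three ROT(-1)-encoded
# substitute values, NUL-separated the way a packed config might be.
PLAIN_BTC = "1ConstructedSampAddrForTestQnXyzAb"
HIDDEN = [
    "0x" + "deadbeef" * 5,
    "DConstructedDogeAddrForTestQnXyzAb",
    "https://steamcommunity.com/tradeoffer/new/?partner=123456789&token=abcdEFGH",
]
SAMPLE = (b"MyKings clipboard stealer test blob\x00" + PLAIN_BTC.encode() + b"\x00"
          + b"\x00".join(rot_bytes(h.encode(), -1) for h in HIDDEN) + b"\x00")

if __name__ == "__main__":
    for shift, kind, value in scan_sample(SAMPLE):
        print(f"shift {shift:+d}  {kind:9s} {value}")
```

Running a plain `find_addresses` on the raw blob returns only the one unencoded Bitcoin address; the three substitute values surface only at shift +1.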

The use of fake Yandex Disk links was also seen. These links point to RAR or ZIP archives hosted at Yandex storage addresses. When victims download the files and open them, the MyKings malware gets onto their machines.

References

Find the report published by Avast and Sophos.