This malware botnet gang has stolen millions with a surprisingly simple trick


Liam Tung

By

Liam Tung

| October 15, 2021

| Topic: Security


The long-running botnet known as MyKings is still in business and has raked in at least $24.7 million by using its network of compromised computers to mine for cryptocurrencies. 

MyKings, also known as Smominru and Hexmen, is the world’s largest botnet dedicated to mining cryptocurrencies by free-riding on its victims’ desktop and server CPUs. It’s a lucrative business that gained attention in 2017 after infecting more than half a million Windows computers to mine about $2.3 million of Monero in a month.

Security firm Avast has now confirmed its operators have acquired at least $24.7 million in various cryptocurrencies that have been transferred to Bitcoin, Ethereum and Dogecoin accounts. 


It contends, however, that the group made most of this money through its ‘clipboard stealer module’. When the module detects that someone has copied a cryptocurrency wallet address (for example, to make a payment), it swaps in a different address controlled by the gang, so the victim pastes and pays the attacker’s wallet instead of the intended one.

Avast claims to have blocked the MyKings clipboard stealer on 144,000 computers since the beginning of 2020; the clipboard stealer module itself has existed since 2018.

Security firm Sophos’s research found that the clipboard stealer, a trojan, monitors PCs for text in the various coin wallet address formats. It works because people generally copy and paste relatively long wallet IDs rather than type them when making a payment.

“This method relies on the practice that most (if not all) people don’t type in the long wallet IDs rather store it somewhere and use the clipboard to copy it when they need it,” Sophos notes in a report. 

“Thus, when they would initiate a payment to a wallet, and copy the address to the clipboard, the Trojan quickly replaces it with the criminals’ own wallet, and the payment is diverted to their account.”
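To make the mechanism concrete, the following is an added example (not MyKings code and not from Avast or Sophos) that simulates the clipboard swap Sophos describes, plus the two checks a defender would want: a paste-time comparison for the user or wallet UI, and a host-side detector that flags a pasted wallet address differing from the last copied one. The wallet-format regexes are format-only checks (no checksum validation) chosen for this illustration, and the attacker addresses and clipboard events are constructed placeholders.

```python
import re

# Format-only regexes for common wallet address shapes (an assumption for this
# example; the exact formats the real module matches are not given on the page).
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{39,59}$"),
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "xmr":        re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),
}

# Constructed placeholder destinations, one per format; not real attacker wallets.
ATTACKER_WALLETS = {
    "btc_legacy": "1" + "A" * 33,
    "btc_bech32": "bc1" + "q" * 39,
    "eth":        "0x" + "ab" * 20,
    "xmr":        "4" + "B" * 94,
}


def classify_wallet(text):
    """Return the wallet format name if `text` looks like a coin address, else None."""
    text = text.strip()
    for name, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


def hijack_clipboard(clipboard_text, attacker_wallets=ATTACKER_WALLETS):
    """Simulate the stealer's behaviour: a clipboard value that looks like a wallet
    address is replaced by the attacker's address of the same format; any other
    clipboard content is left untouched so the victim notices nothing."""
    fmt = classify_wallet(clipboard_text)
    if fmt is None or fmt not in attacker_wallets:
        return clipboard_text
    return attacker_wallets[fmt]


def verify_paste(intended, pasted):
    """Defensive check at payment time: the address in the form must be exactly the
    one the user meant to send to. Comparing only the first and last few characters
    is not enough; compare the whole string."""
    return intended.strip() == pasted.strip()


def detect_swaps(events):
    """Host-side detection over a clipboard event log.

    events: list of (action, value) with action in {"copy", "paste"}.
    Flags any paste of a wallet address whose value differs from the most recent
    copy; that divergence is exactly what the trojan produces, because the
    application never changed the clipboard between the copy and the paste."""
    alerts = []
    last_copied = None
    for action, value in events:
        if action == "copy":
            last_copied = value
        elif action == "paste" and last_copied is not None:
            if classify_wallet(value) and value != last_copied:
                alerts.append((last_copied, value))
    return alerts


def demo():
    """Constructed scenario: the victim copies a BTC address and pastes it into a
    payment form while the stealer is active."""
    victim_btc = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"  # constructed sample address
    events = [
        ("copy", victim_btc),
        ("paste", hijack_clipboard(victim_btc)),   # what actually lands in the form
        ("copy", "meeting notes for Monday"),      # ordinary text is untouched
        ("paste", hijack_clipboard("meeting notes for Monday")),
    ]
    return {
        "pasted_matches_intended": verify_paste(victim_btc, events[1][1]),
        "alerts": detect_swaps(events),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the paste check failing and the detector raising one alert for the BTC address while the ordinary text passes through untouched, which is the property that lets the trojan sit unnoticed until a payment is made.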

However, Sophos also noted that the coin addresses it identified “hadn’t received more than a few dollars”, suggesting coin stealing was a minor part of the MyKings business. 

The crypto-mining side of the business was doing well in 2019, with Sophos estimating it made about $10,000 a month in October 2019.

