Posted on October 16, 2021 at 11:23 AM
A recent report has revealed the existence of the MyKings malware that threat actors have used to make over $24.7 million. The malware, which is still operational, uses compromised devices to mine cryptocurrencies.
Threat actors have been gaining unauthorized access to computers to access their computing power and mine cryptocurrencies. While different types of malware are used for this purpose, MyKings remains the largest botnet used to mine cryptocurrencies through compromised desktops and server CPUs.
This malware makes for a lucrative business because the threat actors who use it have racked millions worth of cryptocurrencies. As such, its popularity has increased. The malware came into the limelight in 2017 after it infected over half a million Windows computers and used these devices to mine around $2.3 million worth of Monero in a month. MyKings is also known as Hexmen or Smominru.
Malware used to mine around $24.7 Million worth of Cryptocurrencies
A recent report by Avast security stated that the threat actors behind the malware had mined more than $24.7 million worth of different cryptocurrencies using MyKings. The mined assets have been converted to Bitcoin, Ethereum and Dogecoin.
The report stated that the threat actors made the largest portion of this amount using the ‘clipboard stealer module.’ This module detects when a person has coped a cryptocurrency wallet address on their device’s clipboard. The stealer module later swaps the copied cryptocurrency address with one that the hackers control. Most people copy their wallet addresses when making or receiving payments.
The Avast team stated that it had blocked the MyKings malware from 144,000 devices since the start of 2020. The clipboard stealer module has been in use for around four years, which increases the number of people who may have been hacked using this malware.
Other cybersecurity research firms have also detected the clipboard stealer. According to the Sophos research team, the malware functions like a trojan that monitors computers to use their coin wallet formats.
The malware has become highly popular with threat actors because many people use the copy and paste method when inserting long wallet addresses to access their accounts or send them to another person who wants to send payments.
“This method relies on the practice that most (if not all) people don’t type in the long wallet IDs rather store it somewhere and use the clipboard to copy it when they need it,” Sophos stated. “Thus, when they would initiate a payment to a wallet, and copy the address to the clipboard, the Trojan quickly replaced it with the criminals’ own wallet and the payment is diverted to their account.”
However, the report by Sophos stated that the coin addresses that it linked to the MyKings malware did not receive any significant amount of dollars. This shows that the malware was not focused on stealing coins.
However, the crypto mining aspect of the malware is what seems to be performing well. The malware has been executed for mining activities since 2019, and in October 2019, the Sophos research estimated that the malware was used to make around $10,000 monthly.
MyKings diversifying to Coin Stealing
The Avast tea has now argued that the MyKings malware is not being used to steal coins, unlike before. The report states that the number of coin wallet addresses has increased from the 49 reported in the Sophos research to over 1300 coin addresses. The Avast team has stated that the number of coins stolen using the clipboard stealer code could be bigger than the Sophos research team stated.
Avast researchers also noted that this malware successfully stole coins because users who paste their wallet addresses do not expect them to be different from what they copied.
“It is easy to notice when someone forgets to copy and paste something completely different (e.g. a text instead of an account number), but it takes special attention to notice the change of a long string of random numbers and letters to a very similar looking string, such as crypto wallet addresses,” Avast stated.
The Avast research team stated that such a simple technique had enabled the threat actors to earn more than $24.7 million. “This process of swapping is done using functions OpenClipboard, EmptyClipboard, SetClipboardData and CloseClipboard.”
We highly recommend people always double-check transaction details before sending money,” Avast stated.
Some comments on users on Etherscan have also backed the research by Avast. These users have stated that they have accidentally lost funds by transferring to the wrong wallet addresses. The users stated that some of these funds were transferred to the accounts highlighted in the Avast research.