A malware botnet has made more than $24.7 million since 2019

The operators of a malware botnet known as MyKings are believed to have made more than $24.7 million through what security researchers call a "clipboard hijacker."

First spotted in 2016, the MyKings botnet has been one of the most sprawling malware operations in recent years.

Also known as the Smominru or the DarkCloud botnet, this gang operates by scanning the internet for internet-exposed Windows or Linux systems that run outdated software.

Using exploits for unpatched vulnerabilities, the MyKings gang infects these servers and then moves to move laterally inside their networks.

Reports published across the years by GuardicoreProofpointQihoo 360, VMWare's Carbon Black, and Sophos have described MyKings as one of the largest malware botnets that has been created over the past decade, with the number of infected systems sometimes easily going over more than 500,000 hacked systems.

In its first years, the botnet was primarily known for deploying a hidden Monero cryptocurrency miner on infected hosts in order to generate profits for the botnet's operators.

A January 2018 report by security firm Proofpoint estimated the group's profits at the time at around $3.6 million, based on Monero funds they found in some wallets they linked to the group.

But across the years, the MyKings group's operations and malware evolved. From a simply hack-and-mine operation, the botnet became a Swiss army knife of badness, with all sorts of modules for moving across internal networks, spreading like a worm, and carrying out various attacks.

Rise of the MyKings clipboard hijacker

In 2019, Sophos said that one of the new modules it spotted was a "clipboard hijacker" that worked by watching an infected computer's clipboard for when users copied (CTRL+C) or cut (CTRL+X) a text string that looked like a cryptocurrency address.

When the user pasted the string, Sophos said the MyKings clipboard hijacker tampered with the paste operation and replaced the user's address with one controlled by the MyKings gang.

Back in 2019, Sophos said the module wasn't that successful or widely used, "never received more than a few dollars," and that stealing cryptocurrency by hijacking the clipboard didn't look like "the most profitable operation of MyKings."

But in a report published this week, security firm Avast said that since 2019, MyKings appears to have perfected this module, which now can detect addresses for 20 different cryptocurrencies.

Avast researchers said they analyzed more than 6,700 samples of the MyKings malware and identified and extracted more than 1,300 cryptocurrency addresses used by the gang to collect funds.

In these addresses, researchers said they found more than $24.7 million in Bitcoin, Ether, and Dogecoin.

CryptocurrencyEarnings in USDEarnings in cryptocurrency
Bitcoin6,626,146.252 [$]132.212 [BTC]
Ethereum7,429,429.508 [$]2,158.402 [ETH]
Dogecoin10,652,144.070 [$]44,618,283.601 [DOGE]

"We can safely assume that this number is in reality higher, because the amount consists of money gained in only three cryptocurrencies from more than 20 in total used in malware," said Avast malware analysts Jan Rubín and Jakub Kaloč.

Some funds were linked to MyKings' past cryptocurrency mining activity, but the vast majority appears to come from the clipboard hijacker, the two said.

Avast said that since the beginning of 2020, its antivirus software detected and flagged MyKings malware attacks on more than 144,000 computers, but the number of systems attacks is likely much larger.

The new findings published this week completely change how malware analysts are now looking at this botnet. With the ability to carry out large-scale exploitation attacks, a way to profit from their operations, a large number of infected hosts, and the ability to download and run any additional payload the MyKings operators wish, the botnet has established itself as one of the most dangerous malware operations today.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Catalin Cimpanu

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.