The MyKings botnet is still alive, has extended its infrastructure, and has amassed over $24 million in Bitcoin, Ethereum, and Dogecoin wallets...
Researchers at Avast have released a report on the MyKings botnet, which is still active in the wild and continues to expand its infrastructure worldwide. The botnet was first seen in 2016 and has since been given several names by different analysts, including MyKings, Smominru, and DarkCloud. Its toolkit includes bootkits, coin miners, droppers, and clipboard stealers, among other components. According to the researchers, the MyKings operators have now accumulated more than $24 million in Bitcoin, Ethereum, and Dogecoin wallets.
Since the beginning of 2020, over 144,000 users have been targeted by the clipboard stealer module, with Russia, India, and Pakistan the most affected countries.
### Clipboard Stealer
The clipboard stealer module relies on the fact that most people do not type long wallet addresses by hand; they keep the address stored somewhere and copy it to the clipboard when they need it. When the victim copies an address to make a payment, the Trojan silently replaces the clipboard contents with an attacker-controlled address of the same currency, so the payment is diverted to the attackers.
### Monetary Gains
After examining an extended list of 1,300 coin addresses, the researchers confirmed that at least $24,700,000 worth of cryptocurrency had been transferred to them.
### Analysis
The goal is for victims not to notice that the address they paste differs from the one they copied. Although the technique is simple, it has brought in over $24 million altogether. The swap itself is carried out with the Windows clipboard API functions OpenClipboard, EmptyClipboard, SetClipboardData, and CloseClipboard: the module opens the clipboard, discards its contents, writes the replacement address, and releases the clipboard again.
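The swap decision described above, as an added example that is not Avast's code or the botnet's own logic: the script classifies clipboard text by currency with simplified address patterns (an assumption of this example; checksums are not verified), replaces a recognised address with a constructed attacker address of the same format, and then shows the two checks a practitioner would want, a quick first-and-last-characters comparison and a full equality check. The Windows clipboard is replaced by a plain string so the logic runs anywhere; all addresses are constructed for the example.

```python
import re

# Approximate address formats for the three currencies named in the report.
# Simplified patterns written for this example (no checksum verification);
# they are not the botnet's own matching logic.
WALLET_PATTERNS = {
    "btc": re.compile(r"(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{25,62})"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
    "doge": re.compile(r"D[5-9A-HJ-NP-U][a-km-zA-HJ-NP-Z1-9]{32}"),
}

# Hypothetical attacker-controlled addresses, one per currency (constructed,
# not real). Each has the correct format for its currency, which is why a
# swapped address looks entirely plausible to the victim.
ATTACKER_WALLETS = {
    "btc": "1" + "Attacker" * 4,
    "eth": "0x" + "ab" * 20,
    "doge": "D7" + "Attacker" * 4,
}

# Constructed victim addresses for the demonstration
VICTIM_WALLETS = {
    "btc": "1" + "VictimPayee" * 3,
    "eth": "0x" + "1234567890abcdef" * 2 + "12345678",
    "doge": "D8" + "VictimPayee" * 2 + "VictimPaye",
}


def classify_address(text):
    """Return the currency whose address format the clipboard text matches, or None."""
    text = text.strip()
    for currency, pattern in WALLET_PATTERNS.items():
        if pattern.fullmatch(text):
            return currency
    return None


def swap_clipboard(clipboard_text, attacker_wallets=ATTACKER_WALLETS):
    """Simulate the stealer's decision: if the clipboard holds a wallet address,
    return the attacker's address for the same currency, otherwise leave it alone.

    The real module does this against the Windows clipboard (OpenClipboard,
    EmptyClipboard, SetClipboardData, CloseClipboard); here the clipboard is
    just a string.
    """
    currency = classify_address(clipboard_text)
    if currency is None:
        return clipboard_text
    return attacker_wallets[currency]


def paste_looks_right(intended, pasted, n=4):
    """The quick manual check: compare the first and last n characters.
    A same-format swap to an unrelated address will not pass this."""
    intended, pasted = intended.strip(), pasted.strip()
    return intended[:n] == pasted[:n] and intended[-n:] == pasted[-n:]


def paste_is_exact(intended, pasted):
    """The check a wallet or payment form should make: full equality."""
    return intended.strip() == pasted.strip()


if __name__ == "__main__":
    for currency, address in VICTIM_WALLETS.items():
        pasted = swap_clipboard(address)
        print(f"{currency}: copied {address}")
        print(f"      pasted {pasted}")
        print(f"      same format: {classify_address(pasted) == currency}, "
              f"ends match: {paste_looks_right(address, pasted)}, "
              f"exact: {paste_is_exact(address, pasted)}")
```

The prefix/suffix check is only a screening step: an attacker who generates vanity addresses sharing the victim's first and last characters would defeat it, so software handling payments should compare the full string against the address it was given.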
### New techniques
The MyKings operators have also found a new monetisation technique targeting the Steam gaming platform through URL manipulation. The stealer watches the clipboard for Steam trade-offer links and replaces them with attacker-crafted URLs, so that the item trade is delivered to an account the attackers control rather than to the intended recipient.
(Figure: comments from the Steam community)
Regular expression hardcoded in the samples, as reproduced in the report: `https://steamcommunit(?!.id|.id)(([a-zA-Z0-9.-]+.[a-zA-Z]{2,4})|([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}))(/[a-zA-Z0-9%:/-_?.'~&])?*`
Exchanged link: `https://steamcommunity[.]com/tradeoffer/new/?partner=121845838&token=advSgAXy`
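The trade-offer hijack described above, as an added example that is not the botnet's code or Avast's: the script rewrites only the partner and token query parameters of a Steam trade-offer link, which keeps the result looking like the victim's own URL, and then shows the check to make before trusting such a link. It narrows the match to steamcommunity.com and the /tradeoffer/new/ path (an assumption of this example; the regex quoted above is broader). The attacker values are the partner id and token from the exchanged link quoted above; the victim link is constructed.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TRADE_HOST = "steamcommunity.com"
TRADE_PATH = "/tradeoffer/new/"

# Partner id and token from the exchanged link quoted in the article; in the
# attack these identify the account that receives the hijacked trade offer.
ATTACKER_PARTNER = "121845838"
ATTACKER_TOKEN = "advSgAXy"

# Constructed victim link (partner id and token are made up for the example)
VICTIM_PARTNER = "100000001"
VICTIM_TOKEN = "vctmTok1"
VICTIM_URL = f"https://{TRADE_HOST}{TRADE_PATH}?partner={VICTIM_PARTNER}&token={VICTIM_TOKEN}"


def is_trade_offer_url(url):
    """True for a Steam trade-offer link on steamcommunity.com."""
    parts = urlsplit(url)
    return (parts.scheme in ("http", "https")
            and (parts.hostname or "").lower() == TRADE_HOST
            and parts.path == TRADE_PATH)


def hijack_trade_url(url, partner=ATTACKER_PARTNER, token=ATTACKER_TOKEN):
    """Simulate the clipboard swap: rewrite only the partner and token
    parameters, leaving scheme, host, path and any other parameters intact."""
    if not is_trade_offer_url(url):
        return url
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if "partner" not in params or "token" not in params:
        return url
    params["partner"] = partner
    params["token"] = token
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(params), parts.fragment))


def trade_url_is_expected(url, expected_partner, expected_token):
    """The check to make before sending or accepting a trade link: the partner
    and token must be exactly the ones you generated, not merely well-formed."""
    if not is_trade_offer_url(url):
        return False
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    return (params.get("partner") == expected_partner
            and params.get("token") == expected_token)


if __name__ == "__main__":
    swapped = hijack_trade_url(VICTIM_URL)
    print("copied:", VICTIM_URL)
    print("pasted:", swapped)
    print("still the victim's link?",
          trade_url_is_expected(swapped, VICTIM_PARTNER, VICTIM_TOKEN))
```

Because the host, path and parameter names are untouched, a glance at the pasted link reveals nothing; only comparing the partner id and token against the values you generated on your own trade-offer page exposes the substitution.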
The botnet's infrastructure has grown considerably, and it appears to be expanding to other platforms. Users are strongly advised to verify the destination address and other details of a transaction before sending money, and to raise awareness of this threat.