MyKings Crypto Malware | Avast

There’s a lot of money in cryptocurrency these days. In addition to hobby traders, cryptocurrency has attracted the attention of legitimate investors and speculators. It’s also attracted the attention of cyber criminals, who use it for ransomware payments.

And there’s another, old fashioned way cyber criminals are interested in cryptocurrency: to steal it.


There are many ways to steal cryptocurrency. One way is to plant coinminer malware on victims’ machines and hijack their computing resources to mine cryptocurrency directly for the criminals. We saw this in our recent research into Crackonosh, where the malware authors bundled their coinminer into cracked versions of popular games. This was enough to earn the people behind Crackonosh over $2 million USD in Monero from more than 222,000 infected systems worldwide since June 2018.

Further reading:
Crackonosh: A new malware distributed in cracked software
Phishing scams are taking advantage of crypto hype

Another way is to attack the crypto equivalent of bank accounts: customer accounts at cryptocurrency exchanges. We saw this when attackers went after customers of Coinbase, one of the most popular exchanges out there. The attackers gained access to those customers’ accounts and then moved the funds to wallets under their own control.

And, finally, attackers can steal your cryptocurrency by compromising your system directly with malware that takes the funds. What may be most surprising is that the malware can do this by abusing one of the most ordinary features of a computer: copy and paste. It turns out that this simple trick can yield malware authors a lot of cryptocurrency.

In new research, Jakub Kaloč and Jan Rubín of the Avast Threat Labs team have found that MyKings – a botnet that’s been around since at least 2016 – hijacks the clipboard (the copy and paste function) on infected machines to redirect cryptocurrency payments to the attackers’ wallets. Our research shows the attackers’ wallets hold at least $24 million USD (and likely more) in Bitcoin, Ethereum, and Dogecoin. We can’t say that’s all stolen from…
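To make the clipboard trick concrete, here is an added illustration of how a generic “clipper” works and how a user or an endpoint tool can catch it. This is example code written for this article, not MyKings’ own code and not Avast’s analysis tooling: the address regexes are the common public formats for Bitcoin, Ethereum and Dogecoin addresses (shape only, no checksum validation), and every wallet address in it is constructed for the demo, not a real wallet and not one of the addresses attributed to MyKings.

```python
import re

# Address formats the clipper looks for. Patterns are deliberately loose
# (format only, no checksum validation), which is all a clipper needs.
ADDRESS_PATTERNS = {
    "btc": r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71}",
    "eth": r"0x[0-9a-fA-F]{40}",
    "doge": r"D[5-9A-HJ-NP-U][1-9A-HJ-NP-Za-km-z]{32}",
}

# One combined pattern; the lookarounds stop a match from starting or ending
# inside a longer alphanumeric token (e.g. a hex string embedded in a URL).
ADDRESS_RE = re.compile(
    r"(?<![0-9A-Za-z])(?:"
    + "|".join(f"(?P<{coin}>{pat})" for coin, pat in ADDRESS_PATTERNS.items())
    + r")(?![0-9A-Za-z])"
)

# Constructed sample addresses: syntactically valid shape only. They are not
# real wallets and not the addresses Avast attributes to MyKings.
VICTIM_BTC = "1ExampLeCLipperTesT23456789abcdeFGH"
VICTIM_ETH = "0x00112233445566778899aabbccddeeff00112233"
VICTIM_DOGE = "D9DogeCLipperTesT23456789abcdeFGHJ"
ATTACKER_WALLETS = {
    "btc": "1AttackerWaLLetTesT23456789abcdeFGH",
    "eth": "0xffeeddccbbaa99887766554433221100ffeeddcc",
    "doge": "D8AttackerWaLLetTesT23456789abcdeF",
}


def classify(text):
    """Return the coin whose address format the whole string matches, else None."""
    m = ADDRESS_RE.fullmatch(text)
    return m.lastgroup if m else None


def clipper_swap(clipboard_text, wallets=ATTACKER_WALLETS):
    """Simulate the clipper: every recognised address in the clipboard text is
    replaced with the attacker's address for the same coin.
    Returns (new_text, list of (coin, original, replacement))."""
    swaps = []

    def _sub(m):
        coin = m.lastgroup
        if coin not in wallets:
            return m.group(0)  # unknown coin: leave the address alone
        swaps.append((coin, m.group(0), wallets[coin]))
        return wallets[coin]

    return ADDRESS_RE.sub(_sub, clipboard_text), swaps


def paste_matches_copy(copied, pasted):
    """Defender-side check: the address that lands in the payment field must be
    byte-for-byte what the user copied. Any difference means something rewrote
    the clipboard in between."""
    return copied == pasted


def main():
    # Constructed payment note as a victim might copy it from an invoice.
    note = f"Send payment to {VICTIM_BTC} or {VICTIM_ETH} (doge: {VICTIM_DOGE})"
    tampered, swaps = clipper_swap(note)
    for coin, before, after in swaps:
        print(f"{coin}: {before} -> {after}")
    print("paste intact:", paste_matches_copy(VICTIM_BTC, tampered.split()[3]))


if __name__ == "__main__":
    main()
```

The practical takeaway for users is the last function: after pasting a wallet address, compare the whole string against the source, not just the first and last few characters, and do it every time, because the swap happens between the copy and the paste and leaves nothing visible in the original message.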