It would be trivial to capture keystrokes in the browser, or intercept traffic destined for certain sites of interest (like PayPal, for example). But even if you insist on scoffing at such possibilities, one of the effects of some variants of this malware is causing redirects to phishing sites. Are you saying that phishing is not a realistic way for hackers to make money? I'd have to disagree with that.
In any case, your entire argument boils down to a "burden of proof" logical fallacy. You make claims that this malware isn't dangerous, and then require others to prove to you that it is. You are the one making extraordinary claims - that hackers would bother to create, distribute and update malware over many months, risking lengthy prison sentences, with no financial gain - thus the burden of proof is on you, not me.