Mylobot Malware Brings New Sophistication to Botnets


tao


The malware pulls together a variety of techniques to gain a foothold and remain undiscovered.

 

Cybercriminals looking to maximize their investments are using ever more sophisticated software techniques and increasingly aggressive steps against their fellow malware authors. Those are among the conclusions by researchers at Deep Instinct about a new strain of malware found within the last two months.

 

The new malware, dubbed Mylobot, pulls together a variety of techniques to gain a foothold and remain undiscovered. Among the strategies employed are:

  • Anti-VM techniques
  • Anti-sandbox techniques
  • Anti-debugging techniques
  • Wrapping internal parts with an encrypted resource file
  • Code injection
  • Process hollowing (a technique where an attacker creates a new process in a suspended state and replaces its image with the one that is to be hidden)
  • Reflective EXE (executing EXE files directly from memory, without having them on disk) 
  • A 14-day delay before accessing its C&C servers. 

"On a daily basis we come across dozens of highly sophisticated samples, but this one is a unique collection of highly advanced techniques," says Arik Solomon, vice president of R&D at Deep Instinct. "Each of the techniques is known and used by a few malicious samples, but the combination is unique."

 

Solomon noted that Mylobot — named for a researcher's dog — is a downloader: It can be purposed to download and install any type of payload, from spambot or DDoS engine to keylogger or banking Trojan. "I think that what we see here is the productization or even industrialization of malware techniques," says Tom Nipravsky, security researcher at Deep Instinct.

 

That industrialization aspect fits with what Solomon sees as the driving force behind this new malware. "It always comes down to money," he says. And that's especially true given one of Mylobot's behaviors: It seeks out and shuts down competing botnet software.

 

"We see the capability to make sure you have no competition," Solomon says, noting that in the highly unregulated world of malware, having more infected systems at your disposal than the competition can offer might be a matter of millions of dollars.

 

Mylobot leverages several techniques to make sure no other botnet is active on a machine it infects. "Usually we see this behavior when malware tries to shut down defensive software," Solomon notes. "In this case, it's fighting against its competition."

 

Though the researchers have been looking at Mylobot for several weeks, they aren't yet ready to say who the author is. There are some clues, though, including the fact that Mylobot scans for keyboard layout of an infected machine and doesn't execute if it finds an Asian character set and layout in use. Nipravsky says this could have to do with encryption algorithms, but it might well speak to the geographical nexus of the malware.

 

The researchers say it's important to note that Mylobot was found in the wild, at a Tier 1 data communication and telecommunication equipment manufacturer, not in a proof-of-concept demonstration.

 

"It's a relatively good representative of what we see on the Dark Web where people are selling platforms for others to use," Solomon says. Customers of the botnet can rent time to download and run their own payloads, making this a very efficient use of malware technology.

 

One thing the researchers are confident about is the sophistication of the malware's authors. "This presents itself as a product that we all could be envious of," Nipravsky says. "The integration, how it operates, how it was developed by different teams around the world, the different layers all combine to create a single malicious product."

 


 

Mylobot Malware A Highly Sophisticated Botnet

 

While the Zacinlo malware has already threatened Windows users, here comes one more threat. Researchers have discovered another Windows malware that can turn a Windows PC into a hackers’ paradise. This newly discovered Mylobot malware is actually a ‘highly sophisticated botnet’ that allows hackers to take complete control of the victim’s device.

Mylobot Malware Can Turn Your PC Into A ‘Botnet’

Tom Nipravsky, a security researcher at Deep Instinct, uncovered another malware that could turn a Windows PC into a botnet. The researcher has named it ‘Mylobot’, and claims it is something ‘never seen before’.

 

According to the researcher, Mylobot malware has originated from the ‘Dark Web’. He concluded this after tracing its server that was also used by other malware from the dark web. This robust botnet incorporates a number of malicious techniques. These include anti-debugging, anti-VM, anti-sandbox, using encrypted file resources to wrap internal parts, code injection, direct execution of EXE files from memory (Reflective EXE) without having them on disk, and process-hollowing.

 

Moreover, as a botnet, it can also deliver additional payloads such as DDoS attacks, delivering banking Trojans, and keylogging.

 

In addition to all malicious techniques, Mylobot malware also exhibits a 14-day ‘hibernation’ after entering into a system so as to help it become embedded within the system. This delay in connecting with the attackers’ C&C servers enables the malware to avoid detection.

Mylobot Also Bashes Other Botnets Alongside Damaging Other Files

The malware’s first step after entering a system is to shut down the system’s security. This includes shutting down Windows Updates and Windows Defender and blocking additional Firewall ports. Later on, it scans for other EXE files in the AppData folder. This can also result in a loss of data. Nonetheless, the extent of damage depends on the intention of the hacker and the subsequent payload.

“The main functionality of the botnet enables an attacker to take complete control of the user’s system – it behaves as a gate to download additional payloads from the command and control servers. The expected damage here depends on the payload the attacker decides to distribute. It can vary from downloading and executing ransomware and banking trojans, among others.”

According to the researcher, Mylobot also bears an anti-botnet property.

“Part of this malware process is terminating and deleting instances of other malware. It checks for known folders that malware “lives” in (“Application Data” folder), and if a certain file is running – it immediately terminates it and deletes its file. It even aims for specific folders of other botnets such as DorkBot.”

The reason behind this behavior, according to the researcher, may be to win over the “competition” on the dark web. As he says in his blog,

“We estimate this rare and unique behavior is because of money purposes within the Dark web. Attackers compete against each other to have as many “zombie computers” as possible in order to increase their value when proposing services to other attackers, especially when it comes to spreading infrastructures. The more computers – the more money an attacker can make.”

According to ZDNet, the actual author(s) of this malware are yet unknown. However, the malware uses the same server which is linked to the infamous Locky ransomware, Ramdo, and DorkBot.

 

 

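Two of the behaviours described in the articles above can be turned into hunting logic: the process-hollowing sequence from the first article (create a process suspended, write a new image into it, swap the thread context, resume), and the terminate-and-delete treatment of other bots living under AppData from the second. The script below is an added example written for this thread; it is not Deep Instinct's code and does not come from either article. The API-trace line format, the sample trace, and the function names are all my own constructions for illustration, so adapt the parser to whatever your sandbox or EDR actually emits.

```python
"""Hunt for two Mylobot-style behaviours in an API-call trace.

The trace format used here is an assumption made for this example, not the
output of any real tool: one event per line, space-separated key=value
fields with no spaces inside values.
  pid=<caller pid>    api=<Win32/Nt API name>    child=<pid created>
  target=<pid the call acts on>   flags=<creation flags>   path=<file path>
"""
import re
from collections import defaultdict

# Constructed sample trace. pid 4120 hollows a suspended svchost.exe (5508),
# then terminates and deletes a competing bot under AppData. pid 7001 is a
# benign installer that only cleans up its own temp file.
SAMPLE_TRACE = """\
pid=4120 api=CreateProcessW child=5508 flags=CREATE_SUSPENDED path=C:\\Windows\\System32\\svchost.exe
pid=4120 api=NtUnmapViewOfSection target=5508
pid=4120 api=VirtualAllocEx target=5508
pid=4120 api=WriteProcessMemory target=5508
pid=4120 api=WriteProcessMemory target=5508
pid=4120 api=SetThreadContext target=5508
pid=4120 api=ResumeThread target=5508
pid=4120 api=TerminateProcess target=3312 path=C:\\Users\\bob\\AppData\\Roaming\\Updater\\bot.exe
pid=4120 api=DeleteFileW path=C:\\Users\\bob\\AppData\\Roaming\\Updater\\bot.exe
pid=7001 api=CreateProcessW child=7002 flags=0 path=C:\\Vendor\\setup.exe
pid=7001 api=WriteProcessMemory target=7002
pid=7001 api=DeleteFileW path=C:\\Users\\bob\\AppData\\Local\\Temp\\setup.tmp
"""

TOKEN = re.compile(r"(\w+)=(\S+)")

# Native and Win32 names that mean the same thing for this hunt.
ALIASES = {
    "NtSetContextThread": "SetThreadContext",
    "NtResumeThread": "ResumeThread",
    "NtWriteVirtualMemory": "WriteProcessMemory",
    "NtTerminateProcess": "TerminateProcess",
}


def parse_trace(text):
    """Turn the trace text into a list of dicts, normalising API aliases."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = dict(TOKEN.findall(line))
        ev["api"] = ALIASES.get(ev.get("api"), ev.get("api"))
        events.append(ev)
    return events


# Calls that, taken together against a process created suspended, mean its
# image was replaced before it ever ran.
HOLLOW_STEPS = {"WriteProcessMemory", "SetThreadContext", "ResumeThread"}


def find_process_hollowing(events):
    """One hit per (caller, child) where the caller created the child suspended,
    wrote into it, replaced its thread context and then resumed it. 'unmapped'
    records whether the classic NtUnmapViewOfSection step was also seen."""
    creator = {}                 # child pid -> pid that created it suspended
    seen = defaultdict(set)      # (creator, child) -> APIs called on the child
    hits = []
    for ev in events:
        api, pid = ev.get("api"), ev.get("pid")
        if api == "CreateProcessW" and "CREATE_SUSPENDED" in ev.get("flags", ""):
            creator[ev["child"]] = pid
            continue
        target = ev.get("target")
        if target is None or creator.get(target) != pid:
            continue                # not a suspended child of this caller
        key = (pid, target)
        seen[key].add(api)
        if api == "ResumeThread" and HOLLOW_STEPS <= seen[key]:
            hits.append({"caller": pid, "child": target,
                         "unmapped": "NtUnmapViewOfSection" in seen[key]})
    return hits


APPDATA = re.compile(r"\\AppData\\", re.IGNORECASE)


def find_competitor_kill(events):
    """One hit per AppData-resident executable whose process a caller first
    terminated and then deleted from disk. Legitimate updaters and uninstallers
    can trip this too, so treat it as a hunting signal, not a blocking rule."""
    killed = defaultdict(set)    # caller pid -> image paths it terminated
    hits = []
    for ev in events:
        api, pid, path = ev.get("api"), ev.get("pid"), ev.get("path", "")
        if not APPDATA.search(path):
            continue
        if api == "TerminateProcess":
            killed[pid].add(path.lower())
        elif api == "DeleteFileW" and path.lower() in killed[pid]:
            hits.append({"caller": pid, "path": path})
    return hits


if __name__ == "__main__":
    events = parse_trace(SAMPLE_TRACE)
    for hit in find_process_hollowing(events):
        print("process hollowing:", hit)
    for hit in find_competitor_kill(events):
        print("competitor kill:", hit)
```

Run as-is it reports one hollowing hit for pid 4120 against child 5508 and one competitor-kill hit for the bot.exe path; the benign installer (pid 7001) produces nothing, because its child was not created suspended and it deletes an AppData file without having terminated a process there first. The hollowing check keys on the pairing of CREATE_SUSPENDED with a context swap before the first resume, which is the part of the sequence a benign launcher does not do; a WriteProcessMemory on its own is common and not worth alerting on.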