Mylobot

A new form of malware, known as Mylobot, was recently discovered by researchers. Mylobot is a botnet that specifically targets devices running Windows. It has a variety of tools to stay undetected and can completely take over an infected device.

Mylobot, which originates from the dark web, was discovered and prevented by Deep Instinct.[1] It is powered by people on the Dark Web, although as of now the author(s) are unknown.[2] Mylobot's delivery method and origin are currently unknown but possibly connected to Dorkbot and the Locky ransomware.[3] The command-and-control (C2) servers for Mylobot first came online at the beginning of 2016. Fortunately, the Mylobot malware is not widespread.[4] Currently only devices running Windows are targeted.[5] Mylobot is a highly sophisticated botnet[6] and uses 3 layers of evasion techniques to stay undetected. When Mylobot is installed, it deactivates Windows Defender and Windows Update, blocks additional ports on the firewall, and deletes all EXE files that are running from the %APPDATA% folder.[7] Mylobot uses a variety of malicious tactics such as anti-VM, anti-sandbox and anti-debugging checks, wrapping its internal parts in an encrypted resource file, code injection, process hollowing,[8] reflective EXE loading, and a 14-day delay before contacting its C2 servers. These tactics allow Mylobot to get into a system and remain undetected.[9] Mylobot sleeps for 14 days, producing no network traffic or other malicious activity during that time. This allows Mylobot to bypass cybersecurity countermeasures such as endpoint detection and response, threat hunting and sandboxing, which typically observe a sample for far less than 14 days.[10]

Mylobot increases a victim's exposure to banking trojans, keyloggers, and DDoS attacks.[11] Once in a system, Mylobot looks for and eliminates any other malware, and specifically targets and eliminates other botnets. Mylobot does this to rid the system of competition and ensure the system is connected to only one botnet. Once the device is part of the botnet, the attacker can control it from a command center.[12] The damage that Mylobot causes can result in large amounts of data being lost, computers having to be shut down for recovery purposes, leaking of sensitive data (from an organization), and keyloggers or banking trojans being installed, which results in financial losses.[13]

Mitigation

This new malware poses a considerable threat to all devices running Windows. Mylobot's evasion tactics allow it to stay hidden and operate undetected, and it can cause more and more damage as it expands and infects more devices. There have not yet been any mitigation remedies to prevent Mylobot. Always ensure a multi-layered approach to protecting your systems in order to prevent, detect and remove threats. Employ data categorization and network segmentation. Set up an external backup strategy and practice the 3-2-1 rule to minimize or mitigate data loss. The 3-2-1 backup rule is a simple concept with three points:

  • Have THREE copies of your data
  • Keep those copies on at least TWO different media
  • Store ONE of these copies off-site
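As an added example, not taken from the report or its sources, the following PowerShell triage script checks a Windows host for the tampering described above: Windows Defender and Windows Update turned off, unexpected firewall block rules, and the state of executables under %APPDATA%. The `$baselineBlockRules` list is an assumption; fill it from a known-good host in your environment.

```powershell
# Added example: host triage for the tampering Mylobot is reported to perform.
# Run in an elevated PowerShell session on the host under investigation.
# $baselineBlockRules is a placeholder; populate it from a known-good host.
$baselineBlockRules = @()
$findings = @()

# 1. Windows Defender: service state and real-time protection.
$defender = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
if (-not $defender -or $defender.Status -ne 'Running') {
    $findings += "Windows Defender service (WinDefend) is not running"
}
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp -and (-not $mp.RealTimeProtectionEnabled -or -not $mp.AntivirusEnabled)) {
    $findings += "Defender real-time protection or antivirus engine is disabled"
}

# 2. Windows Update service (wuauserv) should not be disabled.
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if ($wu -and $wu.StartType -eq 'Disabled') {
    $findings += "Windows Update service (wuauserv) start type is Disabled"
}

# 3. Enabled firewall block rules that are not in the baseline.
$blockRules = Get-NetFirewallRule -Enabled True -Action Block -ErrorAction SilentlyContinue
foreach ($rule in $blockRules) {
    if ($baselineBlockRules -notcontains $rule.DisplayName) {
        $ports = ($rule | Get-NetFirewallPortFilter).LocalPort -join ','
        $findings += "Unexpected block rule '$($rule.DisplayName)' ($($rule.Direction), ports: $ports)"
    }
}

# 4. Inventory executables under %APPDATA%. Compare the count with an earlier
#    inventory of the same host: EXEs that have vanished match the reported
#    deletion behaviour.
$appdataExes = Get-ChildItem -Path $env:APPDATA -Recurse -Filter *.exe -File -ErrorAction SilentlyContinue
"Executables under %APPDATA%: $($appdataExes.Count)"
$appdataExes | Select-Object FullName, LastWriteTime | Format-Table -AutoSize

if ($findings.Count -eq 0) {
    "No tampering indicators found."
} else {
    "Indicators found:"
    $findings | ForEach-Object { " - $_" }
}
```

A clean result does not prove a host is uninfected, since Mylobot is reported to stay dormant for 14 days; treat the script as one layer of the multi-layered approach recommended above.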

For questions or comments regarding this report, please contact the Lab directly at 603-606-1246 or feedback@wapacklabs.com


[1] https://www.deepinstinct.com/2018/06/20/meet-mylobot-a-new-highly-sophisticated-never-seen-before-botnet-thats-out-in-the-wild/

[2] https://www.digitaltrends.com/computing/mylobot-multiple-payloads-all-in-one-botnet/

[3] https://www.zdnet.com/article/this-new-windows-malware-wants-to-add-your-pc-to-a-botnet-or-worse/

[4] https://www.digitaltrends.com/computing/mylobot-multiple-payloads-all-in-one-botnet/

[5] https://www.zdnet.com/article/this-new-windows-malware-wants-to-add-your-pc-to-a-botnet-or-worse/

[6] https://www.deepinstinct.com/2018/06/20/meet-mylobot-a-new-highly-sophisticated-never-seen-before-botnet-thats-out-in-the-wild/

[7] https://www.scmagazine.com/mylobot-exhibits-never-before-seen-evasion-techniques/article/774977/

[8] Process hollowing: where an attacker creates a new process in a suspended state and replaces its image with the one that is to be hidden.

[9] https://www.darkreading.com/vulnerabilities---threats/mylobot-malware-brings-new-sophistication-to-botnets/d/d-id/1332100

[10] https://www.gizbot.com/news/mylobot-malware-connects-user-s-windows-device-a-botnet-making-them-prone-to-attacks-051614.html

[11] https://www.zdnet.com/article/this-new-windows-malware-wants-to-add-your-pc-to-a-botnet-or-worse/

[12] https://www.gizbot.com/news/mylobot-malware-connects-user-s-windows-device-a-botnet-making-them-prone-to-attacks-051614.html

[13] https://www.deepinstinct.com/2018/06/20/meet-mylobot-a-new-highly-sophisticated-never-seen-before-botnet-thats-out-in-the-wild/
