Mylobot Malware Targets Your Windows PC For DDoS, Trojan And Keylogger Attacks
Malware remains a serious problem for computer users, and the threat posed by malicious software keeps growing. Security firm Deep Instinct recently detected a new botnet in a live environment at an unnamed client.
Deep Instinct says the botnet, dubbed Mylobot, uses three separate layers of evasion techniques before it contacts its command and control servers and downloads the final payload. According to the firm, this combination and complexity of evasion techniques had not been seen in the wild before.
Mylobot also combines several techniques: anti-VM, anti-sandbox and anti-debugging checks, wrapping internal components in an encrypted resource file, code injection, process hollowing and reflective EXE loading, plus a 14-day delay before it first contacts the command and control servers. Process hollowing lets the attacker create a new process in a suspended state and replace its in-memory image with the code that is to be hidden, so the malicious code runs under the name of the executable that was launched.
Reflective EXE loading allows executing EXE files directly from memory without ever writing them to disk. This technique in particular is why the botnet is so hard to trace: there is no file on disk for scanners or forensic tools to inspect. Mylobot also terminates and deletes instances of other malware on infected machines, searching for the specific folders that other botnets use and deleting them. Deep Instinct believes Mylobot removes competing malware so that its operators keep the infected computers, and the money they generate, for themselves.
When installed, Mylobot shuts down Windows Defender and Windows Update and blocks additional ports on the Windows Firewall. It also terminates and deletes any EXE file running from the %APPDATA% folder, which can cause data loss. The botnet's main function is to take complete control of the user's computer; how much damage follows depends on the payload the attackers decide to distribute.
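Each of the host-level changes in this paragraph (Defender and Windows Update stopped, new firewall block rules, executables deleted from %APPDATA%) leaves a Windows event behind, and several of them on one host within a short window is a far stronger signal than any one alone, since an update or a reboot stops services too. The following Python is an added example, not from the article or from Deep Instinct, that runs that correlation over a handful of constructed event lines in a simplified key=value form. The event IDs are the real ones (7036 for a Service Control Manager state change, 2004 for a Windows Firewall rule added, Sysmon 23/26 for file deletion), but the lines themselves, host names, user paths and the one-hour / three-indicator thresholds are assumptions for the demonstration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real log exports) in a simplified
# key=value form. Event IDs are the real ones: 7036 is a Service Control
# Manager state change, 2004 a Windows Firewall rule addition, 23/26 are
# Sysmon FileDelete / FileDeleteDetected. Hosts, users and paths are invented.
SAMPLE_EVENTS = [
    r'ts=2018-06-20T10:00:01 host=WS01 src="Service Control Manager" id=7036 msg="The Windows Defender Antivirus Service service entered the stopped state."',
    r'ts=2018-06-20T10:00:02 host=WS01 src="Service Control Manager" id=7036 msg="The Windows Update service entered the stopped state."',
    r'ts=2018-06-20T10:00:05 host=WS01 src="Microsoft-Windows-Windows Firewall With Advanced Security" id=2004 msg="A rule has been added to the Windows Firewall exception list." rule="Block 445" action=Block',
    r'ts=2018-06-20T10:03:10 host=WS01 src="Microsoft-Windows-Sysmon" id=23 image="C:\Windows\System32\svchost.exe" target="C:\Users\bob\AppData\Roaming\updater\update.exe"',
    r'ts=2018-06-20T10:04:00 host=WS01 src="Service Control Manager" id=7036 msg="The Print Spooler service entered the stopped state."',
    r'ts=2018-06-20T11:30:00 host=WS02 src="Service Control Manager" id=7036 msg="The Windows Update service entered the stopped state."',
    r'ts=2018-06-20T14:00:00 host=WS02 src="Microsoft-Windows-Sysmon" id=26 image="C:\Windows\explorer.exe" target="C:\Users\alice\AppData\Roaming\notes\draft.txt"',
]

TOKEN = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
STOPPED = re.compile(r"^The (.+?) service entered the stopped state\.$")
APPDATA_EXE = re.compile(r"\\AppData\\Roaming\\.+\.exe$", re.IGNORECASE)

# Service display names whose stop matches the behaviour described on the page.
WATCHED_SERVICES = {
    "Windows Defender Antivirus Service": "defender_stopped",
    "Windows Update": "windows_update_stopped",
}


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict; ts becomes datetime, id an int."""
    ev = {}
    for key, whole, quoted, bare in TOKEN.findall(line):
        ev[key] = quoted if whole.startswith('"') else bare
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["id"] = int(ev["id"])
    return ev


def classify(ev: dict):
    """Map one event to a Mylobot-style indicator name, or None."""
    src, eid = ev.get("src", ""), ev["id"]
    if src == "Service Control Manager" and eid == 7036:
        m = STOPPED.match(ev.get("msg", ""))
        return WATCHED_SERVICES.get(m.group(1)) if m else None
    if "Firewall With Advanced Security" in src and eid == 2004 and ev.get("action") == "Block":
        return "firewall_block_rule_added"
    if src == "Microsoft-Windows-Sysmon" and eid in (23, 26) and APPDATA_EXE.search(ev.get("target", "")):
        return "appdata_exe_deleted"
    return None


def correlate(lines, window=timedelta(hours=1), min_kinds=3) -> dict:
    """Alert on any host showing at least min_kinds distinct indicators inside
    one sliding window. Returns {host: sorted indicator names}."""
    per_host = {}
    for line in lines:
        ev = parse_event(line)
        kind = classify(ev)
        if kind:
            per_host.setdefault(ev["host"], []).append((ev["ts"], kind))
    alerts = {}
    for host, seq in per_host.items():
        seq.sort()
        for i, (start, _) in enumerate(seq):
            kinds = {k for t, k in seq[i:] if t - start <= window}
            if len(kinds) >= min_kinds:
                alerts[host] = sorted(kinds)
                break
    return alerts


if __name__ == "__main__":
    for host, kinds in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(kinds)}")
```

On the constructed input only WS01 alerts, with all four indicators inside a few minutes; WS02's lone Windows Update stop and its deleted text file are ignored, which is the point of requiring several distinct indicator kinds rather than matching each event on its own.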
Payloads can include ransomware and banking trojans, among others; ransomware is a common payload and has been distributed by botnets before. Deep Instinct's full examination of Mylobot is ongoing, and the firm plans to publish a research paper covering the botnet end-to-end.