Mylobot Malware A Highly Sophisticated Botnet

While the Zacinlo malware has already threatened Windows users, here comes one more threat. Researchers have discovered another Windows malware that can turn a Windows PC into a hackers’ paradise. This newly discovered Mylobot malware is actually a ‘highly sophisticated botnet’ that allows hackers to take complete control of the victim’s device.

Mylobot Malware Can Turn Your PC Into A ‘Botnet’

Tom Nipravsky, a security researcher at Deep Instinct, uncovered another malware that could turn a Windows PC into a botnet. The researcher has named it ‘Mylobot’, and claims it is something ‘never seen before’.

According to the researcher, Mylobot malware has originated from the ‘Dark Web’. He concluded this after tracing its server that was also used by other malware from the dark web. This robust botnet incorporates a number of malicious techniques. These include anti-debugging, anti-VM, anti-sandbox, using encrypted file resources to wrap internal parts, code injection, direct execution of EXE files from memory (Reflective EXE) without having them on disk, and process-hollowing.

Moreover, as a botnet, it can also deliver additional payloads such as DDoS attacks, delivering banking Trojans, and keylogging.

In addition to all malicious techniques, Mylobot malware also exhibits a 14-day ‘hibernation’ after entering into a system so as to help it become embedded within the system. This delay in connecting with attackers C&C servers enables the malware to avoid detection.

Mylobot Also Bashes Other Botnets Alongside Damaging Other Files

The malware’s first step after entering into a system remains to shut down the system’s security. This includes shutting down Windows Updates and Windows Defender and blocking additional Firewall ports. Later on, scans for other EXE files in the AppData folder. This can also result in a loss of data. Nonetheless, the extent of damage depends on the intention of the hacker and the subsequent payload.

“The main functionality of the botnet enables an attacker to take complete control of the user’s system – it behaves as a gate to download additional payloads from the command and control servers. The expected damage here depends on the payload the attacker decides to distribute. It can vary from downloading and executing ransomware and banking trojans, among others.”

According to the researcher, Mylobot also bears an anti-botnet property.

“Part of this malware process is terminating and deleting instances of other malware. It checks for known folders that malware “lives” in (“Application Data” folder), and if a certain file is running – it immediately terminates it and deletes its file. It even aims for specific folders of other botnets such as DorkBot.”

The reason behind this behavior, according to the researcher, maybe to win over the “competition” on the dark web. As he says in his blog,

“We estimate this rare and unique behavior is because of money purposes within the Dark web. Attackers compete against each other to have as many “zombie computers” as possible in order to increase their value when proposing services to other attackers, especially when it comes to spreading infrastructures. The more computers – the more money an attacker can make.”

According to ZDNet, the actual author(s) of this malware are yet unknown. However, the malware uses the same server which is linked to the infamous Locky ransomware, Ramdo, and DorkBot.

Related posts

Hard-Coded Credentials Vulnerability Found In Kubernetes Image Builder

Critical Vulnerability Patched In Jetpack WordPress Plugin

Astaroth Banking Malware Runs Actively Targets Users In Brazil