A new malware campaign is roping systems into a botnet and providing the attackers with complete control over infected victims, plus the ability to deliver additional payloads, putting the victims’ devices at risk of Trojans, keyloggers, DDoS attacks and other malicious schemes.
The malware comes equipped with three different layers of evasion techniques which have been described by the researchers at Deep Instinct who uncovered the malware as complex, rare and “never seen in the wild before”.
Dubbed Mylobot after a researcher’s pet dog, the origins of the malware and its delivery method are currently unknown, but it appears to have a connection to Locky ransomware — one of the most prolific forms of malware during last year.
The sophisticated nature of the botnet suggests that those behind it aren’t amateurs, with Mylobot incorporating various techniques to avoid detection.
They include anti-sandboxing, anti-debugging, encrypted files and reflective EXE, which is the ability to execute EXE files directly from memory without having them on the disk. The technique is not common and was only uncovered in 2016, and makes the malware ever harder to detect and trace.
On top of this, Mylobot incorporates a delaying mechanism which waits for two weeks before making contact with the attacker’s command and control servers — another means of avoiding detection.
Once installed on a system Mylobot shuts down Windows Defender and Windows Update, while also blocking additional ports on the firewall — all tactics to ensure that its malicious activity can operate without being impeded.
In addition to this, it actively targets and deletes any other instances of malware which have previously been installed on the machine, even specifically aiming for other botnets.
The thinking behind this is simple — eliminating the competition in order to ensure the attackers gain control over the largest network of infected computers to make the most profit from abusing the compromised machines as possible.
Once a computer is part of the botnet, the attacker can take complete control of the system and further payloads and instructions can be delivered from the command and control server.
“The expected damage here depends on the payload the attacker decides to distribute. It can vary from downloading and executing ransomware and banking trojans, among others,” said Nipravsky.
“This can result in loss of tremendous amount of data, the need to shut down computers for recovery purposes, which can lead to disasters in the enterprise.”
Researchers haven’t detailed what additional payloads are being downloaded, but analysis of the command and control domains related to Mylobot uncovered connections to Locky ransomware and other malware.
“According to our research, the IP of the C&C server was first seen on November 2015, and is linked to DorkBot, Locky and Ramdo,” Nipravsky said.
With the C&C having been active for two and a half years, it indicates those behind Mylobot have been active for some time — and they use tactics which suggest a well-resourced operation.
“The botnet is trying to connect to 1,404 different domains — at the time of writing this research, only one was alive. This is an indication for big resources in order to register all those domains,” said Nipravsky.
The malware isn’t widespread and it still remains unclear who the attacker behind Mylobot is, how the malware is delivered or even what their ultimate goal is — but one thing researchers have concluded from the complexity of the scheme is that it isn’t an amateur operation.
“We haven’t found any indication about who the author is, but based on the code, this is someone who knows what they’re doing,” said Nipravsky.