A new “complicated” botnet called MyloBot is on the rise packing the largest arsenal to date, targeting Windows-based PCs to steal data, shutting down networks, and more. Discovered by Deep Instinct, the underlying malware can evade detection, deliver numerous payloads, and even delete other malware discovered on target PCs.
Although Deep Instinct’s report doesn’t say how PCs obtain the malware, it sits quietly on the target PC for 14 days to avoid detection locally and from network-based scanning. After that, MyloBot shuts down Windows Defender and Windows Update, blocks specific ports in the Windows firewall, and shuts down and deletes any running application listed in the “%APPDATA%” folder.
The end result is a PC under complete control by the hacker(s), which then joins a growing network of internet-connected PCs, aka a botnet. MyloBot connects directly to the hacker’s command-and-control servers that download additional payloads depending on the current attack. Thus, MyloBot serves as a botnet-as-a-service gateway designed for any hacker with any kind of attack in exchange for the right price.
“This can result in the loss of a tremendous amount of data, the need to shut down computers for recovery purposes, which can lead to disasters in enterprises,” says Deep Instinct security researcher Nipravsky. “The fact that the botnet behaves as a gate for additional payloads, puts the enterprise in risk for leak of sensitive data as well, following the risk of keyloggers / banking trojans installations.”
To avoid detection, MyloBot uses a method called code injection where hackers can inject malicious code into legitimate Windows processes to cause havoc without being detected. Another method is called process hollowing, a method of launching a Windows process in a suspended state but replacing its data stored in memory with malicious code. MyloBot can even execute code from memory so there’s no evidence of foul play on the PC’s local storage.
Given MyloBot attempts to serve as an all-in-one botnet, it will seek out the competition on target PCs. During the installation process, it scans local folders where malware typically reside, and terminates and deletes any competing malware it finds, giving it full control of the target PC in order to grow its army of “zombie computers.”
Nipravsky says MyloBot is powered by individuals residing on the dark web: A portion of the internet where you should never traverse. That said, this all-in-one botnet that seeks out and eliminates the competition is believed to be fueled by money, as the bigger the MyloBot botnet-as-a-service grows, the more money the hackers will stuff in their pockets.
“The dark web plays a critical part in the spread of malware: Its rather simple accessibility of services and knowledge has made it easy for any attacker to gain much more abilities in minimum effort,” Nipravsky writes.
Currently the malware isn’t widespread, but its command-and-control servers came online sometime around the beginning of 2016 at the very least. The author(s) behind MyloBot is/are unknown for now, but evidence leans toward a well-resourced operation powered by someone who “knows what they’re doing.”
