Windows Malware Mylobot Adds Your PC to a Botnet

With more and more people coming online for the first time, cybercriminals looking to maximize their investments are using evermore sophisticated methods and malware to target new users. Recent reports point to a new malware which is complex enough to have evaded cybersecurity experts and enter the wild.

Dubbed Mylobot, the new malware was discovered by researchers at Deep Instinct ropes in target systems into a botnet and providing the attackers with complete control over infected victims, plus the ability to deliver additional payloads, putting the victims’ devices at risk of Trojans, keyloggers, launch large-scale DDoS attacks and other malicious schemes.

The Mylobot malware uses a variety of techniques to gain a foothold and remain undiscovered. Collectively, the malware uses the following strategies:

• Anti-VM techniques
• Anti-sandbox techniques
• Anti-debugging techniques
• Wrapping internal parts with an encrypted resource file
• Code injection
• Process hollowing (a technique where an attacker creates a new process in a suspended state and replaces its image with the one that is to be hidden)
• Reflective EXE (executing EXE files directly from memory, without having them on disk)
• A 14-day delay before accessing its C&C servers.

“The reason to do 14 days of sleep is to avoid any network and malicious activity, thus bypassing cyber security solutions like endpoint detection and response, threat hunting and sandboxing,” Tom Nipravsky, Deep Instinct security researcher.

Once installed on a system Mylobot shuts down Windows Defender and Windows Update, while also blocking additional ports on the firewall – all tactics to ensure that its malicious activity can operate without being impeded.

Additionally, it actively targets and deletes any other instances of malware which have previously been installed on the machine, even specifically aiming for other botnets. This allows it to eliminate “competition” of all kinds, and ensure that the now-infected system is a part of a single botnet only. Once a computer is part of the botnet, the attacker can take complete control of the system and further payloads and instructions can be delivered from the command and control server.

“The expected damage here depends on the payload the attacker decides to distribute. It can vary from downloading and executing ransomware and banking trojans, among others. This can result in loss of tremendous amount of data, the need to shut down computers for recovery purposes, which can lead to disasters in the enterprise.”

The malware isn’t widespread and it still remains unclear who the attacker behind Mylobot is, how the malware is delivered or even what their ultimate goal is. However, one thing that the researchers have concluded from the complexity of the scheme is that it isn’t the work of amateur cybercriminals looking to have some fun.