MyloBot, which was initially discovered in 2018, is said to include a variety of sophisticated anti-debugging capabilities and propagation strategies for entangling infected machines in a botnet, as well as for removing traces of rival malware. It used a 14-day delay before contacting its command-and-control servers, along with the ability to run malicious programmes directly from memory, to avoid detection and stay under the radar.
- Anti-VM strategies
- Anti-sandboxing tactics
- Anti-debugging strategies
- Internal portions are encased in an encrypted resource file.
- Injection of code
- Process hollowing, a technique in which an attacker creates a new process in a suspended state, then replaces the code in that process with malicious code so that it goes unnoticed.
- Reflective EXE, which allows EXE files to be run directly from memory rather than from disk.
Minerva Labs researcher Natalie Zargarov stated, “The second stage executable then creates a new subdirectory under C:\ProgramData. It looks for svchost.exe in a system directory and suspends its execution. It injects itself into the created svchost.exe process via an APC injection mechanism.”
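A detection-side sketch of the behaviour in the quote above, added here and not taken from Minerva Labs or the original article: it flags svchost.exe launches whose parent, path or command line does not match a normal service host. The event records (Sysmon-style Event ID 1 field names), the paths in them and the reason labels are assumptions constructed for illustration.

```python
import ntpath

# Constructed Sysmon-style process-creation records (Event ID 1 field names).
# All paths and command lines below are made up for illustration.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\ProgramData\example-subdir\stage2.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"svchost.exe -k netsvcs"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
EXPECTED_PARENT = r"c:\windows\system32\services.exe"


def svchost_findings(event):
    """Return the reasons a svchost.exe launch looks like an injection host."""
    image = ntpath.normpath(event["Image"]).lower()
    parent = ntpath.normpath(event["ParentImage"]).lower()
    if ntpath.basename(image) != "svchost.exe":
        return []
    reasons = []
    # A genuine binary in a system directory can still be a hollowing target,
    # so the image path is only one of several signals.
    if ntpath.dirname(image) not in SYSTEM_DIRS:
        reasons.append("image-outside-system-dir")
    if parent != EXPECTED_PARENT:
        reasons.append("parent-not-services")
    if parent.startswith("c:\\programdata\\"):
        reasons.append("parent-under-programdata")
    # Service hosts are started with "-k <group>"; a bare launch is unusual.
    if " -k " not in event["CommandLine"].lower() + " ":
        reasons.append("no-service-group-arg")
    return reasons


def triage(events):
    """Map event index -> reasons, keeping only events with findings."""
    return {i: r for i, e in enumerate(events) if (r := svchost_findings(e))}
```

The second constructed record matches the pattern in the quote: the image path is legitimate, so only the parent and command-line checks catch it.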
In the second stage of the infection, the malware gains a foothold on the compromised host and uses it as a stepping stone to establish communications with a remote server in order to fetch and execute a payload, which then decodes and runs the final-stage malware.
This malware is designed to take advantage of the endpoint to send extortion messages referencing the recipients’ online activities, such as accessing porn sites, and threatening to release a video reportedly recorded by breaking into their computers’ webcams.
Finally, the researchers concluded: “This threat actor went to great lengths to deliver the malware and keep it undetected, just to deploy it as an extortion mail sender. Botnets are harmful precisely because of this yet-to-be-identified threat. It may just as easily infect all affected endpoints with ransomware, malware, worms or other dangers.”