MyloBot Uses Sophisticated Evasion and Attack Techniques, Deletes Other Malware

Security researchers found a new malware called MyloBot (detected by Trend Micro as TSPY_MYLOBOT.A) that features sophisticated evasion, infection, and propagation techniques, implying that the authors have the experience and heavy infrastructure behind them. Discovered in the systems of an undisclosed Tier 1 data and telecommunications equipment company, the researchers observed MyloBot’s behaviors include process hollowing, reflective EXE, code injection, ransomware payload, and data theft. As it ropes in infected machines into a botnet, this new malware also removes all other malware from the system and inflicts extensive system damage.

[Roundup: The Paradox of Cyberthreats]

While the researchers have yet to identify the source of infection and authorship, the malware has keyboard layout scan techniques that allow it to stop the attack routine if it finds a particular Asian character setup. Further, MyloBot’s evasion techniques include:

  • Anti-VM capabilities
  • Anti-sandbox capabilities
  • Anti-debugging capabilities
  • Reflective EXE, an uncommon technique that runs EXE files from memory and not on disk
  • Process hollowing
  • Code injection
  • Delay of 14 days to command and control (C&C) communication for evasion, such as threat hunting, sandboxing and endpoint detection

[Read: What are the bad guys after and how do I stop them?]

The malware allows the attackers to gain full control of the infected machine, enabling them to add payloads for other purposes such as banking Trojans, keyloggers, and distributed denial of service (DDoS) use.

MyloBot shuts down Windows Defender and Windows Update upon installation and blocks the firewall for unimpeded deployment and communication with the C&C. The researchers also connected the programming patterns to Dorkbot and Locky, as the malware authors may have been in discussion with previous attackers or even underground sellers. This connection was reinforced when the C&C server was traced to the dark web and found to have been used in earlier malware attacks.

One of MyloBot’s phases also shuts down and deletes any existing malware in the system, scanning for specific target folders and running files in the %APPDATA% folder. The researchers regard this distinct behavior as a reaction to the growing field of competing threat actors, making sure that the malware authors profit the most from the victims.

[Read: KOVTER: An evolving malware gone fileless]

No longer just working against cybersecurity companies but also competing against fellow cybercriminals, threats like this will continue to require a more advanced, proactive technological response against digital extortion. Here are a few recommendations to protect your enterprise systems and assets:

  • Ensure a multi-layered approach and protection for your systems to prevent, detect and remove threats from the gateway to the endpoints.
  • Regularly back up your files. Practice the 3-2-1 system to minimize or mitigate data loss.
  • Employ data categorization and network segmentation.

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.