Security researchers found a new malware called MyloBot (detected by Trend Micro as TSPY_MYLOBOT.A) that features sophisticated evasion, infection, and propagation techniques, implying that the authors have the experience and heavy infrastructure behind them. Discovered in the systems of an undisclosed Tier 1 data and telecommunications equipment company, the researchers observed MyloBot’s behaviors include process hollowing, reflective EXE, code injection, ransomware payload, and data theft. As it ropes in infected machines into a botnet, this new malware also removes all other malware from the system and inflicts extensive system damage.
While the researchers have yet to identify the source of infection and authorship, the malware has keyboard layout scan techniques that allow it to stop the attack routine if it finds a particular Asian character setup. Further, MyloBot’s evasion techniques include:
The malware allows the attackers to gain full control of the infected machine, enabling them to add payloads for other purposes such as banking Trojans, keyloggers, and distributed denial of service (DDoS) use.
MyloBot shuts down Windows Defender and Windows Update upon installation and blocks the firewall for unimpeded deployment and communication with the C&C. The researchers also connected the programming patterns to Dorkbot and Locky, as the malware authors may have been in discussion with previous attackers or even underground sellers. This connection was reinforced when the C&C server was traced to the dark web and found to have been used in earlier malware attacks.
One of MyloBot’s phases also shuts down and deletes any existing malware in the system, scanning for specific target folders and running files in the %APPDATA% folder. The researchers regard this distinct behavior as a reaction to the growing field of competing threat actors, making sure that the malware authors profit the most from the victims.
No longer just working against cybersecurity companies but also competing against fellow cybercriminals, threats like this will continue to require a more advanced, proactive technological response against digital extortion. Here are a few recommendations to protect your enterprise systems and assets:
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.