Security researchers found a new malware called MyloBot (detected by Trend Micro as TSPY_MYLOBOT.A) that features sophisticated evasion, infection, and propagation techniques, implying that the authors have the experience and heavy infrastructure behind them. Discovered in the systems of an undisclosed Tier 1 data and telecommunications equipment company, the researchers observed MyloBot’s behaviors include process hollowing, reflective EXE, code injection, ransomware payload, and data theft. As it ropes in infected machines into a botnet, this new malware also removes all other malware from the system and inflicts extensive system damage.
While the researchers have yet to identify the source of infection and authorship, the malware has keyboard layout scan techniques that allow it to stop the attack routine if it finds a particular Asian character setup. Further, MyloBot’s evasion techniques include:
Reflective EXE, an uncommon technique that runs EXE files from memory and not on disk
Delay of 14 days to command and control (C&C) communication for evasion, such as threat hunting, sandboxing and endpoint detection
The malware allows the attackers to gain full control of the infected machine, enabling them to add payloads for other purposes such as banking Trojans, keyloggers, and distributed denial of service (DDoS) use.
MyloBot shuts down Windows Defender and Windows Update upon installation and blocks the firewall for unimpeded deployment and communication with the C&C. The researchers also connected the programming patterns to Dorkbot and Locky, as the malware authors may have been in discussion with previous attackers or even underground sellers. This connection was reinforced when the C&C server was traced to the dark web and found to have been used in earlier malware attacks.
One of MyloBot’s phases also shuts down and deletes any existing malware in the system, scanning for specific target folders and running files in the %APPDATA% folder. The researchers regard this distinct behavior as a reaction to the growing field of competing threat actors, making sure that the malware authors profit the most from the victims.