Security researchers from Deep Instinct have discovered a new strain of sophisticated malware dubbed “Mylobot” that targets Windows systems in the wild.
“This tool presents three different layers of evasion techniques, including usage of command and control servers to download the final payload. The combination and complexity of these techniques were never seen in the wild before,” says Tom Nipravsky, Security Researcher from Deep Instinct.
Deep Instinct provided a summary of different malicious techniques used by the botnet:
- Anti VM techniques
- Anti-sandbox techniques
- Anti-debugging techniques
- Wrapping internal parts with an encrypted resource file
- Code injection
- Process hollowing – a technique where an attacker creates a new process in a suspended state, and replaces its image with the one that is to be hidden
- Reflective EXE – executing EXE files directly from memory, without having them on disk. This kind of reflection is not very common and was first published by Deep Instinct at Black Hat USA 2016
- A delay mechanism that waits 14 days before the bot contacts its command and control servers
The potential damage inflicted by the malware was also described in the blog post:
“Once installed, the botnet shuts down Windows Defender and Windows Update while blocking additional ports on the Firewall. It also shuts down and deletes any EXE file running from the %APPDATA% folder, which can cause loss of data. The main functionality of the botnet enables an attacker to take complete control of the user’s system – it behaves as a gate to download additional payloads from the command and control servers,” Nipravsky said.
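A host triage for the symptoms quoted above (Defender and Windows Update stopped, extra firewall block rules, executables running from %APPDATA%), written here as an added example rather than code from Deep Instinct's post. It assumes an elevated Windows PowerShell 5.1 session on a host with the NetSecurity and Defender modules; the "block rule with no Group" check is a heuristic I chose, not something the post describes.

```powershell
# Added triage script (not Deep Instinct's code). Flags the host-level symptoms the
# post attributes to Mylobot. Run from an elevated PowerShell prompt.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Services the post says the bot shuts down: Defender (WinDefend), Windows Update (wuauserv)
foreach ($name in 'WinDefend', 'wuauserv') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { $findings.Add("service $name is missing"); continue }
    if ($svc.Status -ne 'Running' -or $svc.StartType -eq 'Disabled') {
        $findings.Add("service $name is $($svc.Status) (start type $($svc.StartType))")
    }
}
$mp = Get-MpPreference -ErrorAction SilentlyContinue
if ($mp -and $mp.DisableRealtimeMonitoring) {
    $findings.Add('Defender real-time monitoring is disabled')
}

# 2. Enabled Block rules that carry no Group. Heuristic (my assumption): built-in and
#    GPO-delivered rules have a Group, while rules added ad hoc (e.g. via netsh) usually do not.
Get-NetFirewallRule -Action Block -Enabled True -ErrorAction SilentlyContinue |
    Where-Object { [string]::IsNullOrEmpty($_.Group) } |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $findings.Add("block rule '$($_.DisplayName)' $($_.Direction) " +
                      "$($port.Protocol) local=$($port.LocalPort) remote=$($port.RemotePort)")
    }

# 3. Processes whose image lives under %APPDATA%, the folder the post says the bot purges
$appdata = [Environment]::GetFolderPath('ApplicationData')
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path.StartsWith($appdata, [StringComparison]::OrdinalIgnoreCase) } |
    ForEach-Object { $findings.Add("process $($_.ProcessName) (PID $($_.Id)) runs from $($_.Path)") }

if ($findings.Count -eq 0) {
    'no Mylobot-style symptoms found (the post notes a 14-day C2 delay, so baseline and rerun)'
} else {
    $findings
}
```

Record a clean baseline of the firewall and %APPDATA% results on a known-good host first, since some legitimate installers also place executables under %APPDATA%.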