Evasive MyloBot botnet can take over enterprise devices to steal data, spread ransomware

A new, extremely evasive botnet has been discovered that makes unusual use of command and control servers and can completely take over an enterprise device to execute any code its operators wish, from ransomware to trojans to data extraction, according to researchers at endpoint and mobile security firm Deep Instinct.

The malware, which is complex in nature and has the potential to cause extreme damage to enterprises by spreading ransomware and stealing data, is also evidence of how hackers are using dark markets to spread malicious software and carry out other types of cyber crime, Tom Nipravsky, Deep Instinct security researcher, said in a blog post revealing the botnet, called MyloBot.

About two and a half months ago, Deep Instinct researchers discovered the botnet on one of their client’s devices, which they didn’t identify specifically but said is from a “top data communication and telecommunication equipment manufacturer.”

“This tool presents three layers of evasion techniques, which were never seen before, including usage of command and control servers to download the final payload,” Arik Solomon, vice president of research and development at Deep Instinct, told Security Ledger. “It’s possible that it’s active elsewhere both in the U.S. and globally.”

Researchers have been tracking MyloBot since its discovery but as yet aren’t sure of the authors or where the malware originated, he said.

Once installed, the botnet shuts down Windows Defender and blocks additional ports on the firewall, researchers said. It also shuts down and deletes any EXE file running from the %APPDATA% folder, which can cause loss of data.
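As an added illustration, not code from Deep Instinct or from the article, the routine below correlates the three post-install behaviours just described (Defender stopped, firewall block rules added, executables deleted under %APPDATA%) per process over constructed endpoint events; the event schema, process names and paths are assumptions.

```python
"""Behavioural triage for the post-install actions attributed to MyloBot.

Constructed example: each record is a simplified endpoint event with a
source process id, an action and a target. A process is flagged only when
it shows more than one of the three behaviours, so a lone Defender stop
(an administrator, a benign installer) does not fire on its own.
"""
from collections import defaultdict
import re

# Constructed sample events (not real telemetry). pid 4120 shows all
# three behaviours; pids 880 and 2300 are ordinary activity.
EVENTS = [
    {"pid": 4120, "action": "service_stop", "target": "WinDefend"},
    {"pid": 4120, "action": "firewall_rule_add", "target": "Block In TCP 445"},
    {"pid": 4120, "action": "file_delete",
     "target": r"C:\Users\alice\AppData\Roaming\Update\helper.exe"},
    {"pid": 880, "action": "service_stop", "target": "Spooler"},
    {"pid": 2300, "action": "file_delete",
     "target": r"C:\Users\alice\AppData\Roaming\App\cache.tmp"},
]

# An executable anywhere beneath an AppData directory.
APPDATA_EXE = re.compile(r"\\AppData\\.*\.exe$", re.IGNORECASE)


def classify(event):
    """Map one event to a behaviour tag, or None if it is not of interest."""
    action, target = event["action"], event["target"]
    if action == "service_stop" and target.lower() == "windefend":
        return "defender_stopped"
    if action == "firewall_rule_add" and target.lower().startswith("block"):
        return "firewall_block_added"
    if action == "file_delete" and APPDATA_EXE.search(target):
        return "appdata_exe_deleted"
    return None


def suspicious_processes(events, min_behaviours=2):
    """Return {pid: sorted tags} for processes with >= min_behaviours distinct tags."""
    seen = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag:
            seen[ev["pid"]].add(tag)
    return {pid: sorted(tags) for pid, tags in seen.items()
            if len(tags) >= min_behaviours}


if __name__ == "__main__":
    for pid, tags in suspicious_processes(EVENTS).items():
        print(f"pid {pid}: {', '.join(tags)}")
```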

“The malware has all characteristics of a botnet,” Solomon said. “It has extreme persistency when it comes to how it loads when the computer starts, and it also has the mechanism to kill all other malware running on a computer. If another botnet is running, this malware will kill it, giving it exclusive execution on the computer.”

Complete system control

MyloBot appears to be highly sophisticated, incorporating a number of techniques, including anti-virtual-machine, anti-sandbox and anti-debugging checks, wrapping internal parts in an encrypted resource file, code injection, and process hollowing. It also uses reflective EXE loading, which means it can execute EXE files directly from memory without writing them to disk, researchers said.

One glimmer of good news, which could allow security administrators to detect the botnet early, is that the initial installation only creates a file on the computer; the malware then waits 14 days before connecting to a command and control server and carrying out any malicious activity or downloading payloads, Solomon told us.

Still, MyloBot is particularly dangerous for a couple of reasons. For one, its main functionality allows an attacker to take complete control of a user’s system, acting as a gateway to download additional payloads from the command and control servers.

Once an attacker gets onto a system, he can, for example, download and execute ransomware and banking trojans, resulting in extreme data loss as well as the need to shut down computers for recovery purposes. Needless to say, these can spell disaster and result in significant damage for enterprises.

Perhaps even more troubling is how uniquely evasive MyloBot is, researchers said. One feature allowing for this is that everything takes place in memory, with the main business logic of the botnet executed in an external process via code injection, which makes it even harder to detect and trace, they said.

Moreover, when tracing the command and control server, researchers discovered that it is linked to other malware as well, using the same servers, they said. “This is a big indication for common spreading infrastructure, which is common in the dark web,” Nipravsky said in his post.

Dark web and its facilitation of malware

Indeed, the so-called dark web, the part of the World Wide Web that is only accessible by means of special software, is becoming increasingly critical as a means to spread malware away from the watchful eye of authorities and security experts, and is integral in particular to the potential success of the botnet they discovered, according to Deep Instinct researchers.

“Its rather simple accessibility of services and knowledge has made it easy for any average attacker to gain much more abilities in minimum effort,” Nipravsky said. “The first example for this, is the shared knowledge in forums: In the dark web, attackers trade methods and techniques in underground forums, thus exposing knowledge to additional malware developers.”

The dark web also is being used as a marketplace for malware, allowing bad actors to access a covert online market and purchase nefarious software. Malware on these markets is priced according to the complexity of the software being sold, researchers said.

“Prices vary, from simple malware that costs several dollars to malware sold at hundreds of dollars as ‘fully undetectable,’” Nipravsky said.

Malware isn’t the only thing developers can purchase on these markets, which act as a black market of sorts for cyber and other types of criminals. They also can buy services that assist in the infection process, as well as access to exploit kits, traffic of tens of thousands of users to a web page, or even full ransomware-as-a-service, including a custom-made ransom note, researchers said.

Law-enforcement authorities and government agencies are onto dark markets, however, and have had some success shuttering them. About a year ago, the Justice Department shut down AlphaBay, which at that time the department said was “the largest criminal marketplace on the internet.” The shutdown occurred about two weeks after the market went offline.

AlphaBay was used not only to sell malware and computer-hacking tools, but also to sell a wide range of contraband to a customer base of some 200,000 individuals worldwide, the DoJ said at the time. Products like illegal drugs, stolen and fraudulent identification documents and access devices, counterfeit goods, firearms and toxic chemicals also were available for sale on AlphaBay.