Mylobot malware comes with rare complexity, dangerous bag of tricks and techniques

A new, dangerous malware has been discovered that ensnares systems into a botnet and comes with a rare level of complexity and a swathe of dangerous features. Researchers at Deep Instinct have described the botnet, dubbed Mylobot, as complex and "never seen in the wild before."

The malware comes with three different layers of evasion techniques, including the use of command and control (C2) servers to download the final payload. It also features various malicious capabilities including anti-sandbox, anti-debugging and anti-VM techniques, wrapping internal parts with an encrypted resource file, code injection, process-hollowing, reflective EXE and a delaying mechanism of 14 days before it accesses its C&C servers.

"The fact that everything takes place in memory (while executing the main business logic of the botnet in an external process using code injection) makes it even harder to detect and trace," Deep Instinct researchers said in a blog post. "When we traced the command and control server, we revealed that it was used by other malware campaigns as well which originated from the dark web."

The malware can hunt for, terminate and delete instances of other malware, specifically aiming for folders of other botnets within an infected system such as DorkBot. This behaviour highlights the raging competition and battle among cybercriminals for target systems and users as the scope of potentially vulnerable devices continues to expand.

"We estimate this rare and unique behavior is because of money purposes within the Dark web," researchers said. "Attackers compete against each other to have as many 'zombie computers' as possible in order to increase their value when proposing services to other attackers, especially when it comes to spreading infrastructures. The more computers – the more money an attacker can make."

While Mylobot's main functionality allows the attackers to gain complete control of the user's system, it can also be used to download any additional, malicious payloads. These may include cryptomining malware, ransomware, keyloggers, banking trojans, spyware or more. It could also be used to launch DDoS attacks as well.

Researchers have not specified what additional payloads are currently being downloaded by Mylobot. However, the IP of the C&C server was first spotted in November 2015 and is linked to Locky, DorkBot and Redyms/Ramdo.

It is still unclear who is behind the complex botnet, how the malware is currently being delivered and what the attackers' main goals are. However, its sheer level of sophistication and complexity seems to suggest its creators are not amateurs.

“We expect this rare and unique behavior is because of money purposes within the Dark Web. The author of this botnet knows what they’re doing and it is not an amateur operation," Deep Instinct security researcher Tom Nipravsky told Threatpost. "No indication yet of who the author is.

“When it comes to resources ,we see that the botnet is trying to connect to 1404 different domains (in the time of writing this research, only one was alive). This is an indication for big resources in order to register all those domains.”