Botnet attacks are one of the most prominent methods of cybercrime in the current threat landscape. Their power, attack range, ease of use, and level of customization make them a tantalizing tool for black hats globally. Some botnets are stronger and more complex than others, but generally speaking, InfoSec professionals are able to develop defensive measures to counter their effects (at least to a certain degree). The stronger and more complex botnets, however, can prove to be a headache for researchers and IT divisions. Recent research from Tom Nipravsky, a security researcher for Deep Instinct, brings this reality home to the InfoSec community. In his report, Nipravsky lays out an extensive analysis of the MyloBot botnet, which he touts as exhibiting “rare and unique behavior” while simultaneously warning that it has already been found in the wild.
MyloBot demonstrates an impressive array of abilities including the following:
- Anti-VM techniques
- Anti-sandbox techniques
- Anti-debugging techniques
- Wrapping internal parts with an encrypted resource file
- Code injection
- Process hollowing
- Reflective EXE
- Ability to delay transfer of data 14 days before accessing its command and control servers.
The primary function of the MyloBot botnet appears to be taking total control of a victim’s machine. The research post indicates that “it behaves as a gate to download additional payloads from the command-and-control servers.” These payloads include ransomware, banking Trojans, cryptomining malware, and other destructive forms of malware. This would indicate that the motives behind MyloBot are monetary, but of course with full access to a machine anything is possible and all motivations should be considered.
What makes the MyloBot botnet difficult to defend against is that its core processes take place in memory, which makes it, in the words of Tom Nipravsky, “even harder to detect and trace.” Additionally, the “three different layers of evasion techniques” are utilized in such a way that makes it one of the most complex botnets to date. The botnet most likely comes, as with the vast majority of botnets, from the Dark Web. One indicator of this is that MyloBot actively seeks out folders for traces of other botnets to boot them out (i.e. delete any malware associated with them). This shows a certain competitiveness that is coming to a head in the black hat community, where botnets are trying to gain more space. This makes sense, as more space (i.e. more customers purchasing DDoS as a Service) equals more profit for the criminals behind the operation.
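Two of the behaviours listed above, process hollowing and the 14-day delay before the first contact with the command-and-control servers, leave traces in endpoint telemetry even when the payload itself only ever lives in memory. The following Python is an added example written for this article; it is not code from Deep Instinct or from the MyloBot report. The event records are constructed here, and their field names (`process_create`, `remote_write`, `set_thread_context`, `thread_resume`, `network_connect`) are an assumption loosely modelled on Sysmon-style telemetry rather than any real product schema. The first detector looks for the classic hollowing sequence (a process created suspended, then written to, re-pointed and resumed by another process); the second flags a process whose first outbound connection comes long after it started.

```python
"""Toy detectors for two behaviours named in the article: a process-hollowing
sequence and a long-delayed first outbound connection.  Event records are
constructed below; the field names are an assumption, not a product schema."""
from collections import defaultdict

DAY = 86400  # seconds

# Constructed telemetry (not from the report).  Timestamps are epoch seconds.
SAMPLE_EVENTS = [
    # pid 3000 (a dropper) creates svchost.exe suspended, writes a large blob
    # into it, rewrites its thread context, then resumes it.
    {"ts": 1_000, "event": "process_create", "pid": 4100, "ppid": 3000,
     "image": r"C:\Windows\System32\svchost.exe", "flags": ["CREATE_SUSPENDED"]},
    {"ts": 1_001, "event": "remote_write", "pid": 3000, "target_pid": 4100, "size": 196_608},
    {"ts": 1_002, "event": "set_thread_context", "pid": 3000, "target_pid": 4100},
    {"ts": 1_003, "event": "thread_resume", "pid": 3000, "target_pid": 4100},
    # pid 4100 then stays quiet for 15 days before its first outbound connection.
    {"ts": 1_000 + 15 * DAY, "event": "network_connect", "pid": 4100, "dst": "203.0.113.10:443"},
    # Benign: explorer starts notepad normally and it talks out within a minute.
    {"ts": 2_000, "event": "process_create", "pid": 4200, "ppid": 1200,
     "image": r"C:\Windows\System32\notepad.exe", "flags": []},
    {"ts": 2_050, "event": "network_connect", "pid": 4200, "dst": "198.51.100.7:80"},
]

HOLLOW_STEPS = ("remote_write", "set_thread_context", "thread_resume")


def detect_hollowing(events, window=300):
    """Flag a process that was created suspended and then, within `window`
    seconds, received a remote write, a thread-context change and a resume
    from a different process.  Returns one dict per suspected victim."""
    suspended = {}            # victim pid -> (create ts, image path)
    seen = defaultdict(set)   # victim pid -> hollowing steps observed so far
    actor = {}                # victim pid -> pid that performed the steps
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "process_create" and "CREATE_SUSPENDED" in ev["flags"]:
            suspended[ev["pid"]] = (ev["ts"], ev["image"])
            continue
        tgt = ev.get("target_pid")
        if tgt in suspended and ev["event"] in HOLLOW_STEPS and ev["pid"] != tgt:
            created, image = suspended[tgt]
            if ev["ts"] - created <= window:
                seen[tgt].add(ev["event"])
                actor[tgt] = ev["pid"]
            if seen[tgt] == set(HOLLOW_STEPS):
                alerts.append({"victim_pid": tgt, "image": image, "actor_pid": actor[tgt]})
                del suspended[tgt]  # one alert per victim process
    return alerts


def detect_delayed_beacon(events, min_delay=14 * DAY):
    """Flag processes whose first outbound connection happens at least
    `min_delay` seconds after the process was created."""
    created = {}    # pid -> create ts
    first_net = {}  # pid -> (ts, destination) of the first connection
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "process_create":
            created[ev["pid"]] = ev["ts"]
        elif ev["event"] == "network_connect" and ev["pid"] not in first_net:
            first_net[ev["pid"]] = (ev["ts"], ev["dst"])
    return [
        {"pid": pid, "delay_days": (ts - created[pid]) / DAY, "dst": dst}
        for pid, (ts, dst) in first_net.items()
        if pid in created and ts - created[pid] >= min_delay
    ]


if __name__ == "__main__":
    for a in detect_hollowing(SAMPLE_EVENTS):
        print("hollowing:", a)
    for a in detect_delayed_beacon(SAMPLE_EVENTS):
        print("delayed beacon:", a)
```

Both detectors deliberately key on behaviour rather than on file hashes, since an in-memory payload gives a hash-based scanner nothing to match. In practice the hollowing rule needs an allow-list for legitimate tools that create suspended processes and write into them (debuggers, some installers), and the dormancy rule is only useful alongside process-creation history that survives the full waiting period.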
MyloBot is the new kid on the block, but it already seems primed and ready to lay waste to anything in its path.
Featured image: Flickr / Book Catalog