MyloBot’s latest version has been used to plant malicious payloads, and the payloads are being used to send sextortion emails. The emails demand $2,732 in digital currency from the recipients.
MyloBot, first identified in 2018, has a wide range of anti-debugging capabilities and spreading methods used to plant a botnet in targeted systems. It also eliminates remnants of competing malware from the system.
MyloBot avoids detection by staying low: it waits for 14 days before accessing its command-and-control servers and executing malicious binaries from memory.
MyloBot injects attack code into a suspended and hollowed process to defeat process-based defences. This technique is known as process hollowing: the memory assigned to the running process is unmapped and replaced with the arbitrary code to be executed.
“The second stage executable then creates a new folder under C:\ProgramData,” Minerva Labs researcher Natalie Zargarov said in a report. “It looks for svchost.exe under a system directory and executes it in the suspended state. Using an APC injection technique, it injects itself into the spawned svchost.exe process.”
APC injection, like process hollowing, enables the insertion of malicious code into an existing victim process, in this case through the asynchronous procedure call (APC) queue.
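The svchost.exe launch pattern described above (a second-stage binary under C:\ProgramData starting svchost.exe itself, rather than services.exe doing so) is something process-creation telemetry can surface. The following is an added example, not code from the Minerva Labs report; the record format, the field names and the sample events are constructed, and the list of expected svchost.exe parents is an assumption to tune per environment.

```python
from typing import Dict, List, Optional, Tuple

# Parents that legitimately start svchost.exe on a stock Windows host
# (assumption: extend with your environment's own service hosts).
EXPECTED_SVCHOST_PARENTS = {"c:\\windows\\system32\\services.exe"}

def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'Key=Value|Key=Value' record (constructed format, Sysmon-like field names)."""
    return dict(part.split("=", 1) for part in line.strip().split("|"))

def classify(ev: Dict[str, str]) -> Optional[str]:
    """Return a reason when the event looks like a hollowed/injected svchost.exe, else None."""
    image = ev["Image"].lower()
    parent = ev["ParentImage"].lower()
    cmdline = ev.get("CommandLine", "").lower()
    if not image.endswith("\\svchost.exe"):
        return None
    if parent in EXPECTED_SVCHOST_PARENTS:
        return None
    # The report's stage-2 binary lives under C:\ProgramData and spawns svchost.exe itself.
    if parent.startswith("c:\\programdata\\"):
        return "svchost.exe spawned from C:\\ProgramData"
    # Service-hosting instances carry a '-k <group>' argument; a bare command line
    # suggests the process exists only to host injected code.
    if " -k " not in f" {cmdline} ":
        return "svchost.exe launched without a -k service group"
    return "svchost.exe with unexpected parent"

def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (index, reason) for every record that classify() flags."""
    hits = []
    for idx, line in enumerate(lines):
        reason = classify(parse_event(line))
        if reason:
            hits.append((idx, reason))
    return hits

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    "Image=C:\\Windows\\System32\\svchost.exe|ParentImage=C:\\Windows\\System32\\services.exe"
    "|CommandLine=C:\\Windows\\System32\\svchost.exe -k netsvcs -p",
    "Image=C:\\Windows\\System32\\svchost.exe|ParentImage=C:\\ProgramData\\stage_dir\\stage2.exe"
    "|CommandLine=C:\\Windows\\System32\\svchost.exe",
    "Image=C:\\Windows\\System32\\svchost.exe|ParentImage=C:\\Users\\u\\Downloads\\tool.exe"
    "|CommandLine=C:\\Windows\\System32\\svchost.exe",
    "Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=notepad.exe",
]
```

Running `scan(SAMPLE_EVENTS)` flags the ProgramData-spawned instance and the bare svchost.exe started from a user's Downloads folder, while the services.exe-spawned instance and the unrelated notepad.exe event pass.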
The attack’s next stage establishes persistence on the target system, which the malware does by communicating with a remote server to obtain and execute a payload. The payload decodes and runs the final-stage malware.
This malware is designed to abuse the endpoint to send extortion messages that allude to the recipients’ online behaviour, such as visiting pornography sites, and threaten to leak a video allegedly recorded by breaking into their computers’ webcams.
“This threat actor went through a lot of trouble to drop the malware and keep it undetected, only to use it as an extortion mail sender,” Zargarov said. “Botnets are dangerous exactly because of this unknown upcoming threat. It could just as easily drop and execute ransomware, spyware, worms, or other threats on all infected endpoints.”