A highly sophisticated never-before-seen botnet was recently discovered using three different layers of evasion techniques and acts as a gate for additional loads.
Deep Instinct researchers spotted the botnet dubbed Mylobot which they described as a complex botnet that uses a never before seen combination of evasion techniques, including usage of command and control servers to download the final payload, according to a 20 June blog post.
“Once installed, the botnet shuts down Windows Defender and Windows Update while blocking additional ports on the Firewall,” Security Researcher Tom Nipravsky said in the post. “It also shuts down and deletes any EXE file running from %APPDATA% folder, which can cause loss of data.”
The botnet incorporates various techniques including anti VM techniques, anti-sandbox techniques, and anti-debugging techniques.
Mylobot also wraps internal parts with encrypted resource file, uses code injection, execute EXE files directly from memory without having them on disk, process hollowing, and a delaying mechanism of 14 days before accessing its command and control servers.
Process hollowing is a technique where an attacker creates a new process in a suspended state, and replaces its image with the one that is to be hidden.
While executing the main business logic of the botnet in an external process using code injection everything takes place in memory, makes it even harder to detect and trace.
Once infected the malware will check known folders where malware lives, such as the “Application Data” folder and will immediately terminate and delete the file, even aiming for other botnets such as Dorkbot.
The botnet has the ability to serve different payloads so it could potentially infect victims with ransomware, banking trojans, keyloggers, and other malware resulting in the loss of tremendous data or the need to shut down computers for recovery purposes. The risks are exemplified for enterprises as the damages could be multiplied if the malware makes it into the network.