MyloBot malware has been observed deploying malicious payloads that are being used to send sextortion emails demanding victims to pay $2,732 in digital currency.
MyloBot, is known for sophisticated anti-debugging capabilities and propagation techniques to rope infected machines into a botnet, not to mention remove traces of other competing malware from the systems.
It will evade detection and stay under the radar included a delay of 14 days before accessing its command-and-control servers and the facility to execute malicious binaries directly from memory.
It leverages process hollowing technique, wherein the attack code is injected into a suspended and hollowed process in order to circumvent process-based defenses. This is achieved by unmapping the memory allocated to the live process and replacing it with the arbitrary code to be executed, in this case a decoded resource file.
The second stage executable then creates a new folder under C:\ProgramData,It looks for svchost.exe under a system directory and executes it in suspended state. Using an APC injection technique, it injects itself into the spawned svchost.exe process.
APC injection, similar to process hollowing, is also a process injection technique that enables the insertion of malicious code into an existing victim process via the asynchronous procedure call (APC) queue.
The next phase of the infection involves establishing persistence on the compromised host, using the foothold as a stepping stone to establish communications with a remote server to fetch and execute a payload that, in turn, decodes and runs the final-stage malware.
This malware is designed to abuse the endpoint to send extortion messages alluding to the recipients’ online behaviors, such as visiting porn sites, and threatening to leak a video that was allegedly recorded by breaking into their computers’ webcam.
Botnets are dangerous exactly because of this unknown upcoming threat. It could just as easily drop and execute ransomware, spyware, worms, or other threats on all infected endpoints.