Researchers at Deep Instinct have reported a new botnet whose operators use the Mylobot loader to infect devices with a range of malware, from cryptocurrency miners to keyloggers, banking Trojans and ransomware. What sets Mylobot apart is the unusual combination of current techniques it employs.
In particular, Mylobot carries a variety of measures against analysis and detection. It can detect that it is running in a sandbox, in a virtual machine or under a debugger; it forcibly terminates the Windows Defender and Windows Update processes; and it adds rules to the Windows Firewall to block additional ports.
Mylobot's resource file is encrypted, and the malicious code is executed filelessly, from memory. The malware also uses an unusual code injection technique called process hollowing: it creates a legitimate process in a suspended state, replaces the process's image in memory with the code it wants to hide, and then lets the process run so that the payload executes under the legitimate process's name. Once it has infected a device, Mylobot waits two weeks before contacting its command-and-control server.
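Process hollowing leaves a tell-tale inconsistency: the PE header that the loader mapped from the executable on disk no longer matches what sits at the process's image base in memory. The following Python is an added example written for this article, not Deep Instinct's tooling or anything taken from Mylobot. It compares the header fields of an on-disk image with those read from the process's image base, and it flags a hollowed process when they disagree or when no valid PE header is present at all. It assumes the caller has already obtained both byte strings (for example, by reading the file and dumping the first page at the image base); the `build_pe` helper and the `SAMPLES` table are constructed test data, not real binaries.

```python
import struct


def build_pe(entry_point, num_sections, pe32plus=False, image_base=0x400000):
    """Build a minimal PE header (DOS stub + NT headers, no sections).

    Constructed test data for this example: just enough of a PE image for
    parse_pe_header() to work, not a loadable executable.
    """
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)            # e_lfanew: NT headers at 0x40
    opt_size = 0xF0 if pe32plus else 0xE0
    hdr += struct.pack("<4sHHIIIHH", b"PE\0\0",
                       0x8664 if pe32plus else 0x14C,   # Machine: x64 or x86
                       num_sections, 0, 0, 0, opt_size, 0x0102)
    if pe32plus:
        # Magic, linker ver, SizeOfCode, SizeOfInit, SizeOfUninit, EntryPoint, BaseOfCode, ImageBase
        opt = struct.pack("<HBBIIIIIQ", 0x20B, 14, 0, 0, 0, 0, entry_point, 0x1000, image_base)
    else:
        # PE32 additionally has BaseOfData before a 32-bit ImageBase
        opt = struct.pack("<HBBIIIIIII", 0x10B, 14, 0, 0, 0, 0, entry_point, 0x1000, 0x2000, image_base)
    hdr += opt.ljust(opt_size, b"\0")
    return bytes(hdr)


def parse_pe_header(image):
    """Extract the header fields a hollowing check compares (disk bytes or a memory read)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, num_sections = struct.unpack_from("<HH", image, e_lfanew + 4)
    opt = e_lfanew + 24                                  # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    (entry_point,) = struct.unpack_from("<I", image, opt + 16)
    if magic == 0x10B:                                   # PE32
        (image_base,) = struct.unpack_from("<I", image, opt + 28)
    elif magic == 0x20B:                                 # PE32+
        (image_base,) = struct.unpack_from("<Q", image, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return {"machine": machine, "magic": magic, "sections": num_sections,
            "entry_point": entry_point, "image_base": image_base}


def hollowing_indicators(disk_image, memory_image):
    """Compare the PE header on disk with the header found at the process's image base."""
    try:
        mem = parse_pe_header(memory_image)
    except ValueError as exc:
        # Hollowing unmaps the original image first; an absent or garbage header
        # at the expected base is itself a strong indicator.
        return [f"no valid PE header at image base ({exc})"]
    disk = parse_pe_header(disk_image)
    findings = []
    # ImageBase is deliberately not compared: ASLR relocates images, so the
    # in-memory value legitimately differs from the file's preferred base.
    for field in ("machine", "magic", "sections", "entry_point"):
        if disk[field] != mem[field]:
            findings.append(f"{field} differs: disk={disk[field]:#x} memory={mem[field]:#x}")
    return findings


# Constructed sample: a clean 64-bit process, one hollowed with a 32-bit payload,
# and one whose image was unmapped and not yet replaced.
SAMPLES = {
    "svchost.exe (clean)": (build_pe(0x3F40, 6, pe32plus=True), build_pe(0x3F40, 6, pe32plus=True)),
    "svchost.exe (hollowed)": (build_pe(0x3F40, 6, pe32plus=True), build_pe(0x12C0, 4)),
    "explorer.exe (unmapped)": (build_pe(0x5A00, 7, pe32plus=True), bytes(0x200)),
}


def scan(samples=SAMPLES):
    """Return {process: [findings]} for every (disk_image, memory_image) pair."""
    return {name: hollowing_indicators(disk, mem) for name, (disk, mem) in samples.items()}


if __name__ == "__main__":
    for name, findings in scan().items():
        print(name, "->", findings or ["header matches disk image"])
```

On a live host the memory side would come from `ReadProcessMemory` at the base recorded in the PEB, or from a memory dump; the on-disk side from the path the process reports. Header-field comparison is a cheap first pass. A fuller check also compares the section table and hashes the mapped code section against the file, since a hollowed process can reuse a payload of the same architecture with a similar header layout.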
Mylobot's code structure is elaborate. The malware consists of three layers of files nested inside one another, each layer responsible for unpacking and executing the next.
Besides downloading other malware, Mylobot can also be used to carry out DDoS attacks. In the campaign the researchers discovered, Mylobot dropped the DorkBot backdoor onto victims' computers. How the malware is being distributed is not yet known.
The loader also ruthlessly eliminates competitors on infected devices: it compares the list of running processes against the contents of the %APPDATA% folder, where malware commonly stores its files. When it finds a match, Mylobot terminates the process and deletes the corresponding .exe file.
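The same comparison Mylobot makes to find rivals is a useful hunting query for defenders, since a process whose image lives under %APPDATA% is worth a look regardless of who dropped it. The following Python is an added example written for this article, not Mylobot's code or Deep Instinct's. It matches a process listing against the executables found under %APPDATA% by normalised path, which is necessary because NTFS paths are case-insensitive, and reports the hits rather than killing anything. The process list, the directory contents and the `ALLOWLIST` of legitimate per-user installs are constructed sample data; on a real host they would come from a process enumeration and a walk of the %APPDATA% tree.

```python
import ntpath

# Constructed sample data standing in for a process listing and a walk of
# %APPDATA% on a Windows host.
APPDATA_FILES = [
    r"C:\Users\alice\AppData\Roaming\Telegram Desktop\Telegram.exe",
    r"C:\Users\alice\AppData\Roaming\svhost\svhost.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Themes\note.txt",
]

RUNNING_PROCESSES = [
    (4812, r"C:\Windows\System32\svchost.exe"),
    (5120, r"C:\Users\alice\AppData\Roaming\svhost\svhost.exe"),
    (6008, r"C:\Users\alice\AppData\Roaming\Telegram Desktop\Telegram.exe"),
    # Same file as PID 5120 reported with different case: must still match.
    (6130, r"C:\Users\ALICE\AppData\Roaming\SVHOST\SVHOST.EXE"),
]

# Assumed allowlist: per-user installers that legitimately place a program
# under %APPDATA%. Maintained by the analyst, not derived from anything on the host.
ALLOWLIST = {r"C:\Users\alice\AppData\Roaming\Telegram Desktop\Telegram.exe"}


def norm(path):
    """Canonical form for comparing Windows paths: case-folded, separators and '..' collapsed."""
    return ntpath.normcase(ntpath.normpath(path))


def processes_from_appdata(processes, appdata_files, allowlist=frozenset()):
    """Return (pid, image_path) for each running process whose image is an .exe found under %APPDATA%.

    This mirrors the malware's competitor check, but only reports; a defender
    reviews the hits instead of terminating processes and deleting files.
    """
    known = {norm(f) for f in appdata_files if f.lower().endswith(".exe")}
    allowed = {norm(f) for f in allowlist}
    hits = []
    for pid, image in processes:
        canonical = norm(image)
        if canonical in known and canonical not in allowed:
            hits.append((pid, image))
    return hits


if __name__ == "__main__":
    for pid, image in processes_from_appdata(RUNNING_PROCESSES, APPDATA_FILES, ALLOWLIST):
        print(f"PID {pid}: running from %APPDATA%: {image}")
```

Matching on the full path rather than the file name matters: a dropper that names itself `svchost.exe` should not be confused with the real one in System32, and the listing above deliberately includes both. Anything this turns up that is not on the allowlist is a candidate for the usual follow-up (signature check, hash lookup, parent process), and the allowlist itself should be reviewed periodically, since a path that was benign last quarter is exactly where a loader like Mylobot would like to sit.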
It is not yet known who is behind Mylobot, but the complexity and unusual behaviour of the malware indicate that its authors are not amateurs.