A new variant of the MyloBot malware is being used in sextortion campaigns. The second-stage payload it fetches from its command-and-control server sends sextortion emails demanding $2,732 in cryptocurrency.
New Version of MyloBot Detected
Minerva researchers recently came across a 2022 version of MyloBot (first detected in 2018) and decided to investigate how the botnet has evolved. To their surprise, not much has changed in terms of capabilities.
“Several Anti-Debugging and Anti-VM techniques have disappeared and more injection techniques are now being implemented but, ultimately, the second stage payload downloaded from the C&C server is used to send Extortion emails,” the report pointed out.
The attack itself is executed in six stages.
The first stage relies on two techniques: registering an unhandled exception filter with the “SetUnhandledExceptionFilter” WINAPI function, and a call to “CreateTimerQueueTimer.” Both are used to hide the real control flow from an analyst: an unhandled-exception filter is only invoked when no debugger is attached to the process, and a timer-queue callback runs the next step on a thread-pool worker thread rather than in the obvious execution path. During the second stage, the malware “performs an Anti-VM check using SetupDiGetClassDevs, SetupDiEnumDeviceInfo and SetupDiGetDeviceRegistryProperty to query the friendly name of all devices present on the current system and checks for the strings VMWARE, VBOX, VIRTUAL HD and QEMU within the name.”
The third stage establishes persistence, and the file used in the fourth stage is a copy of the first-stage file. The final stages download the second-stage payload; during this step cleanmgr.exe is run and an additional timing-based anti-debugging technique is applied.
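The stage-2 anti-VM check is the part of this chain a defender can test directly: if an analysis VM or sandbox exposes any of those four strings in a device name, MyloBot will simply refuse to proceed and the analyst never sees the sextortion payload. The following PowerShell script is an added example, not code from the Minerva report or from the MyloBot sample itself. It reproduces the same case-insensitive substring check over device names so an analyst can see which devices would give the hypervisor away. It assumes the Win32_PnPEntity CIM class as the data source; its Name property reports the device friendly name where one exists and falls back to the device description otherwise, so the script may flag slightly more devices than SetupDiGetDeviceRegistryProperty with the friendly-name property would, which is the safe direction for a sandbox leak check.

```powershell
# Added example: replicate MyloBot's stage-2 anti-VM check from the analyst's side.
# The four marker strings are the ones the Minerva report says the malware looks for.
# Assumption: Win32_PnPEntity.Name is close enough to the SetupDi friendly name
# (it falls back to the device description, so it over-approximates the malware's view).
$VmMarkers = @('VMWARE', 'VBOX', 'VIRTUAL HD', 'QEMU')

function Get-VmLeakingDevices {
    param(
        [string[]]$Markers = $VmMarkers
    )
    Get-CimInstance -ClassName Win32_PnPEntity |
        Where-Object { $_.Name } |
        ForEach-Object {
            # Malware compares upper-cased names; do the same so results match.
            $name = $_.Name.ToUpperInvariant()
            foreach ($m in $Markers) {
                if ($name.Contains($m)) {
                    [pscustomobject]@{
                        Marker     = $m
                        DeviceName = $_.Name
                        DeviceId   = $_.DeviceID
                    }
                    break   # one hit per device is enough
                }
            }
        }
}

$hits = @(Get-VmLeakingDevices)
if ($hits.Count -gt 0) {
    Write-Host "Stage-2 anti-VM check would fire: $($hits.Count) device name(s) expose the hypervisor." -ForegroundColor Yellow
    $hits | Format-Table -AutoSize
    exit 1
}
else {
    Write-Host "No device name contains VMWARE, VBOX, VIRTUAL HD or QEMU; the stage-2 check would pass." -ForegroundColor Green
    exit 0
}
```

Run it inside the analysis VM before detonating a sample. Typical offenders are the virtual disk (“VMware Virtual disk SCSI Disk Device”, “VBOX HARDDISK”) and the display adapter; renaming or swapping those devices is what lets the sample reach the stages that actually download and send the extortion emails. Note that this covers only the device-name check the report describes; the other anti-VM and anti-debugging tricks in the chain need their own handling.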
What about the sextortion email?
The content of the sextortion email is the following:
I know michigan is one of your password on day of hack..
Lets get directly to the point.
Not one person has paid me to check about you.
You do not know me and you’re probably thinking why you are getting this email?
in fact, i actually placed a malware on the adult vids (adult porn) website and you know what, you visited this site to experience fun (you know what i mean).
When you were viewing videos, your browser started out operating as a RDP having a key logger which provided me with accessibility to your display and web cam.
immediately after that, my malware obtained every one of your contacts from your Messenger, FB, as well as email account.
after that i created a double-screen video. 1st part shows the video you were viewing (you have a nice taste omg), and 2nd part displays the recording of your cam, and its you.
Best solution would be to pay me $2732.
We are going to refer to it as a donation. in this situation, i most certainly will without delay remove your video.
My BTC address : 14JuDQdSEQtFq7SkFHGJackAxneY9ixAUM
[case SeNSiTiVe, copy & paste it] You could go on your life like this never happened and you will not ever hear back again from me.
You’ll make the payment via Bitcoin (if you do not know this, search ‘how to buy bitcoin’ in Google).
if you are planning on going to the law, surely, this e-mail can not be traced back to me, because it’s hacked too.
I have taken care of my actions. i am not looking to ask you for a lot, i simply want to be paid.
if i do not receive the bitcoin;, I definitely will send out your video recording to all of your contacts including friends and family, co-workers, and so on.
Nevertheless, if i do get paid, i will destroy the recording immediately.
If you need proof, reply with Yeah then i will send out your video recording to your 8 friends.
it’s a nonnegotiable offer and thus please don’t waste mine time & yours by replying to this message.
The malware can also download an additional payload file onto the infected system. “This might indicate that the threat actor left a door open for itself and might yet decide to pass additional files,” the report added.
MyloBot first appeared in 2018. That version of the malware was also associated with email messages, specifically ones built around social engineering techniques.