The Mylobot botnet was discovered during a recent worldwide attack campaign. Analysis of the captured samples shows that it is built around an advanced, modular malware engine that can run different components depending on the target. The operators behind it are still unknown.
Mylobot Botnet Infection Mechanism
The Mylobot botnet attacks were discovered during a routine security evaluation by a research team. The published analysis reveals that the botnet combines a sophisticated infection method with a post-infection behaviour pattern, both driven by a highly customizable engine. The researchers rate it as one of the most sophisticated botnets currently active. At the same time there is no information available about the identity of the hacker or criminal collective behind it.
The published reports do not reveal the exact infection mechanism, because the discovery was made on systems that were already compromised. Given that, there are several possible entry points the malicious code might have used.
One option is malicious email messages built around social engineering. The criminals craft counterfeit messages and notifications that borrow the names, text and graphics of well-known companies. Such messages can carry the malware as an attachment or link to it from the message body. Infections can also be caused by infected payloads such as trojanized application installers or macro-infected documents.
The botnet can also be downloaded from counterfeit download sites that imitate the template and domain name of popular services and well-known portals. These sites can also push the payload through scripts such as pop-ups, redirects, in-line hyperlinks and banners.
A large-scale Mylobot botnet infection can also be carried out through direct network attacks. These target components with known vulnerabilities using exploits loaded into automated exploitation frameworks, and can be launched against whole networks at once.
Mylobot Botnet Capabilities
The Mylobot botnet malware engine contains several components that protect it from detection, which is why security software failed to match it against known signatures. The collected samples include protective measures aimed at a range of analysis and security tools: anti-virus programs, firewalls, debugging environments and virtual machine hosts. Depending on the configuration, the samples can either bypass or entirely remove the security software. Certain Mylobot botnet samples can be configured to remove themselves if they are unable to complete these steps.
Once the main Mylobot botnet engine has been deployed on the target computer, it starts a data harvesting component that collects the following types of data:
- Other Virus Infections — An important feature of the Mylobot botnet engine is that it detects the presence of other malware on the host. It can remove competing malware outright, or only neutralize those actions that would conflict with its own execution.
- Personal Data — The Mylobot botnet can harvest a large amount of sensitive data about the victims. The collected information can expose the user's identity: name, address, telephone number, location, passwords and account credentials.
- Campaign Metrics — The data harvesting engine also profiles the infected devices, for example by inventorying the installed hardware components, which lets the operators optimize subsequent attack campaigns.
Following the module's execution it installs itself on the target machine as a system service. It has been found to disable Windows Defender and Windows Update, and to block many ports that are normally controlled through the built-in Windows Firewall. The security analysis also reveals that it shuts down processes running from the %APPDATA% folder. This may cause certain functions to stop working, and users may lose data as a result.
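The side effects described above (Defender and Windows Update disabled, blocking firewall rules, a service installed from a user profile, processes under %APPDATA%) are all observable from the host. The following read-only triage script is an added example for this article, not code from the original report or from the malware's authors. It assumes an elevated PowerShell 5.1 or later session on Windows 10 / Server 2016 or newer, where the Defender and NetSecurity cmdlets are available; it reports findings and changes nothing.

```powershell
# Added example (not from the original article): read-only triage of a Windows
# host for the post-infection effects the article attributes to Mylobot.
# Assumption: elevated PowerShell 5.1+ on Windows 10 / Server 2016 or newer.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Windows Defender and Windows Update services. The report says both are disabled.
foreach ($svcName in 'WinDefend', 'wuauserv') {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$svcName'"
    if (-not $svc) { $findings.Add("Service $svcName is missing"); continue }
    if ($svc.StartMode -eq 'Disabled' -or $svc.State -ne 'Running') {
        $findings.Add("Service ${svcName}: StartMode=$($svc.StartMode) State=$($svc.State)")
    }
}

# Defender real-time protection switched off through preference/policy.
try {
    $mp = Get-MpPreference -ErrorAction Stop
    if ($mp.DisableRealtimeMonitoring) { $findings.Add('Defender real-time monitoring is disabled') }
} catch { $findings.Add("Get-MpPreference failed: $($_.Exception.Message)") }

# 2. Enabled firewall rules that block traffic and do not belong to a built-in
#    rule group. An empty Group is a rough heuristic for rules added by hand or
#    by software rather than shipped with Windows.
$blockRules = Get-NetFirewallRule -Enabled True -Action Block -ErrorAction SilentlyContinue |
    Where-Object { -not $_.Group }
foreach ($rule in $blockRules) {
    $pf = $rule | Get-NetFirewallPortFilter
    $findings.Add("Block rule '$($rule.DisplayName)' dir=$($rule.Direction) proto=$($pf.Protocol) port=$($pf.LocalPort)")
}

# 3. Services whose binary lives under a user profile's AppData tree. The report
#    says the malware registers itself as a system service; legitimate services
#    almost never run from %APPDATA% or %LOCALAPPDATA%.
$profileRoot = [regex]::Escape((Split-Path $env:USERPROFILE -Parent))   # e.g. C:\Users
Get-CimInstance Win32_Service | Where-Object {
    $_.PathName -match "(?i)^`"?$profileRoot\\[^\\]+\\AppData\\"
} | ForEach-Object {
    $findings.Add("Service $($_.Name) runs from a user profile: $($_.PathName)")
}

# 4. Live processes running from the current user's %APPDATA%. The report says
#    the malware kills other processes there, so anything still alive is worth a
#    look, including the malware itself.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -like "$env:APPDATA\*" } |
    ForEach-Object {
        $findings.Add("Process $($_.ProcessName) (PID $($_.Id)) runs from APPDATA: $($_.Path)")
    }

if ($findings.Count -eq 0) {
    Write-Output 'No Mylobot-style indicators found'
} else {
    Write-Output "Findings ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Any single finding can have a benign cause (an administrator may have disabled Windows Update deliberately, and some legitimate software does block ports), so treat the output as a starting point for investigation rather than a verdict. A disabled Defender service together with a service binary under a user profile is the combination that most directly matches the behaviour described above.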
The main function of the Mylobot botnet is to launch its Trojan component. This is an advanced engine in its own right that connects to a hacker-controlled server, executes remote commands, spies on the victims and can take over control of their machines at any time. The same connection can also be used to deploy additional threats to the targets.
As it appears to target computers on a global scale, we speculate that the attacks are aimed at large companies or government networks. It is also possible that the ongoing campaigns are meant to penetrate only a carefully monitored set of computers.
Mylobot Botnet’s Use in Future Attacks
The Mylobot botnet can be used as an effective tool against a wide range of targets. The security analysis that presented its capabilities shows that the underlying engine contains many modules that can bypass several layers of security, both network countermeasures and the protection installed on individual hosts. The fact that the captured strains were found only after the infections had already gotten past the anti-virus products means that at the moment there is no accurate information about the number of active infections worldwide. Its impact may range from individual users to large enterprises and even government networks.
There are several possible use case scenarios that the hackers can follow:
- Direct Attacks — The Mylobot botnet can be used against predefined targets using the capabilities of the virus engine described above.
- Widespread Attack — The botnet can be programmed to attempt to infect many targets at once. This is best done with many instances set against a predefined network of target hosts, with the infection attempts running in parallel.
- Payload Delivery — The botnet is used mainly to bypass the security measures. Instead of performing the bulk of the malicious actions itself, it deploys a secondary virus that is responsible for the rest of the infection.
- Customized Versions — Mylobot botnet samples are offered on underground hacker markets and customized for certain targets.
In all cases, infections caused by the Mylobot botnet should be handled with extreme caution, as they can be very difficult to remove. We expect further updates to its code, which may make it even harder to detect and remove.