A sophisticated botnet found dubbed Mylobot




     Security researchers have seen various ways of spreading malicious code, with the dark web being one of the main channels for distributing malware. Lately, researchers detected and prevented a highly sophisticated botnet. This newly found botnet presents three different layers of evasion techniques, including the use of command and control servers to download the final payload; the combination and complexity of these techniques had never been seen before. Botnets can perform anything, depending on the payload, which can vary from DDoS attacks to data theft and ransomware, all of which can cause damage.

     The newly found botnet is referred to as Mylobot. The sophisticated botnet incorporates different techniques including anti-VM, anti-sandbox, and anti-debugging. Mylobot wraps its internal parts in an encrypted resource file. Mylobot can inject malicious code at will. Mylobot also incorporates process hollowing, where an attacker creates a new process in a suspended state and replaces its image with one that is to be hidden. Mylobot can execute EXE files directly from memory without having to run them from disk. It can also delay communications with its command and control servers for 14 days.




     Since everything takes place in memory, with the main business logic of the botnet executed in an external process using code injection, it is even harder to detect and trace. When security experts traced the command and control server, they found that it was used by other malware attacks as well, which originated from the dark web. The dark web plays a critical part in the spread of malware; it is the simple accessibility of services and knowledge that makes it easy for any hacker to gain more access with minimum effort. The first example of this is the knowledge shared in forums: on the dark web, hackers trade methods and techniques in underground forums, exposing that knowledge to additional malware developers.

     Another example, which has increased in the past couple of years, is the amount of malware for sale on dark web markets. Using the dark web, anyone can access an online market and purchase malware. Prices vary, from simple malware that costs several dollars to malware sold for hundreds of dollars and advertised as fully undetectable. Beyond the malware itself, malware developers can purchase services that assist in the infection process. A hacker can purchase access to exploit kits, buy traffic of tens of thousands of users to a web page, or even buy a full ransomware-as-a-service for their own use.



     Part of the malware's process is terminating and deleting instances of other malware. It checks the known folders under Application Data where malware commonly lives, and if a certain file is running, it immediately terminates it and deletes its file. It even targets specific folders of other botnets such as DorkBot. Researchers estimate that this rare and unique behavior is driven by money within the dark web: attackers compete against each other to have as many zombie computers as possible in order to increase their value when offering services to other attackers, especially when it comes to spreading infrastructures. The more computers, the more money a hacker can make, and this is something we are seeing here as well.

     Once installed, the botnet shuts down Windows Defender and Windows Update while blocking additional ports on the firewall. It also shuts down and deletes any EXE file running from the %APPDATA% folder, which can cause data loss. The main functionality of the botnet enables a hacker to take complete control of the user's system: it behaves as a gate to download additional code from the command and control servers. The damage here depends on the payload the hacker decides to distribute, which can vary from ransomware to banking trojans, among others. This can result in the loss of tremendous amounts of data and lead to the need to shut down computers for recovery purposes. The fact that the botnet behaves as a gate for additional payloads also puts the enterprise at risk of leaking sensitive data, following the installation of keyloggers or banking trojans.
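The host-side behaviours described in the last two paragraphs (EXE files launched and deleted under %APPDATA%, Windows Defender and Windows Update being stopped, firewall block rules being added) and the 14-day communication delay mentioned earlier are all things endpoint telemetry can surface. The script below is an added example written for this article, not code from the original post or from any vendor. It runs a small set of behaviour checks over constructed Sysmon-like event records (event_id 1 = process create, 3 = network connect, 23 = file delete); the host names, file paths, IP addresses, timestamps and the `WinDefend`/`wuauserv` command lines are constructed sample data, and the 7-day dormancy threshold and "two distinct behaviours" scoring rule are assumptions to be tuned per environment.

```python
"""Behaviour-based triage of Windows endpoint telemetry for the Mylobot traits
described in this article. Added example, not code from the original article.
Events are constructed in a Sysmon-like shape; hosts, paths, IPs and
timestamps are invented."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real Mylobot telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 1, "utc": "2018-06-01T09:00:00",
     "image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "command_line": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"host": "WS01", "event_id": 1, "utc": "2018-06-01T09:00:05",
     "image": r"C:\Windows\System32\sc.exe", "command_line": "sc config WinDefend start= disabled"},
    {"host": "WS01", "event_id": 1, "utc": "2018-06-01T09:00:06",
     "image": r"C:\Windows\System32\net.exe", "command_line": "net stop wuauserv"},
    {"host": "WS01", "event_id": 1, "utc": "2018-06-01T09:00:07",
     "image": r"C:\Windows\System32\netsh.exe",
     "command_line": "netsh advfirewall firewall add rule name=upd dir=in action=block protocol=TCP localport=445"},
    {"host": "WS01", "event_id": 23, "utc": "2018-06-01T09:00:09",
     "image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "target_filename": r"C:\Users\alice\AppData\Roaming\Dorkbot\dork.exe"},
    {"host": "WS01", "event_id": 3, "utc": "2018-06-15T09:05:00",   # 14 days later
     "image": r"C:\Users\alice\AppData\Roaming\svchost.exe", "destination_ip": "203.0.113.10"},
    {"host": "WS02", "event_id": 1, "utc": "2018-06-01T10:00:00",
     "image": r"C:\Program Files\Vendor\app.exe", "command_line": r"C:\Program Files\Vendor\app.exe"},
    {"host": "WS02", "event_id": 1, "utc": "2018-06-01T10:01:00",
     "image": r"C:\Users\bob\AppData\Local\Installer\setup.exe",
     "command_line": r"C:\Users\bob\AppData\Local\Installer\setup.exe /quiet"},
    {"host": "WS02", "event_id": 3, "utc": "2018-06-01T10:01:30",
     "image": r"C:\Users\bob\AppData\Local\Installer\setup.exe", "destination_ip": "203.0.113.20"},
]

# Executable located under a user's AppData\Roaming or AppData\Local tree.
APPDATA_EXE = re.compile(r"\\AppData\\(?:Roaming|Local)\\.*\.exe$", re.IGNORECASE)
# sc/net stopping or reconfiguring Windows Defender (WinDefend) or Windows Update (wuauserv).
SERVICE_TAMPER = re.compile(
    r"\b(?:sc|net)(?:\.exe)?\s+(?:stop|config)\s+(?:windefend|wuauserv)\b", re.IGNORECASE)
# netsh adding a block rule to the Windows firewall.
FIREWALL_BLOCK = re.compile(
    r"\bnetsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\baction\s*=\s*block\b", re.IGNORECASE)


def classify(event):
    """Return the behaviour tags a single event triggers (possibly none)."""
    tags = []
    if event["event_id"] == 1:
        if APPDATA_EXE.search(event.get("image", "")):
            tags.append("exe_from_appdata")
        cmd = event.get("command_line", "")
        if SERVICE_TAMPER.search(cmd):
            tags.append("security_service_tamper")
        if FIREWALL_BLOCK.search(cmd):
            tags.append("firewall_block_rule")
    elif event["event_id"] == 23 and APPDATA_EXE.search(event.get("target_filename", "")):
        tags.append("appdata_exe_deleted")
    return tags


def dormant_images(events, min_days=7):
    """(host, image) pairs whose first network connection came at least min_days
    after the image first ran; a sandbox that watches for minutes never sees it."""
    first_run, first_net = {}, {}
    for ev in events:
        key = (ev["host"], ev.get("image", ""))
        ts = datetime.fromisoformat(ev["utc"])
        if ev["event_id"] == 1:
            first_run[key] = min(first_run.get(key, ts), ts)
        elif ev["event_id"] == 3:
            first_net[key] = min(first_net.get(key, ts), ts)
    return sorted(key for key, t_net in first_net.items()
                  if key in first_run and t_net - first_run[key] >= timedelta(days=min_days))


def score_hosts(events, min_distinct=2, dormant_days=7):
    """Hosts showing at least min_distinct different Mylobot-like behaviours.
    One AppData executable on its own (a legitimate installer, say) is not
    enough, which keeps the false-positive rate manageable."""
    tags_by_host = defaultdict(set)
    for ev in events:
        tags_by_host[ev["host"]].update(classify(ev))
    for host, _image in dormant_images(events, dormant_days):
        tags_by_host[host].add("dormant_network_start")
    return {h: sorted(t) for h, t in tags_by_host.items() if len(t) >= min_distinct}


if __name__ == "__main__":
    for host, tags in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(tags)}")
```

Run as-is, the script flags only WS01; WS02 ran an installer from AppData\Local that connected out within seconds, which on its own should not page anyone. The same tags map naturally onto SIEM correlation rules, and in production the event source would be the Sysmon or EDR feed rather than the constructed list above.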