A new version of the MyloBot malware has been observed deploying malicious payloads that are used to send sextortion emails demanding that victims pay $2,732 in digital currency.
MyloBot, first detected in 2018, is known to feature an array of sophisticated anti-debugging capabilities and propagation techniques to rope infected machines into a botnet, not to mention remove traces of other competing malware from the systems.
Chief among its methods for evading detection and staying under the radar are a delay of 14 days before contacting its command-and-control servers and the ability to execute malicious binaries directly from memory.
MyloBot uses a technique known as process hollowing, in which attacker code is placed into a suspended, hollowed-out process to bypass process-based defenses. This is achieved by unmapping the memory allocated to the live process and replacing it with the arbitrary code to be executed, in this case a decoded resource file.
“The second stage executable then creates a new folder under C:\ProgramData,” Minerva Labs researcher Natalie Zargarov said in a report. “It looks for svchost.exe under a system directory and executes it in a suspended state. It injects itself using an APC injection technique into the spawned process svchost.exe.”
APC injection, similar to process hollowing, is also a process injection technique that enables the insertion of malicious code into an existing victim process via the asynchronous procedure call (APC) queue.
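The injection chain described above (a second-stage executable under C:\ProgramData starting svchost.exe in a suspended state and then injecting into it) leaves traces in process-creation and process-access telemetry. The following is an added defensive example, not code from the report or from Minerva Labs: a small Python checker that applies three heuristics to constructed Sysmon-style events (Event ID 1 ProcessCreate and Event ID 10 ProcessAccess). The sample events, the paths and the `stage2.exe` name are constructed for illustration; the Sysmon field names (`Image`, `ParentImage`, `CommandLine`, `SourceImage`, `TargetImage`, `GrantedAccess`) are the real schema.

```python
"""Flag process-injection indicators of the kind described for MyloBot
(svchost.exe launched by an unexpected parent, execution out of
C:\\ProgramData, and a non-system process opening svchost.exe with write
access) in Sysmon-style events.  Added defensive example with constructed
data; not the malware's code and not Minerva Labs' tooling."""
from typing import Dict, List, Tuple

Event = Dict[str, object]

# Directories treated as trusted sources of code for the heuristics below.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
PROGRAMDATA = "c:\\programdata\\"

# Win32 process access-right bits that allow writing code into another
# process; both process hollowing and APC injection need them.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed sample telemetry in the shape of Sysmon Event ID 1 and 10.
# "stage2.exe" and its path are hypothetical placeholders.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe",
     "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\ProgramData\\example\\stage2.exe",
     "CommandLine": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 10, "SourceImage": "C:\\ProgramData\\example\\stage2.exe",
     "TargetImage": "C:\\Windows\\System32\\svchost.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetImage": "C:\\Windows\\System32\\svchost.exe",
     "GrantedAccess": "0x1400"},
]


def _norm(path: object) -> str:
    """Lower-case a path so comparisons are case-insensitive like NTFS."""
    return str(path or "").lower()


def check_process_create(ev: Event) -> List[str]:
    """Heuristics for Event ID 1 (ProcessCreate)."""
    findings: List[str] = []
    image = _norm(ev.get("Image"))
    parent = _norm(ev.get("ParentImage"))
    cmd = _norm(ev.get("CommandLine"))
    if image.endswith("\\svchost.exe"):
        # Service hosts are normally started by services.exe ...
        if not parent.endswith("\\services.exe"):
            findings.append("svchost_unusual_parent")
        # ... and always carry a "-k <group>" switch on their command line.
        if " -k " not in cmd:
            findings.append("svchost_missing_k_switch")
    # Executables living under ProgramData are unusual and worth a look.
    if image.startswith(PROGRAMDATA) or parent.startswith(PROGRAMDATA):
        findings.append("exec_from_programdata")
    return findings


def check_process_access(ev: Event) -> List[str]:
    """Heuristics for Event ID 10 (ProcessAccess): a process outside the
    system directories obtaining write access to svchost.exe."""
    source = _norm(ev.get("SourceImage"))
    target = _norm(ev.get("TargetImage"))
    mask = int(str(ev.get("GrantedAccess", "0")), 16)
    if (target.endswith("\\svchost.exe")
            and not source.startswith(SYSTEM_DIRS)
            and mask & INJECT_MASK):
        return ["cross_process_write_to_svchost"]
    return []


def analyze(events: List[Event]) -> List[Tuple[int, str]]:
    """Run every heuristic over a list of events; returns (index, rule)."""
    hits: List[Tuple[int, str]] = []
    for idx, ev in enumerate(events):
        if ev.get("EventID") == 1:
            rules = check_process_create(ev)
        elif ev.get("EventID") == 10:
            rules = check_process_access(ev)
        else:
            rules = []
        hits.extend((idx, r) for r in rules)
    return hits


if __name__ == "__main__":
    for idx, rule in analyze(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The svchost parent check has legitimate exceptions on some hosts, so it is a triage signal to baseline rather than a blocking rule. Because MyloBot waits 14 days before contacting its servers, network-based indicators arrive late; host telemetry around the injection step is the earlier opportunity to catch the infection.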
The next stage of infection is to create persistence on compromised hosts, and then use the foothold to communicate with remote servers to retrieve and execute the payload, which decodes the malware and launches it.
This malware was created to exploit the endpoint and send extortion emails alluding to the recipient’s online behavior, including visiting porn websites, and threatening to leak a video allegedly recorded through their webcam.
Minerva Labs’ analysis of the malware also reveals its ability to download additional files, suggesting that the threat actor left behind a backdoor for carrying out further attacks.
“This threat actor went through a lot of trouble to drop the malware and keep it undetected, only to use it as an extortion mail sender,” Zargarov said. “This unknown threat makes botnets dangerous. It could just as easily drop and execute ransomware, spyware, worms, or other threats on all infected endpoints.”