How MyloBot Could Turn The Tables On Your Windows Device
Security researchers at Deep Instinct have discovered a new, highly sophisticated malware strain that targets Microsoft Windows computers and turns them into a botnet. It’s called MyloBot, and it has the industry talking. Upon infection, the malware allows hackers to take over the host device and enlist it in a larger botnet, a network of privately owned computers, all infected with the same malware, that attackers control as a single group.
With this kind of firepower, botnets are often the engine behind digital threats such as Distributed Denial of Service (DDoS) attacks, ransomware distribution, and the like. The researchers at Deep Instinct who discovered the malware claim to have never seen its equal, especially regarding overall capabilities and sophistication. They dubbed it MyloBot and sought to learn more.
MyloBot does more than convert Windows devices into a botnet: it steals user data, disables antivirus software, removes any previously installed malware, and disables key system features such as Windows Defender and Windows Update, while blocking ports in Windows Firewall and deleting various applications.
The blog post entitled “Meet MyloBot—A New Highly-Sophisticated, Never-Seen-Before Botnet That’s Out In The Wild,” written by Tom Nipravsky, a Deep Instinct Security Researcher, discusses certain aspects of this malware. Nipravsky explains, “Part of this malware process is terminating and deleting instances of other malware. It checks for known folders where malware ‘lives,’ such as an Application Data folder—and if a certain file is running, it immediately terminates and deletes its file. It even aims for specific folders of other botnets such as DorkBot.”
The blog goes on to say, “Once installed, the botnet shuts down Windows Defender and Windows Update while blocking additional ports on the Firewall. It also shuts down and deletes any EXE file running from %APPDATA% folder, which can cause a loss of data.”
Nipravsky also details the main functionality of the botnet by saying, “The main functionality of the botnet enables an attacker to take complete control of the user’s system. It behaves as a gate to download additional payloads from the command and control servers. The expected damage here depends on the payload the attacker decides to distribute. It can vary from downloading and executing ransomware and banking trojans, among others. This can result in tremendous loss of data and the need to shut down computers for recovery purposes, both of which can lead to enterprise disasters. Because the botnet behaves as a gate for additional payloads, it puts enterprises at risk of data loss from keyloggers and banking Trojan installations.”
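The defence-disabling sequence quoted above (Windows Defender and Windows Update shut down, firewall block rules added, executables run from or removed under %APPDATA%) leaves a recognisable trail in the Windows event logs. The following is an added detection example written for this page; it is not code from Deep Instinct or from the article. It correlates a handful of constructed Windows event records per host and raises an alert only when several of these distinct behaviours occur within a short window, so that a single routine service restart does not fire. The event IDs and service names used (7036, 7040, 5001, 4946, 4688; WinDefend, wuauserv) are real Windows identifiers; the hostnames, timestamps and file paths are constructed sample data, and the JSON-like record shape is an assumption about how the logs were exported.

```python
"""Correlate Windows events for the 'disable the defences' behaviour pattern.

Added example for this article, not Deep Instinct's code. Event records are
constructed samples in a simplified dict shape (an assumption about the
log export format); the event IDs and service names are real.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Real Windows service names mapped to the behaviour category they indicate.
DEFENSE_SERVICES = {
    "WinDefend": "defender_disabled",   # Windows Defender Antivirus service
    "wuauserv": "update_disabled",      # Windows Update service
}


def classify(event):
    """Map one event record to a behaviour category, or None if not relevant."""
    eid, data = event["id"], event["data"]
    # 7036 (Service Control Manager): "<service> entered the stopped state"
    if eid == 7036 and data.get("state") == "stopped":
        return DEFENSE_SERVICES.get(data.get("service"))
    # 7040 (Service Control Manager): start type changed, e.g. to "disabled"
    if eid == 7040 and data.get("new_start") == "disabled":
        return DEFENSE_SERVICES.get(data.get("service"))
    # 5001 (Windows Defender operational log): real-time protection disabled
    if eid == 5001:
        return "defender_disabled"
    # 4946 (Security log): a Windows Firewall rule was added
    if eid == 4946 and data.get("action") == "Block":
        return "firewall_block_rule_added"
    # 4688 (Security log): process creation; flag .exe launched from %APPDATA%
    if eid == 4688:
        image = data.get("image", "").lower()
        if "\\appdata\\roaming\\" in image and image.endswith(".exe"):
            return "appdata_exe_executed"
    return None


def correlate(events, window=timedelta(minutes=10), threshold=3):
    """Return {host: sorted categories} for each host showing at least
    `threshold` distinct behaviour categories inside one `window`."""
    by_host = defaultdict(list)
    for ev in events:
        cat = classify(ev)
        if cat:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), cat))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):          # slide a window over sorted hits
            cats = {c for t, c in hits[i:] if t - t0 <= window}
            if len(cats) >= threshold:
                alerts[host] = sorted(cats)
                break
    return alerts


# Constructed sample records (hosts, times and paths are made up for the example).
EVENTS = [
    {"host": "WS01", "time": "2018-06-20T10:00:05", "id": 7036,
     "data": {"service": "WinDefend", "state": "stopped"}},
    {"host": "WS01", "time": "2018-06-20T10:00:06", "id": 5001, "data": {}},
    {"host": "WS01", "time": "2018-06-20T10:00:07", "id": 7040,
     "data": {"service": "wuauserv", "new_start": "disabled"}},
    {"host": "WS01", "time": "2018-06-20T10:00:09", "id": 4946,
     "data": {"rule": "Block outbound 445", "action": "Block"}},
    {"host": "WS01", "time": "2018-06-20T10:00:12", "id": 4688,
     "data": {"image": "C:\\Users\\alice\\AppData\\Roaming\\updater.exe"}},
    # WS02: a routine Windows Update service stop and an ordinary process; no alert.
    {"host": "WS02", "time": "2018-06-20T11:00:00", "id": 7036,
     "data": {"service": "wuauserv", "state": "stopped"}},
    {"host": "WS02", "time": "2018-06-20T11:00:30", "id": 4688,
     "data": {"image": "C:\\Windows\\System32\\notepad.exe"}},
    # WS03: an Allow rule is not a block indicator.
    {"host": "WS03", "time": "2018-06-20T12:00:00", "id": 4946,
     "data": {"rule": "Allow app", "action": "Allow"}},
]

if __name__ == "__main__":
    for host, cats in correlate(EVENTS).items():
        print(f"ALERT {host}: {', '.join(cats)}")
```

The threshold is what keeps this usable: each signal on its own (a stopped service, a new firewall rule, an executable in a roaming profile) is common on a healthy fleet, but three or four of them on the same host inside ten minutes matches the sequence the researchers describe and is worth an analyst's attention. In a real deployment the `EVENTS` list would be replaced by records read from a SIEM or from `Get-WinEvent` exports, and the category names would feed a ticket rather than a print statement.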
MyloBot appears to be operated from the dark web through a command-and-control (C&C) infrastructure that is also connected to other malicious campaigns. Researchers at Deep Instinct observed the malware lying dormant on infected systems for 14 days, posing as an ordinary client of the host machine. More details about how the malware spreads have yet to be discovered and divulged.