What Is Mylobot Malware? How It Works and What to Do About It

Botnet Detection and Removal: Methods & Best Practices ...

This is a doozy right here…. be on your shit!

Cybersecurity is a constant battleground. In 2017, security researchers discovered some 23,000 new malware specimens per day (that’s 795 per hour).

While that headline is shocking, it turns out that the majority of these specimens are variants of the same malware type. They just have slightly different code that each creates a “new” signature.

Every now and then, though, a truly new malware strain bursts onto the scene. Mylobot is one such example: it’s new, highly sophisticated, and gathering momentum.

What Is Mylobot?

Mylobot is a botnet malware that packs a serious amount of malicious intent. The new malware was first spotted by Tom Nipravsky, a security researcher for Deep Instinct, who says “the combination and complexity of these techniques were never seen in the wild before.”

This malware does indeed combine a wide-range of sophisticated infection and obfuscation techniques into a potent package. Take a look:

  • Anti-virtual machine (VM) techniques: The malware checks its local environment for the signs of a virtual machine, and if found fails to run.
  • Anti-sandbox techniques: Very similar to the anti-VM techniques.
  • Anti-debugging techniques: Stops a security researcher effectively and efficiently working on a malware sample, by altering behavior in the presence of certain debugging programs.
  • Wrapping internal parts with an encrypted resource file: Essentially further protecting the internal code of the malware with encryption.
  • Code injection techniques: Mylobot runs custom code to attack the system, injecting its custom code into system processes to gain access and disrupt regular operation.
  • Process hollowing: An attacker creates a new process in a suspended state, then replaces the one that is meant to be hidden.
  • Reflective EXE: The EXE file executes from memory rather than disk.
  • Delay mechanism: The malware lays dormant for 14 days before connecting to command and control servers.

Mylobot puts a lot of effort into staying hidden.

The anti-sandboxing, anti-debugging, and anti-VM techniques attempt to stop the malware appearing in antimalware scans, as well as prevent researchers from isolating the malware on a virtual machine or sandboxed environment for analysis.

The reflective executable makes Mylobot even more undetectable as there is no direct disk activity for your antivirus or antimalware suite to analyze.

Mylobot’s Evasive Maneuvers

According to what Nipravsky told Threatpost:

“The structure of the code itself is very complex—it’s a multi-threaded malware where each thread is in charge on implementing different capability of the malware.”


“The malware contains three layers of files, nested on each other, where each layer is in charge of executing the next one. The last layer is using [the Reflective EXE] technique.”

Along with the anti-analysis and anti-detection techniques, Mylobot can waits up to 14 days before attempting to establish communications with its command and control servers.

When Mylobot does establish a connection, the botnet shuts down Windows Defender and Windows Update, as well as closing a number of Windows Firewall ports.

Mylobot Seeks and Kills Other Malware Types

One of the most interesting—and rare—functions of the Mylobot malware is its search-and-destroy function.

Unlike other malware, Mylobot comes ready to eradicate other types of malware already on the target system. Mylobot scans the system Application Data folders for common malware files and folders, and if it finds a certain file or process, Mylobot terminates it.

Nipravsky believes there are a couple of reasons for this rare and hyper-aggressive malware activity. The rise of ransomware-as-a-service and other pay-to-play malware variants have significantly lowered the barrier to becoming a cyber-criminal. Some full-featured ransomware and exploit kits are available for free as part of affiliate programs (specifically, the Saturn ransomware).

Furthermore, the price to hire a powerful botnet can drop extremely low with a large enough order while others have advertised day rates for only tens of dollars.

The ease of access is encroaching into established cyber-crime activity.

“Attackers compete against each other to have as many ‘zombie computers’ as possible in order to increase their value when proposing services to other attackers, especially when it comes to spreading infrastructures.”

As a result, there is a sort of dramatic escalation of malware functionality to spread further, last longer, and reap more profitable rewards.

What Does Mylobot Do, Exactly?

Mylobot’s main functionality is exposing control of the system to the attacker. From there, the attacker has access to online credentials, system files, and much more.

The real damage is ultimately the decision of whoever is attacking the system. Malware with capabilities of Mylobot can easily lead to massively damage, especially when found in the enterprise environment.

Mylobot also has links to other botnets, including DorkBot, Ramdo, and the infamous Locky network. If Mylobot is acting as a conduit for other botnets and malware types, anyone who falls foul of this malware is going to have a really bad time:

“The fact that the botnet behaves as a gate for additional payloads, puts the enterprise in risk for leak of sensitive data as well, following the risk of keyloggers / banking trojans installations.”

How Do You Stay Safe Against Mylobot?

Well, here’s the bad news: Mylobot is thought to have been actively infecting systems for over two years at this point. Its command-and-control servers first saw use in November 2015.

So, Mylobot appears to have dodged all other security researchers and firms for quite some time before running into Deep Instinct’s deep learning cyber research tools.

Unfortunately, your regular antivirus and antimalware tools aren’t going to pick something like Mylobot up—for the time being, at least.

Now that there is a Mylobot sample, more security firms and researchers can use the signature. In turn, they’ll keep much closer tabs on Mylobot.

via What Is Mylobot Malware? How It Works and What to Do About It

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.