New MyloBot Malware Variant - Sends Sextortion Emails Demands Bitcoin

A new MyloBot malware variant sends sextortion emails demanding that victims pay $2,732 in Bitcoin. MyloBot first appeared in 2018 and is known for its array of sophisticated anti-debugging capabilities and for propagation techniques that turn infected machines into a botnet. It also removed traces of competing malware from the systems it infected.

The malware has notable capabilities for staying hidden and evading detection, including a delay of 14 days before it contacts its command and control servers. It was also able to execute malicious binaries directly from memory.

Process hollowing lets MyloBot run its attack code inside a process that was started in a suspended state and then hollowed out. This circumvents process-based defenses: the malware unmaps the memory allocated to the live process and replaces it with the arbitrary code to be executed, in this case a decoded resource file.

According to a report by Minerva Labs researcher Natalie Zargarov, “The second stage executable then creates a new folder under C:\ProgramData. It looks for svchost.exe under a system directory and executes it in a suspended state. Using an APC injection technique, it injects itself into the spawned svchost.exe process.”

Like process hollowing, APC injection is a process injection technique that enables the insertion of malicious code into an existing victim process via the asynchronous procedure call (APC) queue.

In the second phase, it establishes persistence on the compromised host, gains a foothold, and uses it as a stepping stone to communicate with a remote server, from which it fetches and executes a payload that decodes and runs the final-stage malware.
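The injection chain described above (a second-stage binary under C:\ProgramData starting svchost.exe and injecting into it) leaves a trace in process-creation telemetry. The following is an added defender-side example, not code from the article or the Minerva Labs report: it flags svchost.exe instances started by an unexpected parent, running outside a system directory, or spawned by a parent that executes from C:\ProgramData. The event fields, the sample records and the parent baseline are assumptions.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Where a genuine svchost.exe lives and which process normally starts it.
# (Assumed baseline; tune to the environment you monitor.)
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
EXPECTED_SVCHOST_PARENTS = {"services.exe"}
PROGRAMDATA_PREFIX = "c:\\programdata\\"

@dataclass(frozen=True)
class ProcessCreate:
    """Minimal process-creation record (field names are assumptions)."""
    pid: int
    image: str         # full path of the process that was started
    parent_image: str  # full path of the process that started it

def check_event(ev: ProcessCreate) -> list[str]:
    """Return human-readable findings for one event; empty list means benign."""
    findings = []
    image = PureWindowsPath(ev.image)
    parent = PureWindowsPath(ev.parent_image)
    if image.name.lower() == "svchost.exe":
        if str(image.parent).lower() not in SYSTEM_DIRS:
            findings.append("svchost.exe image outside a system directory")
        if parent.name.lower() not in EXPECTED_SVCHOST_PARENTS:
            findings.append(f"svchost.exe spawned by unexpected parent {parent.name}")
    if str(parent).lower().startswith(PROGRAMDATA_PREFIX):
        findings.append("parent process runs from C:\\ProgramData")
    return findings

def scan(events: list[ProcessCreate]) -> list[tuple[int, str]]:
    """Run check_event over a batch and pair each finding with its pid."""
    return [(ev.pid, f) for ev in events for f in check_event(ev)]

# Constructed sample events: one benign service host, one matching the
# reported MyloBot chain (stage-2 binary under ProgramData starts svchost.exe),
# and one svchost.exe copy planted outside the system directory.
SAMPLE_EVENTS = [
    ProcessCreate(412, r"C:\Windows\System32\svchost.exe",
                  r"C:\Windows\System32\services.exe"),
    ProcessCreate(5120, r"C:\Windows\System32\svchost.exe",
                  r"C:\ProgramData\PLACEHOLDER_DIR\stage2.exe"),
    ProcessCreate(6004, r"C:\Users\Public\svchost.exe",
                  r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, finding in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {finding}")
```

A legitimate svchost.exe is always started by services.exe from a system directory, so any hit on the first two checks deserves a look at the parent binary; the ProgramData check is noisier and is best used to raise the priority of the other two.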

MyloBot is designed to abuse the endpoint to send extortion messages alluding to the recipients’ online behavior, such as visiting porn sites, and threatening to leak a video allegedly recorded by breaking into their computers’ webcams.

According to Minerva Labs researchers, it also has the ability to download additional files, suggesting that the threat actor left behind a backdoor for carrying out further attacks.

Zargarov further added, “This threat actor went through a lot of trouble to drop the malware and keep it undetected, only to use it as an extortion mail sender. Botnets are dangerous exactly because of this unknown upcoming threat. It could just as easily drop and execute ransomware, spyware, worms, or other threats on all infected endpoints.”
