Mylobot is a botnet malware, which infiltrates the Dark Web. It shows a high level of complexity based on evasion techniques. In terms of function, Mylobot can be used to download any payload, be it crypto mining, ransomware, banking Trojans, spyware, or other malware.
- Anti-virtual (VM) and anti-sandbox: The malware looks for its local environment and if it finds a virtual machine, it does not run.
- Anti-debugging: It generates behavioral alterations when viewing debugging programs.
- Code injection: To stop system processes.
- Suspended state: Generates a process in a suspended state and then replaces it with the one to be hidden.
- Delayed mechanism: It remains inactive for an average of 14 days to generate a connection with the command and control servers.
As soon as it is installed on the computer, Mylobot shuts down the Windows defender and Windows update processes, and at the same time blocks ports in the Windows firewall to be able to operate without being stopped. Additionally, when it detects the presence of any other malware, it proceeds to remove them to be the only attacker on the affected machine.
The expected damage depends on the payload that the attacker wants to distribute, this can be from ransomware, control of machine peripherals to generate extortion, activity monitoring, etc.
Indicators of Compromise (IOCs)
The top 10 countries where attacks originated are Iraq, Iran, Argentina, Russia, Vietnam, China, India, Saudi Arabia, Chile, and Egypt.
- Suspicious traffic from dangerous target IPs
- Access control by geolocation
*To have these detections, the client must have contracted SOC services.
For more information you can consult the following sources associated with the news: