A new version of the MyloBot malware has been observed deploying malicious payloads and being used to send sextortion emails.
MyloBot was first discovered in 2018 and has now returned with a new scheme for extorting its victims. The new variant sends sextortion emails to the victims, and the operators behind it demand a payment of $2,732 in bitcoin.
To avoid detection and stay under the radar, MyloBot waits 14 days before contacting its command-and-control servers, and it runs its code directly from memory.
MyloBot uses process hollowing to get around process-based defenses: the attack code is injected into a legitimate process that has been started in a suspended state and hollowed out. It accomplishes this by unmapping the live process's memory and replacing it with the code to be run.
“The second stage executable then creates a new folder under C:\ProgramData,” Minerva Labs researcher Natalie Zargarov said in a report. “It looks for svchost.exe under a system directory and executes it in a suspended state. Using an APC injection technique, it injects itself into the spawned svchost.exe process.”
APC injection is a process injection technique in which an asynchronous procedure call (APC) is queued to a thread of an existing victim process so that the process executes the attacker's code on the attacker's behalf.
In the second stage of the infection, MyloBot gains a foothold on the compromised host and uses it as a stepping stone to connect to a remote server, from which it retrieves a payload. It then decodes and runs the final-stage malware.
The malware uses the infected endpoint to send sextortion messages that reference the recipient's online activities, such as visiting porn sites, and threaten to leak a video supposedly recorded by breaking into the victim's webcam. Minerva Labs' research shows that it can also download files, leaving a back door for future attacks.
“This threat actor went through a lot of trouble to drop the malware and keep it undetected, only to use it as an extortion mail sender,” Zargarov said. “Botnets are dangerous exactly because of this unknown upcoming threat. It could just as easily drop and execute ransomware, spyware, worms, or other threats on all infected endpoints.”