The botnet is also capable of DDoS and ransomware attacks

Nov 16, 2018 00:02 GMT  ·  By

The very dangerous Mylobot botnet known for acting as a gateway for second stage malware payloads has been detected by CenturyLink while downloading the Khalesi data-stealing Trojan on compromised machines.

"What makes Mylobot so dangerous is its ability to download and execute any other type of payload the attacker wants, and we now have evidence one of those payloads is Khalesi," stated Mike Benjamin, CenturyLink's Head of Threat Research Labs.

According to CenturyLink Threat Research Labs' analysis, roughly 18,000 different IP addresses were observed while communicating with Mylobot command-and-control (C&C) servers, with most of them coming from Iraq, Iran, Argentina, Russia, Vietnam, China, India, Saudi Arabia, Chile, and Egypt.

Enterprises can detect Mylobot "through the up to 60,000 domain name system (DNS) queries infected hosts perform while attempting to contact" C&C servers.

"We found, that while day-to-day sizes may vary due to normal botnet maintenance and data sampling, the botnet’s total size has remained relatively consistent throughout the year," also stated CenturyLink Threat Research Labs.

Deep Instinct's research team initially discovered Mylobot in June 2018 as a highly sophisticated piece of malware which bundles multi-layer evasion and anti-analysis routines designed to make it as stealthy as possible.

Heatmap of IPs that communicated with Mylobot C2s on the C2 port
Heatmap of IPs that communicated with Mylobot C2s on the C2 port

Mylobot also hunts down other malware and shuts down Windows Defender

Moreover, as detailed by Deep Instinct in their report, Mylobot uses anti-VM, anti-sandbox, anti-debugging, and  Reflective EXE (running EXE binaries straight from memory) techniques.

Furthermore to make itself even harder to detect, once it infiltrates a computing system Mylobot will not contact its C&C servers for 14 days.

Mylobot is also known for being a malware killer, automatically starting to hunt for other malware running on the compromised machines by terminating them and deleting them from the system.

Additionally, it is capable of completely shutting down Microsoft's Windows Defender anti-malware component and the Windows Update service, as well as making sure that it also blocks a number of ports through the Windows firewall.

Although Mylobot has just gotten information stealing abilities, it has a lot more dangerous capabilities given that it can drop ransomware, keyloggers, and banking trojans at any given moment.

Even more, seeing that its masters can use it to send any payload on to compromised devices, only their imagination can limit the amount of damage they can inflict on enterprises or individuals.

Photo Gallery (3 Images)

Mylobot heatmap
Heatmap of IPs that communicated with Mylobot C2s on the C2 portTop 10 countries observed communicating with the C2 on the C2 port
Open gallery