The very dangerous Mylobot botnet known for acting as a gateway for second stage malware payloads has been detected by CenturyLink while downloading the Khalesi data-stealing Trojan on compromised machines.
"What makes Mylobot so dangerous is its ability to download and execute any other type of payload the attacker wants, and we now have evidence one of those payloads is Khalesi," stated Mike Benjamin, CenturyLink's Head of Threat Research Labs.
According to CenturyLink Threat Research Labs' analysis, roughly 18,000 different IP addresses were observed while communicating with Mylobot command-and-control (C&C) servers, with most of them coming from Iraq, Iran, Argentina, Russia, Vietnam, China, India, Saudi Arabia, Chile, and Egypt.
Enterprises can detect Mylobot "through the up to 60,000 domain name system (DNS) queries infected hosts perform while attempting to contact" C&C servers.
"We found, that while day-to-day sizes may vary due to normal botnet maintenance and data sampling, the botnet’s total size has remained relatively consistent throughout the year," also stated CenturyLink Threat Research Labs.
Deep Instinct's research team initially discovered Mylobot in June 2018 as a highly sophisticated piece of malware which bundles multi-layer evasion and anti-analysis routines designed to make it as stealthy as possible.
Mylobot also hunts down other malware and shuts down Windows Defender
Moreover, as detailed by Deep Instinct in their report, Mylobot uses anti-VM, anti-sandbox, anti-debugging, and Reflective EXE (running EXE binaries straight from memory) techniques.
Furthermore to make itself even harder to detect, once it infiltrates a computing system Mylobot will not contact its C&C servers for 14 days.
Mylobot is also known for being a malware killer, automatically starting to hunt for other malware running on the compromised machines by terminating them and deleting them from the system.
Additionally, it is capable of completely shutting down Microsoft's Windows Defender anti-malware component and the Windows Update service, as well as making sure that it also blocks a number of ports through the Windows firewall.
Although Mylobot has just gotten information stealing abilities, it has a lot more dangerous capabilities given that it can drop ransomware, keyloggers, and banking trojans at any given moment.
Even more, seeing that its masters can use it to send any payload on to compromised devices, only their imagination can limit the amount of damage they can inflict on enterprises or individuals.