Sextortion Emails Demand $2,732 in Bitcoin From New Variant of MyloBot Malware

A new variant of the MyloBot malware has been found distributing malicious payloads used to send sextortion emails demanding $2,732 in digital currency from victims. MyloBot, first documented in 2018, is said to feature several advanced anti-debugging capabilities and propagation techniques for enrolling infected devices in a botnet, as well as removing traces of competing malware.

It uses a 14-day delay before contacting its command-and-control servers, and the ability to run malicious code directly from memory, to avoid detection and stay under the radar. To get around process-based defenses, MyloBot uses process hollowing, in which the attack code is injected into a suspended, hollowed-out process: the live process’s memory is unmapped and replaced with the code to be run, in this instance a decoded resource file.

“The second stage executable then creates a new folder under C:\ProgramData,” said the Minerva Labs researcher Natalie Zargarov in a report. “It looks for svchost.exe under a system directory and executes it in suspended state. Using an APC injection technique, it injects itself into the spawned svchost.exe process.”

APC injection, like process hollowing, is a process injection method; it uses the asynchronous procedure call (APC) queue to run malicious code inside an existing victim process. The second stage of the infection gains a foothold on the compromised host and uses it as a stepping stone to contact a remote server, retrieve and execute a payload, which in turn decodes and runs the final-stage malware.
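A defender-side illustration of the chain Minerva describes (a second-stage executable in C:\ProgramData spawning a suspended svchost.exe and injecting into it): this is an added example, not code from the report or the malware, that flags svchost.exe instances with an unexpected parent in constructed, Sysmon-style process-creation events. The field names, sample paths, the `stage2.exe` name and the heuristics (allowed parent set, `-k` service-group check) are assumptions to be tuned per environment.

```python
"""Hunt for the MyloBot second-stage pattern in process-creation events:
an executable running out of C:\\ProgramData spawns svchost.exe, so the
svchost.exe has a parent other than services.exe. Events are a constructed,
Sysmon-like list of dicts (assumption), not a real log export."""
import ntpath

# Constructed sample events (assumption: Sysmon-style fields, one dict per event).
EVENTS = [
    {"pid": 400, "ppid": 4, "image": r"C:\Windows\System32\services.exe",
     "cmd": "services.exe"},
    {"pid": 812, "ppid": 400, "image": r"C:\Windows\System32\svchost.exe",
     "cmd": "svchost.exe -k netsvcs"},                      # normal service host
    {"pid": 3200, "ppid": 2100, "image": r"C:\ProgramData\Updater\stage2.exe",
     "cmd": "stage2.exe"},                                  # hypothetical second stage
    {"pid": 3310, "ppid": 3200, "image": r"C:\Windows\System32\svchost.exe",
     "cmd": "svchost.exe"},                                 # spawned by stage2
]

# Heuristic allow-list: on a default Windows host services.exe starts svchost.exe.
LEGIT_SVCHOST_PARENTS = {"services.exe"}


def basename(path):
    """Case-insensitive file name of a Windows path."""
    return ntpath.basename(path).lower()


def suspicious_svchost(events):
    """Return [(pid, [reasons])] for svchost.exe processes that look injected into."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) != "svchost.exe":
            continue
        parent = by_pid.get(e["ppid"])
        reasons = []
        # 1. Parent is not the service control manager (or is unknown).
        if parent is None or basename(parent["image"]) not in LEGIT_SVCHOST_PARENTS:
            reasons.append("parent is not services.exe")
        # 2. Parent runs from C:\ProgramData, where the report says stage two lives.
        if parent and parent["image"].lower().startswith(r"c:\programdata"):
            reasons.append("parent runs from C:\\ProgramData")
        # 3. Real service hosts carry a '-k <group>' argument; a hollowed one often does not.
        if "-k" not in e["cmd"]:
            reasons.append("no -k service group on command line")
        if reasons:
            findings.append((e["pid"], reasons))
    return findings


if __name__ == "__main__":
    for pid, why in suspicious_svchost(EVENTS):
        print(f"svchost.exe pid {pid}: " + "; ".join(why))
```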

The final payload is meant to abuse the endpoint to send extortion messages that reference the recipients’ online activities, such as visiting porn sites, and threaten to release a video supposedly recorded by hacking into their computers’ webcams. According to Minerva Labs’ analysis of the malware, it can also download other files, implying that the threat actor has left a backdoor for future attacks.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.