A new variant of the MyloBot malware has been found delivering payloads that send sextortion emails demanding $2,732 in cryptocurrency from victims. MyloBot, first documented in 2018, is reported to feature advanced anti-debugging capabilities and propagation techniques that enroll infected machines in a botnet, as well as routines that remove traces of competing malware from the host.
The malware is also known for waiting 14 days before contacting its command-and-control servers and for running malicious code straight from memory, both of which help it evade detection and stay under the radar. To get around process-based defenses, MyloBot uses process hollowing, in which the attack code is injected into a process that has been started in a suspended state and hollowed out: the live process's memory is unmapped and replaced with the arbitrary code to be run, in this instance a decoded resource file.
“The second stage executable then creates a new folder under C:\ProgramData,” said the Minerva Labs researcher Natalie Zargarov in a report. “It looks for svchost.exe under a system directory and executes it in suspended state. Using an APC injection technique, it injects itself into the spawned svchost.exe process.”
APC injection, like process hollowing, is a process injection technique; it uses the asynchronous procedure call (APC) queue to run malicious code inside an existing victim process. The job of the second stage is to gain a foothold on the compromised host and use it as a stepping stone: it connects to a remote server to retrieve and execute a payload, which in turn decodes and runs the final-stage malware.
The final stage abuses the endpoint to send extortion messages that reference the recipients' online activities, such as visiting pornographic sites, and threaten to release a video supposedly captured by hacking into their computers' webcams. According to Minerva Labs' analysis, the malware can also download additional files, which suggests the threat actor has left a backdoor for future attacks.