The newly discovered Mylobot botnet has shown new levels of complexity, including a wide variety of tools and evasion techniques. How does this botnet differ from a typical botnet and what type of threat does it pose?
Botnets need to keep up with the Joneses like everyone else and must keep evolving to stay ahead of enterprise defenses. Luckily for them, enterprises are often slow to adapt to evolving threats.
While many botnets have used the same steps for infection and persistence for many years, they have made changes to their processes to help incorporate new attack techniques. And tracking attackers’ advancements and using enterprise security tools to detect differences can help companies identify how their defenses need to change.
Deep Instinct Ltd. blogged about a highly complicated botnet — dubbed Mylobot — that incorporates several new techniques, including improved evasion techniques and command-and-control (C&C) connections. Deep Instinct reported that the Mylobot botnet attack uses the dark web and C&C servers from other malware campaigns to establish its C&C connections.
The Mylobot malware differs from a typical botnet in terms of its use of code injection, process hollowing and reflective EXE. It also includes common malware functionality, such as anti-VM, anti-sandbox and anti-debugging techniques, including the use of an encrypted resource file. While code injection, process hollowing and reflective EXE are not new techniques, they are not typically seen in malware.
Mylobot also has the ability to delay contacting the C&C network for 14 days in order to minimize the chance that the download and execution on the endpoint will be correlated with the C&C connection.
Even though it’s difficult to assess the risk of Mylobot, checking to see how enterprise endpoint antimalware tools handle its advanced behaviors can help enterprises be better prepared.
Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Based Blockchain Network