Home>Blog>The Hacker News Headlines>New MyloBot Malware Variant Sends Sextortion Emails Demanding $2,732 in Bitcoin
The Hacker News Headlines

New MyloBot Malware Variant Sends Sextortion Emails Demanding $2,732 in Bitcoin

Sextortion Emails

A new version of the MyloBot malware has been observed to deploy
malicious payloads that are being used to send sextortion emails
demanding victims to pay $2,732 in digital currency.

MyloBot[1], first detected in 2018,
is known to feature[2]
an array of sophisticated anti-debugging capabilities and
propagation techniques to rope infected machines into a botnet, not
to mention remove traces of other competing malware from the
systems.

Chief among its methods to evade detection and stay under the
radar included a delay of 14 days before accessing its
command-and-control servers and the facility to execute malicious
binaries directly from memory.

Automatic GitHub Backups

MyloBot also leverages a technique called process hollowing[3], wherein the attack code
is injected into a suspended and hollowed process in order to
circumvent process-based defenses. This is achieved by unmapping
the memory allocated to the live process and replacing it with the
arbitrary code to be executed, in this case a decoded resource
file.

“The second stage executable then creates a new folder under
C:\ProgramData[4],” Minerva Labs
researcher Natalie Zargarov said[5]
in a report. “It looks for svchost.exe[6]
under a system directory and executes it in suspended state. Using
an APC injection technique, it injects itself into the spawned
svchost.exe process.”

Sextortion Emails

APC injection[7], similar to process
hollowing, is also a process injection technique that enables the
insertion of malicious code into an existing victim process via the
asynchronous procedure call (APC[8]) queue.

Prevent Data Breaches

The next phase of the infection involves establishing
persistence on the compromised host, using the foothold as a
stepping stone to establish communications with a remote server to
fetch and execute a payload that, in turn, decodes and runs the
final-stage malware.

This malware is designed to abuse the endpoint to send extortion
messages alluding to the recipients’ online behaviors, such as
visiting porn sites, and threatening to leak a video that was
allegedly recorded by breaking into their computers’ webcam.

Minerva Labs’ analysis of the malware also reveals its ability
to download additional files, suggesting that the threat actor left
behind a backdoor for carrying out further attacks.

“This threat actor went through a lot of trouble to drop the
malware and keep it undetected, only to use it as an extortion mail
sender,” Zargarov said. “Botnets are dangerous exactly because of
this unknown upcoming threat. It could just as easily drop and
execute ransomware, spyware, worms, or other threats on all
infected endpoints.”

References

  1. ^
    MyloBot
    (malpedia.caad.fkie.fraunhofer.de)
  2. ^
    feature
    (www.trendmicro.com)
  3. ^
    process
    hollowing     (attack.mitre.org)
  4. ^
    C:\ProgramData
    (docs.microsoft.com)
  5. ^
    said
    (blog.minerva-labs.com)
  6. ^
    svchost.exe
    (en.wikipedia.org)
  7. ^
    APC
    injection     (attack.mitre.org)
  8. ^
    APC
    (en.wikipedia.org)

Read more

Leave a Reply

Powered By Anakyst UK Work done easy Discover Great Places People Websites in Nigeria. Be Discovered and Discover Great Places People Products & Websites in Nigeria. Tell us what you need to advertise online onradio ontv and where you want to advertise and discover talented publishers and advertisers within minutes for just a fraction of the cost!JobScout | Developed By Rara Theme. Powered by WordPress.