What is the Issue?
Researchers have discovered a new Windows malware whose origin traces back to the ‘Dark Web.’ The malware, dubbed Mylobot, combines a variety of strategies and techniques to gain a foothold on its targets and remain undiscovered.
Why is this noteworthy?
Mylobot malware can enlist a PC into a robot network, also known as a botnet. A botnet is a collection of internet-connected devices, which may include PCs, servers, mobile devices and Internet-of-Things (IoT) devices, that are infected and controlled by a common type of malware. Users are often unaware that a botnet has infected their system. Botnets can be used to perform distributed denial-of-service (DDoS) attacks, steal data, send spam, and grant access to devices and connections across the network.
What is the exposure or risk?
The malware’s first step is to shut down the system’s security. This includes shutting down Windows Updates and Windows Defender and blocking additional firewall ports. Mylobot also has the ability to take down competing malware that it may find on a target’s system or network.
The sophistication of the botnet created by Mylobot is likely because it is designed to generate money for hackers and people who lurk on the Dark Web. With the control an attacker gains through Mylobot, additional payloads can be delivered, so DDoS attacks, banking Trojans, ransomware campaigns, and keylogging all become risks to the enterprise. Mylobot malware also exhibits a 14-day ‘hibernation’ after entering a system, which helps it become embedded within the system. This delay in connecting to the Command and Control servers enables the malware to avoid detection.
What are the recommendations?
Be extra vigilant about downloads and background processes running on your PC. We recommend following best practices for protecting your company’s information and information systems, which includes following your policies and procedures for system updating and patching, system hardening, and regular scanning to detect vulnerabilities and indicators of compromise.
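As an added example, not part of the original advisory, the following PowerShell check verifies the three controls the advisory says Mylobot shuts down or tampers with (Windows Update, Windows Defender, and the firewall) against a healthy baseline. It assumes a Windows 10 or Server host with the Defender and NetSecurity PowerShell modules present, an elevated prompt, and a locally chosen 7-day signature-age threshold.

```powershell
# Added example (not from the advisory): baseline check for the controls the
# text says Mylobot disables or tampers with. Run elevated on the host.
# Reports drift from a healthy baseline; it does not identify Mylobot itself.
$findings = @()

# 1. Windows Update service should exist and not be disabled.
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if (-not $wu) {
    $findings += "Windows Update service (wuauserv) not found"
} elseif ($wu.StartType -eq 'Disabled') {
    $findings += "Windows Update service is disabled"
}

# 2. Defender engine and real-time protection on, signatures recent.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.AntivirusEnabled)          { $findings += "Defender antivirus engine is off" }
    if (-not $mp.RealTimeProtectionEnabled) { $findings += "Defender real-time protection is off" }
    $sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
    if ($sigAge.TotalDays -gt 7) {   # 7 days is an assumed local threshold
        $findings += ("Defender signatures are {0:N0} days old" -f $sigAge.TotalDays)
    }
} catch {
    $findings += "Could not query Defender status (service stopped or removed?): $($_.Exception.Message)"
}
$pref = Get-MpPreference -ErrorAction SilentlyContinue
if ($pref -and $pref.DisableRealtimeMonitoring) { $findings += "DisableRealtimeMonitoring preference is set" }
if ($pref -and $pref.ExclusionPath) { $findings += "Defender path exclusions: $($pref.ExclusionPath -join ', ')" }

# 3. Firewall: enabled Block rules with no rule group are not Windows' built-in
#    rules, so list them for manual review against your change records.
$blockRules = Get-NetFirewallRule -Enabled True -Action Block -ErrorAction SilentlyContinue |
    Where-Object { -not $_.Group }
foreach ($r in $blockRules) {
    $ports = ($r | Get-NetFirewallPortFilter).LocalPort -join ','
    $findings += "Ungrouped block rule '$($r.DisplayName)' dir=$($r.Direction) localport=$ports"
}

if ($findings.Count -eq 0) {
    Write-Output "OK: update, Defender and firewall baseline intact"
} else {
    Write-Output "REVIEW: $($findings.Count) finding(s)"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Any finding is a prompt to compare the host against its known baseline and change records, not proof of infection; legitimate administration can produce the same drift.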
If you have any questions, please contact our Security Operations Center.