Researchers at cybersecurity firm Deep Instinct uncovered a ‘highly sophisticated, never seen before botnet’ using its proprietary deep learning techniques, dubbed MyloBot.
Deep Instinct specializes in harnessing the predictive capabilities of deep learning to protect against some of the “most evasive unknown malware”. Sometime last week, the company noticed “a highly complicated botnet” in one of its client’s live environment and devices that employs evasion techniques “never seen in the wild before”.
A contraction of the words “robot” and “network”, a botnet represents a number of compromised internet-connected devices, known as bots. A bot is created when a device is infected by malicious software that cedes control to the ‘owner’.
The owner of the botnet can control it using something referred to a command and control software. A botnet allows the owner to access the infected device and its connection.
MyloBot is capable of three different layers of evasion techniques, the combination and complexity of which have never been seen in the wild before.
Deep Instinct was also able to trace the command and control server back to the dark web, a shady part of the internet infamous for illegal activities. What’s interesting about MyloBot is the fact that the malware seeks and terminates other malware found on an infected bot.
It scans folders where malware typically live, terminates and deletes any running files it can find there. It also purposefully seeks out other known botnets and takes them out.
This unique behavior is perhaps motivated by money, Deep Instinct points out. Typically, a botnet’s worth is proportionate to the number of bots it can command. MyloBot is literally trying to eliminating the competition.
Once installed, the botnet shuts down Windows Defender and Windows Update, which allows it to operate with more freedom. It also lays dormant for the first 14 days before accessing its command and control servers in order to avoid detection.
Although botnets are typically used to perform distributed denial-of-service attack (DDoS attack), steal data, send spam, or install ransomware, theoretically, they can be used to perform anything.
A botnet’s main function is to enable the owner to take control of the user’s system. It behaves as a gate to download additional payloads from the command and control servers. The type of payload determines the damage. It can install ransomware, banking trojans, steal or delete sensitive data just to name a few instances.
The malware isn’t widespread yet. And it’s still unclear who’s behind it. What we do know though is that, looking at the complexity of the scheme, this is definitely not the work of amateurs.