Security researchers have discovered a new campaign in which the Mylobot botnet delivers the Khalesi malware. Mylobot belongs to a sophisticated malware family and is classified as a downloader.
One of the reasons Mylobot is considered highly dangerous is its ability to download any kind of malicious payload onto an infected device. Khalesi, meanwhile, is considered one of the fastest-growing malware variants of the year: according to security researchers at Kaspersky Lab, it has been the third most downloaded trojan in 2018 so far.
Mylobot is a sophisticated downloader that uses advanced anti-analysis techniques to evade detection. According to security researchers at CenturyLink Threat Research Labs, Mylobot waits for 14 days on an infected system before contacting its command-and-control (C2) servers.
“This delaying technique is used to wait out the sandbox environment to avoid detection. When it attempts to contact the C2, the malware uses a set of 1,404 hard-coded domain name and port pairs,” CenturyLink researchers said in a report.
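The two properties above, a dormancy period followed by the malware walking a hard-coded list of domain/port pairs, shape how a defender hunts for it in network logs. The following is an added example (not code from the CenturyLink report or from the malware) that matches constructed proxy log lines against a constructed stand-in for such a domain/port list; the C2_PAIRS entries, the log format and the `.invalid` hostnames are hypothetical placeholders, not the real Mylobot indicators. It matches on the full (domain, port) pair rather than the domain alone, and ranks internal hosts by how many distinct pairs they contacted, since a downloader that iterates through its list tends to touch several of them before one answers.

```python
"""Added example: flag internal hosts whose outbound connections match a
C2 domain/port list of the kind CenturyLink describes (hard-coded domain
name and port pairs). The pairs and log lines below are constructed for
illustration and are NOT the real Mylobot indicators."""
import re
from collections import defaultdict

# Constructed stand-in for the report's hard-coded domain/port pairs (hypothetical).
C2_PAIRS = {
    ("c2-alpha.example.invalid", 7432),
    ("c2-beta.example.invalid", 5050),
    ("c2-beta.example.invalid", 8080),
    ("c2-gamma.example.invalid", 443),
}

# Constructed proxy/firewall log lines: "<timestamp> <src_ip> <dst_host>:<dst_port> <action>"
SAMPLE_LOG = """\
2018-11-01T10:00:01Z 10.1.2.10 www.example.com:443 ALLOW
2018-11-01T10:00:05Z 10.1.2.44 C2-Alpha.example.invalid.:7432 ALLOW
2018-11-01T10:00:09Z 10.1.2.44 c2-beta.example.invalid:8080 DENY
2018-11-01T10:00:12Z 10.1.2.44 c2-gamma.example.invalid:443 ALLOW
2018-11-01T10:01:00Z 10.1.2.57 c2-gamma.example.invalid:80 ALLOW
2018-11-01T10:02:00Z 10.1.2.57 c2-beta.example.invalid:5050 ALLOW
2018-11-01T10:03:00Z 10.1.2.90 update.example.org:80 ALLOW
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5})\s+(?P<action>\w+)\s*$"
)


def normalise_host(host):
    # DNS names are case-insensitive and may carry a trailing dot.
    return host.rstrip(".").lower()


def parse_line(line):
    """Return (ts, src_ip, host, port, action) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m["ts"], m["src"], normalise_host(m["host"]), int(m["port"]), m["action"])


def find_c2_matches(log_text, c2_pairs):
    """Return {src_ip: [(host, port, ts, action), ...]} for lines whose
    destination host AND port match a C2 pair. Matching on the pair, not the
    host alone, avoids false positives when a domain is also used legitimately
    on another port (see the c2-gamma:80 line in the sample)."""
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # malformed line: skip rather than abort the whole scan
        ts, src, host, port, action = rec
        if (host, port) in c2_pairs:
            hits[src].append((host, port, ts, action))
    return dict(hits)


def rank_hosts(hits, min_distinct=2):
    """Hosts that contact several distinct C2 pairs are the strongest signal,
    because the downloader walks its hard-coded list until one answers.
    Return [(src_ip, distinct_pair_count)] sorted by count descending."""
    ranked = []
    for src, events in hits.items():
        distinct = {(h, p) for h, p, _, _ in events}
        if len(distinct) >= min_distinct:
            ranked.append((src, len(distinct)))
    return sorted(ranked, key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    matches = find_c2_matches(SAMPLE_LOG, C2_PAIRS)
    for src, n in rank_hosts(matches):
        print(f"{src}: {n} distinct C2 pairs contacted")
    for src, events in sorted(matches.items()):
        for host, port, ts, action in events:
            print(f"  {src} -> {host}:{port} at {ts} ({action})")
```

Two practical caveats follow from the report. A denied connection is still a hit: the endpoint tried to reach the pair, so blocked lines are kept and reported alongside allowed ones. And because the malware sleeps for 14 days before its first beacon, a short sandbox run or a log window of a few days may show nothing; the scan has to cover at least the dormancy period after the suspected infection date.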
The researchers also observed around 18,000 unique IP addresses connecting to Mylobot's C2 infrastructure, originating from Iraq, Iran, Argentina, Russia, Vietnam, China, India, Saudi Arabia, Chile, and Egypt.
“Through our analysis, it was important to understand if the botnet had shown any noticeable variation in size. We found that while day-to-day sizes may vary due to normal botnet maintenance and data sampling, the botnet’s total size has remained relatively consistent throughout the year,” CenturyLink researchers added.
The new campaign is a reminder that botnet malware continues to evolve, and that cybercriminals are increasingly using established botnets such as Mylobot to deliver additional payloads and escalate their attacks.