Earlier today, researchers at cybersecurity firm Deep Instinct revealed the existence of a previously unknown Windows malware with a level of complexity and sophistication “never seen in the wild before.” Named after one of the researcher’s dogs, “MyloBot” is a truly diabolical combination of a botnet (which creates swarms of infected “zombie” computers used in DDoS attacks) and a generalized malware-delivery platform. MyloBot presents a major threat to all users of Windows PCs, and should be a serious concern for all users of desktop cryptocurrency wallets.
The researchers claim that MyloBot can “theoretically perform anything” on an infected machine, from relatively mundane malware activity like coordinating DDoS attacks and stealing user data to the installation of ransomware. But that’s just the tip of the iceberg.
One of the very first things MyloBot does upon execution is shut down Windows Defender and Windows Update processes, allowing the attacker to “take complete control of the user’s system” and opening a “gate for additional payloads.” The malware is also capable of “Reflective EXE” attacks, allowing MyloBot to run a range of malicious files directly from RAM, leaving no trace behind on the computer’s hard disks. The program is even capable of detecting and deleting other malware infections, covering its own tracks in the process. And if all that wasn’t bad enough, MyloBot is designed with a “delaying mechanism” that waits 14 days before it attempts to contact its command and control servers.
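A host-side sanity check for the first two symptoms the article describes (Windows Defender and Windows Update shut down), written here as an added PowerShell example and not Deep Instinct's tooling; it assumes the standard service names WinDefend and wuauserv and the Defender module's Get-MpComputerStatus cmdlet.

```powershell
# Added example: report whether Defender and Windows Update look tampered with.
# WinDefend / wuauserv are the standard Windows service names (assumption: an
# unmodified Windows 10/11 host where Defender is the active AV).
function Test-DefenderAndUpdateHealth {
    $findings = @()

    # Defender's service should be running on a Defender-protected host.
    $def = Get-Service -Name 'WinDefend' -ErrorAction SilentlyContinue
    if (-not $def) {
        $findings += 'Service WinDefend is missing'
    } elseif ($def.Status -ne 'Running') {
        $findings += "Service WinDefend is $($def.Status) (start type: $($def.StartType))"
    }

    # Windows Update is trigger-started and idles as Stopped on a healthy host,
    # so only a Disabled start type is treated as a finding.
    $wu = Get-Service -Name 'wuauserv' -ErrorAction SilentlyContinue
    if (-not $wu) {
        $findings += 'Service wuauserv is missing'
    } elseif ($wu.StartType -eq 'Disabled') {
        $findings += 'Service wuauserv is Disabled'
    }

    # Get-MpComputerStatus is absent when a third-party AV owns the host, so an
    # empty result is itself worth reporting rather than silently ignoring.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $mp) {
        $findings += 'Defender status unavailable (module missing or service stopped)'
    } elseif (-not $mp.RealTimeProtectionEnabled -or -not $mp.AntivirusEnabled) {
        $findings += "Defender protection off (RTP=$($mp.RealTimeProtectionEnabled), AV=$($mp.AntivirusEnabled))"
    }

    if ($findings.Count -eq 0) {
        Write-Output 'OK: Defender and Windows Update look healthy'
    } else {
        $findings | ForEach-Object { Write-Output "ALERT: $_" }
    }
    return $findings
}

Test-DefenderAndUpdateHealth
```

Run it from an elevated PowerShell session; a non-empty result is a prompt to investigate, not proof of infection, since legitimate third-party AV or policy can produce the same state.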
In other words, MyloBot can be used to deploy almost any known malware payload, and it’s almost impossible to detect until those exploits are launched. It can be used to steal virtually any kind of data, using techniques ranging from banking trojans to keyloggers, and it can definitely be used to steal cryptocurrency from a desktop wallet application. The malware is so cleverly designed that it has gone unnoticed for nearly three years, only being discovered through the use of Deep Instinct’s deep learning tools running in a live environment on one of their clients’ infected machines.
The researchers told ZDNet that MyloBot may have been active as far back as 2015, and that all signs point to the malware being a well-funded operation. The botnet attempts to connect to 1,404 unique domains, requiring “big resources” to register and maintain them. (The researchers also noted that only one of those domains is still active.) The malware doesn’t appear to be widespread, although that could change as more data about MyloBot becomes available.
It hasn’t been a great week for Windows users. Earlier this week, researchers dropped a bombshell report about a new screenshot-grabbing malware, another major risk for users of online and desktop cryptocurrency wallets. If you want to keep your BTC, ETH, and other cryptocurrency tokens safe, consider moving to something more secure, like a tethered, air-gapped hardware wallet.