MyloBot malware targets Windows systems worldwide

SISA Weekly Threat Watch - 27 February 2023

Over the past week, attackers’ use of novel strategies to exploit zero-day vulnerabilities has shown how quickly their technical capabilities are developing. Threat actors appeared motivated and skilled enough to evade detection, with activity ranging from information-stealing malware that exfiltrates sensitive data to DDoS botnets that target IoT devices.

SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations that help security teams take appropriate action against the latest critical threats.

1. Russian hackers using Graphiron malware to steal data from Ukraine

A new information-stealing malware, Graphiron, has been observed in cyberattacks directed against Ukraine by a threat actor with links to Russia. The malware, written in Go version 1.18, can gather a variety of data from the infected computer, including screenshots, files, system information, and login credentials. It builds on an improved version of the group’s private backdoor, GraphSteel. Additional features let it execute shell commands and collect system data, files, login credentials, screenshots, and SSH keys.

The infection chain has two stages: a downloader (Downloader.Graphiron) and a payload (Infostealer.Graphiron). The downloader is responsible for fetching the encrypted payload containing Infostealer.Graphiron from a remote server. The payload can collect the hostname, system information, and user information, and steal stored passwords and data from Firefox, Thunderbird, and PuTTY.

2. CISA warns of Windows and iOS bugs exploited as zero-days

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expanded its catalog of flaws exploited in the wild to include four security vulnerabilities that have been abused in attacks as zero-days. These include flaws in Microsoft products, namely the graphics driver and the Common Log File System driver (CVE-2023-21823 and CVE-2023-23376), and a bypass of Microsoft Office macro security measures (CVE-2023-21715) that allows malicious payloads to be delivered via untrusted files.

CVE-2023-23529 affects WebKit and can lead to arbitrary code execution. It affects a wide variety of devices, including all iPad Pro models, Macs running macOS Ventura, and iPhone 8 and later. All these have subsequently been fixed in Microsoft’s most recent Patch Tuesday. It is advised to apply the appropriate vendor patches or mitigations to vulnerable systems immediately after the required testing. Additionally, implement proper network segmentation, apply the principle of least privilege to all systems and services, and run all software as a non-privileged user to limit the impact of a successful attack.
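One practical follow-up to a KEV catalog update is to check which assets are still exposed and how far past the remediation due date they are. The script below is an added example, not part of the SISA advisory; it parses a constructed feed that mirrors the public KEV JSON field names (cveID, vendorProject, product, dateAdded, dueDate, requiredAction) and a constructed inventory. Only the four CVE identifiers come from the advisory; the dates, descriptions, hostnames and vendor/product labels are placeholders.

```python
"""Triage an asset inventory against a CISA KEV-style feed (added example)."""
import json
from datetime import date

# Constructed stand-in for the KEV JSON feed. Field names follow the public
# feed; only the CVE ids come from the advisory, dates and text are placeholders.
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-21823", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2023-02-14", "dueDate": "2023-03-07",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2023-23376", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2023-02-14", "dueDate": "2023-03-07",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2023-21715", "vendorProject": "Microsoft", "product": "Office",
     "dateAdded": "2023-02-14", "dueDate": "2023-03-07",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2023-23529", "vendorProject": "Apple", "product": "Multiple Products",
     "dateAdded": "2023-02-14", "dueDate": "2023-03-07",
     "requiredAction": "Apply updates per vendor instructions."},
]})

# Constructed inventory; vendor/product are already normalised to the feed's naming,
# which in practice is the hard part of the mapping.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "vendor": "Microsoft", "product": "Windows", "patched": {"CVE-2023-21823"}},
    {"host": "ws-02", "vendor": "Microsoft", "product": "Windows",
     "patched": {"CVE-2023-21823", "CVE-2023-23376"}},
    {"host": "docs-01", "vendor": "Microsoft", "product": "Office", "patched": set()},
    {"host": "lin-01", "vendor": "Canonical", "product": "Ubuntu", "patched": set()},
]


def index_kev(raw_feed):
    """Group feed entries by (vendor, product), lower-cased for matching."""
    index = {}
    for entry in json.loads(raw_feed)["vulnerabilities"]:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        index.setdefault(key, []).append(entry)
    return index


def triage(raw_feed, inventory, today):
    """Return unpatched KEV entries per asset, most overdue first.

    `today` is an ISO date string so that results are reproducible.
    """
    today = date.fromisoformat(today)
    index = index_kev(raw_feed)
    findings = []
    for asset in inventory:
        key = (asset["vendor"].lower(), asset["product"].lower())
        for entry in index.get(key, []):
            if entry["cveID"] in asset["patched"]:
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "due": entry["dueDate"],
                "days_overdue": (today - due).days,  # negative: still inside the window
                "action": entry["requiredAction"],
            })
    findings.sort(key=lambda f: (-f["days_overdue"], f["host"], f["cve"]))
    return findings


def unmatched_feed_keys(raw_feed, inventory):
    """Feed (vendor, product) pairs that no asset maps to: usually a naming gap, not absence."""
    present = {(a["vendor"].lower(), a["product"].lower()) for a in inventory}
    return sorted(k for k in index_kev(raw_feed) if k not in present)


if __name__ == "__main__":
    for f in triage(SAMPLE_KEV_JSON, SAMPLE_INVENTORY, "2023-03-10"):
        print(f"{f['host']}: {f['cve']} due {f['due']} ({f['days_overdue']:+d} days) - {f['action']}")
    print("feed entries with no inventory mapping:",
          unmatched_feed_keys(SAMPLE_KEV_JSON, SAMPLE_INVENTORY))
```

The `unmatched_feed_keys` report matters as much as the findings: in the constructed data the Apple entry matches nothing because the feed labels it "Multiple Products", so a silent zero would hide the macOS and iOS fleet rather than clear it.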

3. Hackers backdoor Microsoft IIS Servers with new Frebniis malware

Attackers are deploying a new piece of malware called “Frebniis” on Microsoft Internet Information Services (IIS) servers; it covertly executes commands received via web requests. It abuses the Microsoft IIS Failed Request Event Buffering (FREB) feature to create a backdoor. Among other things, FREB gathers data on requests, including the originating IP address, ports, and HTTP headers, and administrators use it to diagnose issues with HTTP status codes and request processing.

The malware injects malicious code into a DLL, enabling it to monitor all HTTP POST requests passing through the IIS server and watch for specific commands from the attacker. It quietly and automatically installs a .NET backdoor on the system that allows C# code execution and proxying. A Base64-encoded string passed as the second parameter directs the malware to use the compromised IIS server to interact with and run commands on other systems in the network. As a result, the attacker gains access to internal network resources that are not publicly reachable.
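Since Frebniis depends on FREB being enabled, a cheap defensive check is to inventory which sites actually have Failed Request Tracing switched on and reconcile that list against open troubleshooting work. The script below is an added example, not code from the advisory or from Microsoft; it parses a constructed applicationHost.config fragment. The element layout it assumes (a traceFailedRequestsLogging element under each site, and trace rules under a location element named for the site) should be verified against a real server's file before relying on it, and the script treats a missing element as tracing disabled.

```python
"""Audit which IIS sites have Failed Request Tracing (FREB) enabled (added example)."""
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment. The element layout is an assumption
# to verify against a real file; site names and paths are placeholders.
SAMPLE_APPHOST_CONFIG = r"""<configuration>
  <system.applicationHost>
    <sites>
      <site name="Default Web Site" id="1">
        <traceFailedRequestsLogging enabled="false" />
      </site>
      <site name="Intranet" id="2">
        <traceFailedRequestsLogging enabled="true" directory="%SystemDrive%\inetpub\logs\FailedReqLogFiles" />
      </site>
      <site name="Legacy" id="3" />
    </sites>
  </system.applicationHost>
  <location path="Intranet">
    <system.webServer>
      <tracing>
        <traceFailedRequests>
          <add path="*">
            <failureDefinitions statusCodes="200-999" />
          </add>
        </traceFailedRequests>
      </tracing>
    </system.webServer>
  </location>
</configuration>
"""


def trace_rules(root):
    """Map site name -> list of (request path, status codes) FREB trace rules."""
    rules = {}
    for loc in root.findall("location"):
        # Only look inside traceFailedRequests so unrelated <add> elements
        # (handlers, modules) in the same location are ignored.
        for tfr in loc.iter("traceFailedRequests"):
            for rule in tfr.findall("add"):
                fd = rule.find("failureDefinitions")
                codes = fd.get("statusCodes") if fd is not None else None
                rules.setdefault(loc.get("path"), []).append((rule.get("path"), codes))
    return rules


def audit_freb(config_xml):
    """One record per site: whether FREB logging is on, where it writes, and its rules."""
    root = ET.fromstring(config_xml)
    rules = trace_rules(root)
    report = []
    for site in root.iter("site"):
        name = site.get("name")
        log = site.find("traceFailedRequestsLogging")
        # Absent element or enabled="false" both count as disabled.
        enabled = log is not None and log.get("enabled", "false").lower() == "true"
        report.append({
            "site": name,
            "freb_enabled": enabled,
            "log_dir": log.get("directory") if log is not None else None,
            "rules": rules.get(name, []),
        })
    return report


def sites_with_freb(config_xml):
    """Names of sites where FREB is currently enabled."""
    return [r["site"] for r in audit_freb(config_xml) if r["freb_enabled"]]


if __name__ == "__main__":
    for r in audit_freb(SAMPLE_APPHOST_CONFIG):
        print(r)
    print("FREB enabled on:", sites_with_freb(SAMPLE_APPHOST_CONFIG))
```

A rule whose path is `*` with status codes `200-999`, as in the constructed Intranet site, traces every request rather than only failures; that is a legitimate configuration during troubleshooting, so the output is a list to reconcile with tickets, not an alert on its own.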

4. MyloBot botnet spreading rapidly worldwide

MyloBot is malware that targets Windows systems. It first appeared in 2017 and can turn an infected system into a proxy. Analysis of MyloBot’s infrastructure has found connections to a residential proxy service called BHProxies, indicating that the compromised machines are being used by that service. MyloBot’s ability to download and execute any kind of payload after infecting a host makes it a dangerous bot.

MyloBot uses a multi-stage sequence to unpack and launch the bot. Remarkably, it sits idle for 14 days before attempting to contact the command-and-control (C2) server, in order to sidestep detection. It then receives instructions from the C2 that turn the infected computer into a proxy. The infected machine can then handle many connections and relay traffic sent through the command-and-control server. It is recommended to implement an advanced botnet detection solution that performs real-time behavioral analysis to detect botnet traffic and block all botnet activity.
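The behavioral signal a proxy bot leaves in network telemetry is a workstation that accepts connections from an external peer and then fans out to many unrelated external destinations. The script below is an added example, not part of the advisory or of any vendor product; it applies that heuristic to constructed flow records in documentation address ranges. The internal prefix, the fan-out threshold and the allowlist parameter are assumptions that would be tuned to a real environment.

```python
"""Flag internal hosts that behave like traffic relays (added example)."""
import ipaddress
from collections import defaultdict

# Assumed internal address space; adjust for the real environment.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed flow records (src_ip, dst_ip, dst_port) using documentation ranges.
# 10.0.1.55 receives connections from one external peer and then opens connections
# to many distinct external destinations, the shape a proxy bot produces.
# 10.0.2.5 is a normal server: many inbound peers, almost no outbound fan-out.
SAMPLE_FLOWS = [
    ("10.0.1.20", "198.51.100.10", 443),
    ("10.0.1.20", "198.51.100.11", 443),
    ("203.0.113.7", "10.0.1.55", 4433),
    ("203.0.113.7", "10.0.1.55", 4433),
    ("203.0.113.7", "10.0.1.55", 4433),
] + [("10.0.1.55", f"198.51.100.{n}", 443) for n in range(20, 28)] + [
    ("203.0.113.40", "10.0.2.5", 443),
    ("203.0.113.41", "10.0.2.5", 443),
    ("203.0.113.42", "10.0.2.5", 443),
    ("10.0.2.5", "198.51.100.99", 443),
]


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def profile_hosts(flows):
    """Per internal host: set of external inbound peers and distinct external destinations."""
    profile = defaultdict(lambda: {"inbound_peers": set(), "outbound_dsts": set()})
    for src, dst, _port in flows:
        if is_internal(src) and not is_internal(dst):
            profile[src]["outbound_dsts"].add(dst)
        elif is_internal(dst) and not is_internal(src):
            profile[dst]["inbound_peers"].add(src)
    return profile


def find_relay_candidates(flows, min_fanout=5, allowlist=()):
    """Hosts with at least one external inbound peer and >= min_fanout outbound destinations.

    `allowlist` holds known servers and egress proxies that legitimately show this shape.
    """
    hits = []
    for host, p in profile_hosts(flows).items():
        if host in allowlist or not p["inbound_peers"]:
            continue
        if len(p["outbound_dsts"]) >= min_fanout:
            hits.append({"host": host,
                         "inbound_peers": sorted(p["inbound_peers"]),
                         "fanout": len(p["outbound_dsts"])})
    return sorted(hits, key=lambda h: (-h["fanout"], h["host"]))


if __name__ == "__main__":
    for hit in find_relay_candidates(SAMPLE_FLOWS):
        print(f"{hit['host']}: fed by {hit['inbound_peers']}, fan-out {hit['fanout']}")
```

Because MyloBot waits two weeks before its first C2 contact, a baseline built from a single day's traffic will not contain the bot; run the profile over a rolling multi-week window so that a host that suddenly starts relaying stands out against its own history.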

5. New Mirai malware variant infects Linux devices to build DDoS botnet

A new Mirai botnet variant known as “V3G4”, used in DDoS (distributed denial of service) attacks, targets 13 vulnerabilities in Linux-based servers and Internet of Things (IoT) devices. The malware spreads by brute-forcing default or weak telnet/SSH credentials and exploiting hardcoded vulnerabilities to execute remote code on victim machines.

V3G4 primarily targets servers, IP cameras, and other internet-connected IoT devices. Once devices are infected, the attackers use them as part of the botnet to launch DDoS attacks or engage in other harmful activity. To spread the infection, they either employ brute-force attacks or search for other vulnerabilities. After a successful exploit, the malware launches the wget and curl utilities to download and run Mirai bot clients. It is recommended to keep software and firmware updated, use strong passwords, and disable services and protocols that are not in use, to protect IoT devices from V3G4 and other botnet infections.
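The credential brute-forcing stage is the part of V3G4's spread that shows up in ordinary authentication logs. The script below is an added example, not part of the advisory; it parses constructed sshd log lines in the usual syslog form, counts failures per source inside a sliding window, and flags a successful login that follows a burst of failures from the same source. The threshold, window length and the assumed log year are parameters chosen for the sample, not values from the advisory.

```python
"""Detect SSH credential brute-forcing in auth log lines (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in documentation address ranges; not real events.
SAMPLE_LOG = """\
Feb 20 10:01:02 cam-01 sshd[1234]: Failed password for root from 203.0.113.9 port 51234 ssh2
Feb 20 10:01:03 cam-01 sshd[1235]: Failed password for invalid user admin from 203.0.113.9 port 51236 ssh2
Feb 20 10:01:04 cam-01 sshd[1236]: Failed password for root from 203.0.113.9 port 51238 ssh2
Feb 20 10:01:05 cam-01 sshd[1237]: Failed password for invalid user support from 203.0.113.9 port 51240 ssh2
Feb 20 10:01:06 cam-01 sshd[1238]: Failed password for root from 203.0.113.9 port 51242 ssh2
Feb 20 10:01:07 cam-01 sshd[1239]: Failed password for root from 203.0.113.9 port 51244 ssh2
Feb 20 10:01:09 cam-01 sshd[1240]: Accepted password for root from 203.0.113.9 port 51246 ssh2
Feb 20 10:05:00 cam-01 sshd[1250]: Failed password for operator from 198.51.100.5 port 40000 ssh2
Feb 20 10:05:30 cam-01 sshd[1251]: Failed password for operator from 198.51.100.5 port 40002 ssh2
Feb 20 10:06:00 cam-01 sshd[1252]: Accepted password for operator from 198.51.100.5 port 40004 ssh2
Feb 20 10:07:00 cam-01 sshd[1260]: pam_unix(sshd:auth): authentication failure; logname= uid=0
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse(line, year=2023):
    """Return a dict for password auth lines, None for anything else.

    Syslog timestamps carry no year, so one is assumed (parameter).
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split()) + f" {year}"
    return {"ts": datetime.strptime(stamp, "%b %d %H:%M:%S %Y"),
            "host": m["host"], "outcome": m["outcome"],
            "user": m["user"], "ip": m["ip"]}


def analyze(lines, threshold=5, window_seconds=60):
    """Find sources exceeding `threshold` failures within the window and logins that follow such bursts."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(list)      # ip -> timestamps of failures still inside the window
    brute_sources = {}              # ip -> peak failures seen inside one window
    compromised = []                # (host, user, ip) for successes after a burst
    targeted_users = Counter()      # which accounts are being guessed
    for e in events:
        ip = e["ip"]
        recent[ip] = [t for t in recent[ip] if e["ts"] - t <= window]
        if e["outcome"] == "Failed":
            recent[ip].append(e["ts"])
            targeted_users[e["user"]] += 1
            if len(recent[ip]) >= threshold:
                brute_sources[ip] = max(brute_sources.get(ip, 0), len(recent[ip]))
        elif len(recent[ip]) >= threshold:
            compromised.append((e["host"], e["user"], ip))
    return {"brute_force_sources": brute_sources,
            "compromised": compromised,
            "targeted_users": targeted_users}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("brute-force sources:", result["brute_force_sources"])
    print("logins after a burst:", result["compromised"])
    print("accounts targeted:", result["targeted_users"].most_common())
```

The `targeted_users` counter is the part worth watching on IoT fleets: a steady stream of guesses against root, admin and vendor service accounts is exactly the default-credential sweep the advisory describes, and it is visible long before any device is actually taken over.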

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
