Trojan.Win32.Mylobot

General explanation

Type: Trojan

Degree of destruction: high

Prevalence: average

Names of the malware:

  • Trojan.Win32.Mylobot.prc (Padvish)
  • Trojan.Win32.Mylobot.proc (Padvish)
  • Trojan.Win32.Mylobot.af (Padvish)
  • Trojan.Win32.Mylobot. (Padvish)
  • Trojan.Win32.Mylobot.h (Padvish)
  • Trojan.Win32.Mylobot.ap (Padvish)
  • Trojan.Win32.Khalesi.h (Padvish)
  • TSPY_MYLOBOT.A (TrendMicro)
  • HEUR:Trojan.Win32.Khalesi.gen (Kaspersky)
  • VirTool:Win32/CeeInject.ANO!bit (Microsoft)
  • Trojan:Win32/CryptInject (Microsoft)

What is a Trojan?

Trojans are a class of malware that present themselves as benign, legitimate software and behave like useful applications, but cause damage to the system once executed. Software downloaded from the internet, content embedded in HTML, and email attachments are among the ways Trojans enter a system. Unlike viruses and computer worms, Trojans do not replicate themselves.

What is Mylobot malware?

Mylobot is a complex and dangerous Trojan that takes control of the victim machine and, by connecting to its server, receives instructions and executes them. One observed action is downloading other malware and executing it on the victim's system. The malware uses several techniques to detect analysis environments and refuses to run if it detects one. It also disables Windows Update and Windows Defender.

Technical explanation

Signs of infection

  • Existence of the following file and a Run registry key pointing to it (the directory and file names are derived from the MAC address):

%AppData%\name_1\name_2.exe

  • Windows Update disabled
  • Internet connections to domains matching the m%d.%s pattern, where %d is an integer between 1 and 42
  • The following firewall rules exist:
    • rule name="blockport 2900" dir=out action=block protocol=TCP remoteport=2900
    • rule name="blockport 1100" dir=out action=block protocol=TCP remoteport=1100
    • rule name="blockport 2200" dir=out action=block protocol=TCP remoteport=2200
    • rule name="blockport 3300" dir=out action=block protocol=TCP remoteport=3300
    • rule name="blockport 4400" dir=out action=block protocol=TCP remoteport=4400
    • rule name="blockport 5500" dir=out action=block protocol=TCP remoteport=5500
    • rule name="blockport 6600" dir=out action=block protocol=TCP remoteport=6600
    • rule name="blockport 7700" dir=out action=block protocol=TCP remoteport=7700
    • rule name="blockport 8800" dir=out action=block protocol=TCP remoteport=8800
    • rule name="blockport 9900" dir=out action=block protocol=TCP remoteport=9900

Behavior Description

The malware runs as several sub-processes, each performing a slightly different function:

Executing debugger-detection techniques

If the program is being run under a debugger, the malware detects it using several techniques, so debugging the program is obstructed.

Executing anti-sandbox and anti-VM checks

The malware applies a number of techniques to determine whether it is running in an analysis environment. If any of them indicates an analysis environment, it terminates.

Decoding the .rsrc section and executing it

The malware decodes the .rsrc section of the running PE file in its process, yielding a new PE. At this stage it checks whether the running module is located under %AppData%. If not, it copies itself into a folder it creates under %AppData%; the file and folder names are derived from the MAC address of the victim's system. The new file is then run and the current process exits.

Otherwise (i.e. when already running from %AppData%), it launches one of the system executables (typically notepad.exe, cmd.exe, or conhost.exe) in a suspended state and executes the decoded PE by injecting it into that suspended process.

The new process (e.g. cmd.exe) creates several threads, each performing one of the functions described below. It also runs notepad.exe as one of its sub-processes and injects its code into it; if it has the necessary privileges, this process executes the commands that disable Windows Defender and Windows Update and block some of the system's outbound connections. Otherwise, this process runs as a sub-process of cmd.exe.

Disabling Windows Defender and Windows Update and blocking a set of network connections

First, the malware stops the Windows Update service and then disables it with the following commands:

"C:\Windows\System32\cmd.exe" /C sc stop wuauserv

"C:\Windows\System32\cmd.exe" sc config wuauserv start= disabled

It also disables Windows Defender by setting the following registry value:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender

Value name: DisableAntiSpyware

Data: 0x1

Finally, it blocks some outbound connections by adding the following firewall rules:

  • netsh advfirewall firewall add rule name="blockport 2900" dir=out action=block protocol=TCP remoteport=2900
  • netsh advfirewall firewall add rule name="blockport 1100" dir=out action=block protocol=TCP remoteport=1100
  • netsh advfirewall firewall add rule name="blockport 2200" dir=out action=block protocol=TCP remoteport=2200
  • netsh advfirewall firewall add rule name="blockport 3300" dir=out action=block protocol=TCP remoteport=3300
  • netsh advfirewall firewall add rule name="blockport 4400" dir=out action=block protocol=TCP remoteport=4400
  • netsh advfirewall firewall add rule name="blockport 5500" dir=out action=block protocol=TCP remoteport=5500
  • netsh advfirewall firewall add rule name="blockport 6600" dir=out action=block protocol=TCP remoteport=6600
  • netsh advfirewall firewall add rule name="blockport 7700" dir=out action=block protocol=TCP remoteport=7700
  • netsh advfirewall firewall add rule name="blockport 8800" dir=out action=block protocol=TCP remoteport=8800
  • netsh advfirewall firewall add rule name="blockport 9900" dir=out action=block protocol=TCP remoteport=9900

Removing files and folders

The malware searches the following directories for executable files with the .exe extension. For each file found, it obtains the list of running processes to check whether the file is running and, if so, terminates the corresponding process. It then creates a copy of the file with “.local.backup” appended to its name and deletes the file.

  • %AppData%
  • %AppData%\WindowsAudio
  • %AppData%\Windows Live
  • %AppData%\Update
  • %AppData%\Adobe
  • %AppData%\WindowsUpdate
  • %AppData%\Identities
  • %AppData%\Microsoft
  • %AppData%\Microsoft\Windows
  • %AppData%\Microsoft\Windows\Cookies
  • %AppData%\Microsoft\Windows\DNTException
  • %AppData%\Microsoft\Windows\DNTException\Low
  • %AppData%\Microsoft\Windows\IECompatCache
  • %AppData%\Microsoft\Windows\IECompatCache\Low
  • %AppData%\Microsoft\Windows\IECompatUACache
  • %AppData%\Microsoft\Windows\IEDownloadHistory
  • %AppData%\Microsoft\Windows\Themes
  • C:\Recycler

It also renames the following two folders (if they exist) by appending “local.backup” to the name and then deletes them:

  • %AppData%\v07
  • %AppData%\c731200

Generating DNS queries to mislead the user

In a dedicated thread, the malware continuously generates random domain names and tries to resolve them to IP addresses. Whether or not these domains resolve has no effect on the malware's execution, and since this runs in an endless loop, its only purpose is to mislead the user.

Recording the malware's execution time on the system

On its first execution, the malware records the system time, and after 12 days (i.e. on the 30th day of the month) it begins connecting to its server over TCP. It derives its server addresses from one of the following patterns, using domains and port numbers hard-coded in its PE:

  • M%d.%s
  • X%d.%s

%d is an integer between 1 and 42, and %s is a domain hard-coded in the malware's PE. For each connection it uses the port number associated with the domain in this pattern. The number of hard-coded servers is very large (more than 1000); some of them are shown below:

  • m21[.]wloqtmt[.]biz
  • m19[.]fywkuzp[.]ru
  • m41[.]ilquige[.]com
  • m30[.]dqagyks[.]com
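Two of the indicators above lend themselves to automated hunting: the C2 hostname pattern (m%d.%s / x%d.%s with %d between 1 and 42) and the outbound "blockport" firewall rules listed under Signs of infection. The following Python is an added example, not part of the Padvish report; it assumes the text format of `netsh advfirewall firewall show rule name=all` and a lowercase alphanumeric domain label, and the netsh sample is constructed.

```python
import re

# Label character set is an assumption; the report only shows lowercase samples.
_C2_HOST_RE = re.compile(r"^[mx](\d{1,2})\.[a-z0-9-]+\.[a-z]{2,}$")
# Remote ports blocked by the malware's own netsh rules, as listed in the report.
MYLOBOT_PORTS = {1100, 2200, 2900, 3300, 4400, 5500, 6600, 7700, 8800, 9900}


def is_mylobot_c2_host(host: str) -> bool:
    """True if host matches m%d.%s or x%d.%s with %d between 1 and 42."""
    m = _C2_HOST_RE.match(host.strip().lower().rstrip("."))
    return bool(m) and 1 <= int(m.group(1)) <= 42


def parse_netsh_rules(text: str) -> list[dict]:
    """Split 'netsh advfirewall firewall show rule name=all' output into one
    dict per rule, keyed by the field names netsh prints ('Rule Name', ...)."""
    rules, cur = [], {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if not sep or line.startswith("-"):
            continue  # separator rows and the trailing 'Ok.' carry no field
        if key.strip() == "Rule Name" and cur:  # a new rule block starts
            rules.append(cur)
            cur = {}
        cur[key.strip()] = val.strip()
    return rules + [cur] if cur else rules


def mylobot_blockport_rules(text: str) -> list[int]:
    """Remote ports of outbound TCP block rules named 'blockport ...' that
    target one of the ports the report lists."""
    ports = []
    for r in parse_netsh_rules(text):
        if (r.get("Rule Name", "").startswith("blockport") and r.get("Direction") == "Out"
                and r.get("Action") == "Block" and r.get("Protocol") == "TCP"
                and r.get("RemotePort", "").isdigit() and int(r["RemotePort"]) in MYLOBOT_PORTS):
            ports.append(int(r["RemotePort"]))
    return sorted(ports)


# Constructed sample of netsh output (subset of fields) so the block runs stand-alone.
SAMPLE_NETSH = """Rule Name:    blockport 2900
------------------------------
Direction:    Out
Protocol:     TCP
RemotePort:   2900
Action:       Block

Rule Name:    Core Networking - DNS (UDP-Out)
Direction:    Out
Protocol:     UDP
RemotePort:   53
Action:       Allow
Ok."""
```

Running `mylobot_blockport_rules(SAMPLE_NETSH)` returns `[2900]`, and the report's sample `m21.wloqtmt.biz` is accepted by `is_mylobot_c2_host` while `m43.wloqtmt.biz` is rejected because 43 is outside the 1-42 range.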

Maintaining persistence

The malware adds its file path to the “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” registry key. It also calls the RegNotifyChangeKeyValue function to be notified of changes to the key's attributes or contents. If it finds that this entry has been removed or changed, it recreates the entry in the same path to execute its file.

How to deal with it and disinfect the system

Padvish Antivirus detects this malware and removes it from the system. To prevent this type of malware from entering the system, avoid clicking on suspicious links and scan attached files before executing them. Also, always keep your OS and antivirus up to date.

If your system is infected by Mylobot, take the following steps:

  1. Remove the firewall rules the malware added.
  2. Re-enable Windows Defender and Windows Update.
