Cyble Research Labs uncovered MikuBot, a new Windows botnet that steals data and runs hidden HVNC sessions for remote access, with USB propagation and the ability to download and execute additional malware. The actor markets MikuBot with a panel, uses encryption and anti-detection tricks, and stores payloads in RCData that are decrypted and executed in memory.
Key points
- MikuBot is a standalone Windows botnet capable of stealing data and establishing hidden HVNC sessions for remote access.
- It propagates via USB and can download and execute other malware, acting as a loader/botnet platform.
- The malware targets Windows OS versions from Vista to 11 and is described as self-contained, with full support from the threat actor.
- Anti-analysis techniques include encrypted strings, dynamic API usage, unique object names, and anti-emulation methods to evade detection.
- Payloads are embedded in the RCData resource, decrypted, UPX-packed, loaded into memory, and executed with a mutex to prevent multiple instances.
- Persistence and startup mechanisms include a mutex, hidden self-copy in appdata, startup folder auto-launch, and a scheduled task that runs every 10 minutes.
- The C2 panel exposes bot lists, status, and region, and allows creation of HVNC tasks, credential editing, and settings adjustments; beacons and data exfiltration are described.
MITRE Techniques
- [T1204] User Execution – The threat is initiated when the self-copy file is executed, launching PowerShell instances. ‘Upon executing the self-copy file, it launches two PowerShell instances by using the ShellExecuteW() API function with the following Base64 encoded commands.’
- [T1059] Command and Scripting Interpreter – The malware uses Base64-encoded commands executed via PowerShell to disable protections. ‘The first PowerShell instance executes the following commands to disable the Windows Defender’s controlled folder access and potentially unwanted application protection.’
- [T1497] Virtualization/Sandbox Evasion – The sample implements anti-emulation methods to evade analysis. ‘anti-emulation methods, and tricks to evade detection by antivirus products.’
- [T1027] Software Packing – The payload is UPX-packed and decrypted in memory from RCData. ‘The below figure shows the UPX packed payload decrypted from resource “RCData”.’
- [T1053] Scheduled Task/Job – A task-scheduler entry is created to run the malware at intervals. ‘creates a task-scheduler entry with this mutex name, which executes the malware every 10 minutes.’
- [T1547] Registry Run Keys / Startup Folder – Startup persistence via startup folder and hidden self-copy. ‘drops an internet shortcut file inside the start-up folder to establish auto-launch capability during system restarts.’
- [T1082] System Information Discovery – The malware checks for virtualization, debuggers, and antivirus tools. ‘detect the presence of a virtual environment, debugger and antivirus tools by using strings and DLL modules.’
- [T1005] Data from Local System – The malware collects sensitive information for exfiltration. ‘collects the victim’s sensitive information and sends it to the C&C server by using the below URL: 136.144.41[.]244/panel/gate.php?CBB536F13973261063369’
- [T1071] Application Layer Protocol – Exfiltration to C2 over HTTP/HTTPS. ‘sends the stolen information to its C&C server’ (via the given URL).
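As an added defensive example (not code from the Cyble report), the Python below checks process-creation telemetry for the Defender-weakening PowerShell step described under T1059 and enriches a hit with the appdata self-copy location described under T1547. The sample events are constructed; the decoded command text is an assumption, since the report only names the two protections that get disabled, while `Set-MpPreference`, `-EnableControlledFolderAccess` and `-PUAProtection` are the real parameter names.

```python
import base64
import binascii
import re

# Matches PowerShell's -EncodedCommand switch and its common abbreviations
# (PowerShell accepts any unambiguous prefix, e.g. -e, -ec, -enc).
ENCODED_ARG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]{8,})"
)

# Defender settings the report says the first PowerShell instance disables:
# controlled folder access and PUA protection. The parameter names are real
# Set-MpPreference parameters; the exact command text is an assumption.
WEAKENING_PATTERNS = {
    "controlled_folder_access_disabled": re.compile(
        r"(?i)EnableControlledFolderAccess\s+Disabled"
    ),
    "pua_protection_disabled": re.compile(r"(?i)PUAProtection\s+Disabled"),
}


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text, or None if absent/undecodable.
    PowerShell encodes the script as UTF-16LE before Base64."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze_event(parent_image, cmdline):
    """Return the reasons this process-creation event looks like the
    Defender-weakening step from the report; an empty list means no match."""
    reasons = []
    decoded = decode_encoded_command(cmdline)
    if decoded and re.search(r"(?i)Set-MpPreference", decoded):
        for name, pattern in WEAKENING_PATTERNS.items():
            if pattern.search(decoded):
                reasons.append(name)
    # The report says the self-copy is hidden under the user's appdata directory;
    # a flagged PowerShell spawned from there is recorded as extra context.
    if reasons and re.search(r"(?i)\\AppData\\", parent_image):
        reasons.append("parent_in_appdata")
    return reasons


def _enc(script):
    """Build a PowerShell-style encoded command for the constructed samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry: (parent image, child command line). Not from the report.
SAMPLE_EVENTS = [
    (r"C:\Users\victim\AppData\Roaming\update.exe",
     "powershell.exe -NoP -W Hidden -enc "
     + _enc("Set-MpPreference -EnableControlledFolderAccess Disabled "
            "-PUAProtection Disabled")),
    (r"C:\Windows\explorer.exe",
     "powershell.exe -ExecutionPolicy Bypass -EncodedCommand "
     + _enc("Get-Process | Sort-Object CPU -Descending | Select-Object -First 5")),
    (r"C:\Windows\explorer.exe", "powershell.exe -Command Get-Date"),
]


def scan(events):
    """Return [(event_index, reasons)] for every event that matched."""
    flagged = []
    for idx, (parent, cmdline) in enumerate(events):
        reasons = analyze_event(parent, cmdline)
        if reasons:
            flagged.append((idx, reasons))
    return flagged


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(reasons)}")
```

The benign encoded `Get-Process` pipeline in the second sample is there on purpose: Base64-encoded PowerShell alone is common in administration, so the rule keys on the decoded `Set-MpPreference` content rather than on encoding itself.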
Indicators of Compromise
- [Hash] SHA256 – MikuBot exe: 9d98af7edc7ef9cc5dfc258f11b1795b3ecb74aa613cc14212102d75bbdc8c44, 73865a87ccbba39258ac07f9e0606df31aebc510aa2e7b437fc8a9fcdd1d55a3
- [URL] C2 – 136.144.41[.]244/panel/gate.php?CBB536F139732610633691
- [IP] 136.144.41[.]244 – C2 host address associated with the beacon
Read more: https://blog.cyble.com/2022/08/11/mikubot-spotted-in-the-wild/