MikuBot Steals Sensitive Data

A new malware bot was discovered by the experts at Cyble Research Labs in a cyber-crime forum featuring the name “MikuBot.” 

Mikubot is mainly designed to steal sensitive data or to launch hidden VNC sessions with the purpose of stealing it. Not only that, but it also allows the threat actors to perform the following actions:-

  • Remotely access the machine of the victim
  • The spread of infection through USB devices
  • Other malware programs can be downloaded from the Internet
  • Other malware could also be executed

C++ is the language in which the bot has been written, and it is designed to work on all versions of the Windows operating system. There is no dependency on any third-party applications for the malware to run, and it acts as a standalone application. It should also be noted that the threat actors provide MikuBot with:- 

  • Software support is provided in full
  • Advisory services
  • New features
  • Crypts
  • Responsive administration

TTPs Employed

In order to avoid being detected by antivirus products, the malware employs the following methods:-

  • Encrypted strings
  • Dynamic API functions
  • Unique object names
  • Anti-emulation methods & tricks

The price at which the threat actors are selling MikuBot with Panel, as listed below, for a limited time:-

  • $1300 (1.5 months)
  • $2200 (3 months) 

Technical Analysis

The malware file has the encrypted payload in its RCData section, which is located in the resource section of the malware file. When the malware file is executed, it accesses the resource section and retrieves the encrypted payload from there.

Following this, the malware loads the UPX payload into the memory of the system and executes it. Once this code is unpacked in memory, the malware creates a mutex to protect the code from being modified.

In order to execute this malware every 10 minutes, the malware creates a task-scheduler entry with the name of this mutex and uses it to execute the malware each time.

By stealing sensitive information from the victim, the malware will send it to the command and control server that hosts the malware.

Financial fraud is often carried out by cybercriminals with the assistance of malware purchased from underground forums and add-on services that do not require special skills. 

Individuals and organizations are more vulnerable to cyber-attacks and financial fraud due to the sale of malware bots and services. At the moment, MikuBot will have limited functionality due to the threat actors who are heavily involved in the project. 

We can expect MikuBot to become more sophisticated in the future, as they are constantly improving their methods and evolving their technology in the meantime.

Recommendations

Here below, we have mentioned all the recommendations:-

  • Don’t download files from sources that you don’t trust.
  • At regular intervals, you should clear your browsing history and reset your password.  
  • Make sure that your computer, mobile device, and all devices connected to the Internet are set up to automatically update their software. 
  • Ensure that you use an anti-virus and internet security product that has a good reputation.
  • Make sure you verify the authenticity of email attachments and links before opening them in case they are untrusted.  
  • In order for employees to be protected from threats such as phishing and unfamiliar URLs, employees need to be educated on the subject. 
  • Make sure to block URLs that could be used to distribute malware, for instance, torrents, warez files, etc. 
  • Keep an eye on the beacons at the network level so that malware or Trojans cannot leak data from them. 
  • Ensure that all employees’ computers are equipped with a Data Loss Prevention (DLP) solution.

Rise of Remote Workers: A Checklist for Securing Your Network – Download Free White paper

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.