MyloBot Botnet Spreading Rapidly Worldwide: Infecting Over 50,000 Devices Daily

A sophisticated botnet known as MyloBot has compromised thousands of systems, with most of them located in India, the U.S., Indonesia, and Iran.

That’s according to new findings from BitSight, which said it’s “currently seeing more than 50,000 unique infected systems every day,” down from a high of 250,000 unique hosts in 2020.

Furthermore, an analysis of MyloBot’s infrastructure has found connections to a residential proxy service called BHProxies, indicating that the compromised machines are being used by the latter.

MyloBot, which emerged on the threat landscape in 2017, was first documented by Deep Instinct in 2018, calling out its anti-analysis techniques and its ability to function as a downloader.

“What makes Mylobot dangerous is its ability to download and execute any type of payload after it infects a host,” Lumen’s Black Lotus Labs said in November 2018. “This means at any time it could download any other type of malware the attacker desires.”

Last year, the malware was observed sending extortion emails from hacked endpoints as part of a financially motivated campaign seeking over $2,700 in Bitcoin.

MyloBot is known to employ a multi-stage sequence to unpack and launch the bot malware. Notably, it also sits idle for 14 days before attempting to contact the command-and-control (C2) server to sidestep detection.

The primary function of the botnet is to establish a connection to a hard-coded C2 domain embedded within the malware and await further instructions.

“When Mylobot receives an instruction from the C2, it transforms the infected computer into a proxy,” BitSight said. “The infected machine will be able to handle many connections and relay traffic sent through the command-and-control server.”
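A host that has been turned into a relay of this kind leaves a distinctive shape in flow data: one upstream peer pushes bytes in, and the host fans roughly the same volume out to many destinations. The following heuristic, added here as an illustration and not BitSight's code or a MyloBot signature, scores hosts in a set of constructed flow records (documentation-range addresses, hypothetical byte counts) on exactly that pattern; the thresholds are assumptions to tune against your own baseline.

```python
from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, byte_count). Addresses come from
# RFC 1918 / RFC 5737 documentation space and are placeholders, not IoCs.
SAMPLE_FLOWS = [
    # 10.0.0.5: a single upstream peer pushes traffic in ...
    ("198.51.100.7", "10.0.0.5", 300_000),
] + [
    # ... and the host forwards almost all of it to a dozen different hosts.
    ("10.0.0.5", f"203.0.113.{i}", 24_000) for i in range(1, 13)
] + [
    # 10.0.0.9: an ordinary client, small requests out and large responses back.
    ("10.0.0.9", "203.0.113.50", 2_000),
    ("203.0.113.50", "10.0.0.9", 150_000),
    ("10.0.0.9", "203.0.113.51", 1_500),
    ("203.0.113.51", "10.0.0.9", 90_000),
]


def relay_candidates(flows, min_fanout=8, upstream_share=0.8, ratio_band=(0.7, 1.3)):
    """Return {host: details} for hosts whose traffic looks like proxy relaying.

    A host is flagged when (1) it sends to at least `min_fanout` distinct
    destinations, (2) one source accounts for at least `upstream_share` of its
    inbound bytes, and (3) outbound bytes roughly mirror inbound bytes
    (`ratio_band`). Thresholds are assumptions for the example.
    """
    inbound = defaultdict(lambda: defaultdict(int))   # host -> src -> bytes
    outbound = defaultdict(lambda: defaultdict(int))  # host -> dst -> bytes
    for src, dst, nbytes in flows:
        inbound[dst][src] += nbytes
        outbound[src][dst] += nbytes

    hits = {}
    for host in set(inbound) | set(outbound):
        in_by_src = inbound.get(host, {})
        out_by_dst = outbound.get(host, {})
        total_in = sum(in_by_src.values())
        total_out = sum(out_by_dst.values())
        if not total_in or len(out_by_dst) < min_fanout:
            continue
        top_src, top_bytes = max(in_by_src.items(), key=lambda kv: kv[1])
        if top_bytes / total_in < upstream_share:
            continue
        ratio = total_out / total_in
        if not (ratio_band[0] <= ratio <= ratio_band[1]):
            continue
        hits[host] = {
            "upstream": top_src,
            "fanout": len(out_by_dst),
            "ratio": round(ratio, 2),
        }
    return hits


if __name__ == "__main__":
    for host, details in relay_candidates(SAMPLE_FLOWS).items():
        print(f"relay candidate {host}: {details}")
```

The ordinary client is not flagged because its fan-out is small and its byte ratio is nowhere near 1:1; the relay host is flagged with its upstream peer recorded, which is the address you would then pivot on (reverse DNS, passive DNS, C2 sinkhole data).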

Subsequent iterations of the malware have leveraged a downloader that, in turn, contacts a C2 server, which responds with an encrypted message containing a link to retrieve the MyloBot payload.

The evidence that MyloBot could be a part of something bigger stems from a reverse DNS lookup of one of the IP addresses associated with the botnet’s C2 infrastructure, which revealed ties to a domain named “clients.bhproxies[.]com.”
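The pivot described above, a reverse DNS (PTR) lookup of C2-associated addresses checked against a watchlist of proxy-service domains, is easy to automate. The code below is an added example, not BitSight's tooling; it re-fangs indicators written in the defanged `bhproxies[.]com` style, matches PTR names by parent domain, and runs against a constructed PTR table (documentation-range addresses) so that it works offline, with a `socket.gethostbyaddr` resolver available for live use.

```python
import socket

# Constructed PTR answers standing in for real reverse DNS. The addresses are
# RFC 5737 placeholders; the first name is the domain cited in the article.
SAMPLE_PTR = {
    "192.0.2.10": "clients.bhproxies.com",
    "192.0.2.11": "mail.example.net",
    "192.0.2.12": None,  # no PTR record at all
}

# Watchlist as an analyst would paste it from a report (defanged form).
WATCHLIST = {"bhproxies[.]com"}


def refang(indicator):
    """Turn the defanged 'example[.]com' form back into a resolvable name."""
    return indicator.replace("[.]", ".").replace("(.)", ".").strip().lower()


def parent_domains(name):
    """All registrable-or-longer suffixes of a host name, e.g.
    'a.b.example.com' -> {'a.b.example.com', 'b.example.com', 'example.com'}."""
    labels = name.lower().rstrip(".").split(".")
    return {".".join(labels[i:]) for i in range(len(labels) - 1)}


def lookup_ptr_offline(ip):
    """Resolver backed by the constructed table above."""
    return SAMPLE_PTR.get(ip)


def lookup_ptr_live(ip):
    """Resolver that asks the real DNS; returns None on any failure."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def correlate(ips, watchlist=WATCHLIST, resolve=lookup_ptr_offline):
    """Return {ip: ptr_name} for addresses whose PTR falls under a watched domain."""
    watched = {refang(d) for d in watchlist}
    matches = {}
    for ip in ips:
        ptr = resolve(ip)
        if ptr and parent_domains(ptr) & watched:
            matches[ip] = ptr
    return matches


if __name__ == "__main__":
    # Swap in resolve=lookup_ptr_live to run the same check against real DNS.
    for ip, ptr in correlate(SAMPLE_PTR).items():
        print(f"{ip} -> {ptr}: PTR under a watched proxy-service domain")
```

Matching on parent domains rather than exact strings is what makes the check useful: the article's hit is a `clients.` subdomain, and a PTR record can carry any label under the watched zone.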

The Boston-based cybersecurity company said it began sinkholing MyloBot in November 2018 and that it continues to see the botnet evolve over time.