Wednesday, May 22, 2024

MyloBot Botnet Attacks Thousands of Windows Systems and Turns Them as Proxy

BitSight recently detected MyloBot, an advanced botnet that has successfully infiltrated numerous computer systems, primarily situated in four countries:- 

  • India
  • The United States
  • Indonesia
  • Iran

The botnet has targeted and compromised thousands of systems, demonstrating its ability to operate on a massive scale across a wide geographical range.

According to BitSight report, there has been a significant decline in the number of unique infected systems per day, which has dropped to just over 50,000. This figure represents a noteworthy reduction from the peak observed in 2020 when the number of unique hosts infected by malware reached a high of 250,000.

An in-depth investigation into MyloBot’s infrastructure has uncovered ties to BHProxies, a residential proxy service. 

This discovery suggests that the botnet is exploiting the compromised computer systems for BHProxies’ purposes, potentially utilizing their computing power to carry out illicit activities.

Technical Analysis

First identified by Deep Instinct in 2018, MyloBot is a highly sophisticated malware that surfaced in the threat landscape in 2017. 

This malicious software is renowned for its anti-analysis techniques, which make it challenging for security analysts to dissect and understand its workings fully. 

Moreover, MyloBot can function as a downloader, enabling it to download and execute additional malware or malicious tools on the compromised system.

One of the most alarming features of MyloBot is its capability to download and execute any form of payload once it successfully infects a host system. As a result, it is possible for an attacker to download any type of malware at any time.

MyloBot was detected engaging in a financially-motivated campaign last year, where it sent extortion emails to unsuspecting recipients using hacked endpoints. 

In these emails, the malware threatened to release sensitive or potentially embarrassing information to the public if a ransom of over $2,700 in Bitcoin was not paid.

In order to unpack and initiate the bot malware, MyloBot implements a complex multi-stage process in which it uses a variety of methods.

While it remains inactive for two weeks before establishing communication with the command-and-control server (C2), a tactic used to evade detection.

MyloBot botnet creates a connection to a pre-programmed command-and-control (C2) domain that is integrated into the malware and it’s the foremost objective of MyloBot.

Once connected, the botnet lies dormant until it receives further instructions from the C2 server. MyloBot is responsible for transforming the infected computer into a proxy whenever it receives an instruction from the C2.

Once a system is infected with the MyloBot malware, it can function as a powerful tool for the cybercriminals behind the botnet. The compromised machine can handle multiple connections and serve as a relay point for traffic that is transmitted through the C2 server.

As the malware evolves over time, newer versions of it utilize a downloader that establishes communication with a C2 server. Upon receiving an encrypted message from the server, the downloader decrypts it and recovers a link to obtain the MyloBot payload.

To obtain an encrypted message containing a link to download the MyloBot malware payload, the recent versions of MyloBot utilize a downloader that communicates with a C2 server. 

This multi-step process is designed to evade detection and ensure that the botnet can propagate effectively across multiple systems.

Evolution

There are not many changes that have taken place over the years regarding the MyloBot. While MyloBot has undergone various iterations, one notable change has been the number of command-and-control (C2) domains hardcoded in the malware binary. 

Initially, the number of C2 domains was approximately 1000, but since the beginning of 2022, it has decreased to only three:-

  • fywkuzp[.]ru:7432
  • dealpatu[.]ru:8737
  • rooftop7[.]ru:8848

This change could indicate a shift in the botnet’s strategy or a response to efforts to disrupt its activities. It seems that the website bhproxies[.]com is pretty explicit when it comes to what it offers.

This service offers Backconnect residential proxies, and Backconnect offers a wide range of IP addresses from all over the globe.

Their service includes the ability to provide clients with customized packages, with an IP address range of up to 150,000 unique addresses, if they wish.

MyloBot’s potential involvement in a larger operation has been suggested by findings that indicate a connection between the botnet’s C2 infrastructure and the domain clients.bhproxies[.]com. The association was discovered through a reverse DNS lookup of one of the IP addresses linked to MyloBot.

Network Security Checklist – Download Free E-Book

Website

Latest articles

Hackers Claiming Access to Qatar National Bank Database

A group of hackers has claimed to have accessed the database of Qatar National...

Cloud-Based Malware Attack Abusing Google Drive & Dropbox

A phishing email with a malicious zip attachment initiates the attack. The zip contains...

OmniVision Technologies Cyber Attack, Hackers Stolen Personal Data in Ransomware Attack

OmniVision Technologies, Inc. (OVT) recently disclosed a significant security breach that compromised its clients'...

Critical Flaw In Confluence Server Let Attackers Execute Arbitrary Code

The widely used team workspace corporate wiki Confluence has been discovered to have a...

Threat Actors Leverage Bitbucket Artifacts to Breach AWS Accounts

In a recent investigation into Amazon Web Services (AWS) security breaches, Mandiant uncovered a...

Hackers Breached Western Sydney University Microsoft 365 & Sharepoint Environments

Western Sydney University has informed approximately 7,500 individuals today of an unauthorized access incident...

Memcyco Report Reveals Only 6% Of Brands Can Protect Their Customers From Digital Impersonation Fraud

Memcyco Inc., provider of digital trust technology designed to protect companies and their customers...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles