BitSight recently detected MyloBot, an advanced botnet that has successfully infiltrated numerous computer systems, primarily situated in four countries:-Â
- India
- The United States
- Indonesia
- Iran
The botnet has targeted and compromised thousands of systems, demonstrating its ability to operate on a massive scale across a wide geographical range.
According to BitSight report, there has been a significant decline in the number of unique infected systems per day, which has dropped to just over 50,000. This figure represents a noteworthy reduction from the peak observed in 2020 when the number of unique hosts infected by malware reached a high of 250,000.
An in-depth investigation into MyloBot’s infrastructure has uncovered ties to BHProxies, a residential proxy service.
This discovery suggests that the botnet is exploiting the compromised computer systems for BHProxies’ purposes, potentially utilizing their computing power to carry out illicit activities.
Technical Analysis
First identified by Deep Instinct in 2018, MyloBot is a highly sophisticated malware that surfaced in the threat landscape in 2017.
This malicious software is renowned for its anti-analysis techniques, which make it challenging for security analysts to dissect and understand its workings fully.
Moreover, MyloBot can function as a downloader, enabling it to download and execute additional malware or malicious tools on the compromised system.
One of the most alarming features of MyloBot is its capability to download and execute any form of payload once it successfully infects a host system. As a result, it is possible for an attacker to download any type of malware at any time.
MyloBot was detected engaging in a financially-motivated campaign last year, where it sent extortion emails to unsuspecting recipients using hacked endpoints.
In these emails, the malware threatened to release sensitive or potentially embarrassing information to the public if a ransom of over $2,700 in Bitcoin was not paid.
In order to unpack and initiate the bot malware, MyloBot implements a complex multi-stage process in which it uses a variety of methods.
While it remains inactive for two weeks before establishing communication with the command-and-control server (C2), a tactic used to evade detection.
MyloBot botnet creates a connection to a pre-programmed command-and-control (C2) domain that is integrated into the malware and it’s the foremost objective of MyloBot.
Once connected, the botnet lies dormant until it receives further instructions from the C2 server. MyloBot is responsible for transforming the infected computer into a proxy whenever it receives an instruction from the C2.
Once a system is infected with the MyloBot malware, it can function as a powerful tool for the cybercriminals behind the botnet. The compromised machine can handle multiple connections and serve as a relay point for traffic that is transmitted through the C2 server.
As the malware evolves over time, newer versions of it utilize a downloader that establishes communication with a C2 server. Upon receiving an encrypted message from the server, the downloader decrypts it and recovers a link to obtain the MyloBot payload.
To obtain an encrypted message containing a link to download the MyloBot malware payload, the recent versions of MyloBot utilize a downloader that communicates with a C2 server.
This multi-step process is designed to evade detection and ensure that the botnet can propagate effectively across multiple systems.
Evolution
There are not many changes that have taken place over the years regarding the MyloBot. While MyloBot has undergone various iterations, one notable change has been the number of command-and-control (C2) domains hardcoded in the malware binary.
Initially, the number of C2 domains was approximately 1000, but since the beginning of 2022, it has decreased to only three:-
- fywkuzp[.]ru:7432
- dealpatu[.]ru:8737
- rooftop7[.]ru:8848
This change could indicate a shift in the botnet’s strategy or a response to efforts to disrupt its activities. It seems that the website bhproxies[.]com is pretty explicit when it comes to what it offers.
This service offers Backconnect residential proxies, and Backconnect offers a wide range of IP addresses from all over the globe.
Their service includes the ability to provide clients with customized packages, with an IP address range of up to 150,000 unique addresses, if they wish.
MyloBot’s potential involvement in a larger operation has been suggested by findings that indicate a connection between the botnet’s C2 infrastructure and the domain clients.bhproxies[.]com. The association was discovered through a reverse DNS lookup of one of the IP addresses linked to MyloBot.
Network Security Checklist – Download Free E-Book