According to new findings from cybersecurity firm BitSight, a sophisticated botnet called MyloBot has compromised thousands of systems globally. Most of the infected systems are located in India, the United States, Indonesia, and Iran. BitSight reports that they are currently seeing over 50,000 unique infected systems every day, a decrease from a high of 250,000 unique hosts in 2020.
MyloBot first emerged on the threat landscape in 2017 and was first documented by Deep Instinct in 2018. It is known for its anti-analysis techniques and its ability to function as a downloader. What makes MyloBot particularly dangerous is its ability to download and execute any type of payload after infecting a host. This means that at any time, it could download any other type of malware that the attacker desires.
The primary function of the botnet is to establish a connection to a hard-coded command-and-control (C2) domain embedded within the malware and await further instructions. When MyloBot receives an instruction from the C2, it transforms the infected computer into a proxy, allowing the infected machine to handle many connections and relay traffic sent through the C2 server.
MyloBot is also known to employ a multi-stage sequence to unpack and launch the bot malware. It also sits idle for 14 days before attempting to contact the C2 server, a delay intended to sidestep detection by sandboxes and analysts.
Last year, MyloBot was observed sending extortion emails from hacked endpoints as part of a financially motivated campaign seeking over $2,700 in Bitcoin. Subsequent iterations of the malware have leveraged a downloader that contacts a C2 server, which responds with an encrypted message containing a link to retrieve the MyloBot payload.
Furthermore, an analysis of MyloBot's infrastructure has found connections to a residential proxy service called BHProxies, indicating that BHProxies is making use of the compromised machines. The evidence that MyloBot could be part of something bigger stems from a reverse DNS lookup of one of the IP addresses associated with the botnet's C2 infrastructure, which revealed ties to a domain named "clients.bhproxies[.]com."
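The two behaviours described above, contact with the C2/proxy infrastructure and an infected host relaying many connections like a proxy, are both visible in ordinary network telemetry. The following is an added detection example, not code from the article or from BitSight or Lumen: it takes a constructed, simplified connection log, refangs the `clients.bhproxies[.]com` indicator quoted above so it can be matched, and reports hosts that both touched that indicator and show proxy-like fan-in and fan-out. The log format, the `min_peers` threshold, and all host names are assumptions made for this example.

```python
"""Added example (not from the article or from BitSight/Lumen): flag hosts that
both touched a MyloBot-linked indicator and relay traffic like a proxy.
Every log line below is constructed for this example."""
import re
from collections import defaultdict

# Indicator taken from the article, kept in its defanged form here.
DEFANGED_INDICATORS = ["clients.bhproxies[.]com"]


def refang(value: str) -> str:
    """Turn a defanged indicator ('[.]', '(.)', 'hxxp') back into a matchable form."""
    return re.sub(r"\[\.\]|\(\.\)", ".", value).replace("hxxp", "http").lower()


INDICATORS = {refang(d) for d in DEFANGED_INDICATORS}

# Constructed log (assumed format): "<timestamp> <event> <source> <destination>"
# where event is "dns" (source resolved destination) or "conn" (source connected to destination).
SAMPLE_LOG = """\
2023-02-20T10:00:01Z dns  host-a clients.bhproxies.com
2023-02-20T10:00:05Z conn peer-1 host-a
2023-02-20T10:00:06Z conn peer-2 host-a
2023-02-20T10:00:07Z conn peer-3 host-a
2023-02-20T10:00:08Z conn host-a site-x.example
2023-02-20T10:00:09Z conn host-a site-y.example
2023-02-20T10:00:10Z conn host-a site-z.example
2023-02-20T10:01:00Z conn peer-1 host-b
2023-02-20T10:01:01Z conn peer-2 host-b
2023-02-20T10:01:02Z conn peer-3 host-b
2023-02-20T10:01:03Z conn host-b site-x.example
2023-02-20T10:02:00Z dns  host-c clients.bhproxies.com
2023-02-20T10:02:01Z conn host-c site-x.example
"""


def parse_log(text: str) -> list:
    """Parse the constructed log into (timestamp, event, src, dst) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, src, dst = line.split()
        events.append((ts, event, src, refang(dst)))
    return events


def indicator_hits(events: list) -> set:
    """Hosts that resolved or connected to a known indicator."""
    return {src for _, _, src, dst in events if dst in INDICATORS}


def relay_candidates(events: list, min_peers: int = 3) -> set:
    """Hosts with at least min_peers distinct inbound sources AND distinct
    outbound destinations, the fan-in/fan-out shape of a relaying proxy.
    A busy server has fan-in only; a normal client has fan-out only."""
    inbound = defaultdict(set)
    outbound = defaultdict(set)
    for _, event, src, dst in events:
        if event != "conn":
            continue
        inbound[dst].add(src)
        outbound[src].add(dst)
    hosts = set(inbound) | set(outbound)
    return {h for h in hosts
            if len(inbound[h]) >= min_peers and len(outbound[h]) >= min_peers}


def suspected_mylobot_proxies(text: str, min_peers: int = 3) -> list:
    """Hosts that both touched an indicator and behave like a relay."""
    events = parse_log(text)
    return sorted(indicator_hits(events) & relay_candidates(events, min_peers))


if __name__ == "__main__":
    print(suspected_mylobot_proxies(SAMPLE_LOG))  # ['host-a']
```

Requiring both signals keeps the noise down: `host-b` is a server with plenty of inbound peers but no proxy-like fan-out, and `host-c` resolved the indicator but never relayed anything, so only `host-a` is reported. In a real deployment the threshold would be tuned against the environment's baseline, and a host that resolved the indicator alone would still be worth a lower-severity alert.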
Boston-based cybersecurity company Lumen's Black Lotus Labs said it began sinkholing MyloBot in November 2018 and that it continues to see the botnet evolve. MyloBot serves as a reminder of the danger posed by sophisticated botnets and the need for robust cybersecurity measures to protect against them.