Mylobot is a very active botnet: it infects more than 50,000 devices a day. Although it has little presence in France, it is an active threat on a global scale.
Active since 2017, the Mylobot botnet is said to be in top form according to a report published by BitSight: "We are currently seeing over 50,000 unique infected systems every day". However, this may be only part of a much larger botnet associated with the bhproxies[.]com proxy service. At this rate, the number of infected hosts will become very significant, knowing that in 2020 it had already infected 250,000 unique hosts.
This botnet targets Windows machines, and once a machine is infected the malware does not go into action immediately. It remains dormant for 14 days in order to evade detection, and only after that does it contact the cybercriminals' C2 server. For these connections, Mylobot relies on more than 1,000 hardcoded ".ru" and ".com" domains, and for each domain the bot is able to connect to different subdomains.
The infected machine acts as a proxy for the attackers: "When Mylobot receives an instruction from the C2 [server], it turns the infected computer into a proxy. The infected machine will be able to handle many connections and relay the traffic sent by the command and control server".
That's not all: Mylobot is also able to download and execute payloads on the infected machine. For example, last year Mylobot was used to send emails from infected machines as part of a phishing campaign.
If we look at the map below, we see that Mylobot is particularly present in the United States, Iran and Indonesia. France is also affected, to a lesser extent.
In the BitSight report, you can find a list of the malicious IP addresses used by the operators.