MyloBot Botnet Spreading Rapidly Worldwide: Infecting Over 50,000 Devices Daily

Share:

A sophisticated botnet known as MyloBot has compromised thousands of systems, with most of them located in India, the U.S., Indonesia, and Iran.

That’s according to new findings from BitSight, which said it’s “currently seeing more than 50,000 unique infected systems every day,” down from a high of 250,000 unique hosts in 2020.

Furthermore, an analysis of MyloBot’s infrastructure has found connections to a residential proxy service called BHProxies, indicating that the compromised machines are being used by the latter.

MyloBot, which emerged on the threat landscape in 2017, was first documented by Deep Instinct in 2018, calling out its anti-analysis techniques and its ability to function as a downloader.

“What makes MyloBot dangerous is its ability to download and execute any type of payload after it infects a host,” Lumen’s Black Lotus Labs said in November 2018. “This means at any time it could download any other type of malware the attacker desires.”

Last year, the malware was observed sending extortion emails from hacked endpoints as part of a financially motivated campaign seeking over $2,700 in Bitcoin.

MyloBot is known to employ a multi-stage sequence to unpack and launch the bot malware. Notably, it also sits idle for 14 days before attempting to contact the command-and-control (C2) server to sidestep detection.

The primary function of the botnet is to establish a connection to a hard-coded C2 domain embedded within the malware and await further instructions.

“When Mylobot receives an instruction from the C2, it transforms the infected computer into a proxy,” BitSight said. “The infected machine will be able to handle many connections and relay traffic sent through the command-and-control server.”

Subsequent iterations of the malware have leveraged a downloader that, in turn, contacts a C2 server, which responds with an encrypted message containing a link to retrieve the MyloBot payload.

The evidence that MyloBot could be a part of something bigger stems from a reverse DNS lookup of one of the IP addresses associated with the botnet’s C2 infrastructure has revealed ties to a domain named “clients.bhproxies[.]com.”

The Boston-based cybersecurity company said it began sinkholing MyloBot in November 2018 and that it continues to see the botnet evolve over time.

 

(c) Ravie Lakshmanan

Leave a Comment

Your email address will not be published. Required fields are marked *

loader-image
Austria, AT
7:07 pm, Dec 27, 2024
weather icon 2°C
L: 2° H: 2°
few clouds
Humidity 78 %
Pressure 1034 mb
Wind 7 mph SSE
Wind Gust Wind Gust: 5 mph
UV Index UV Index: 0
Precipitation Precipitation: 0 mm
Clouds Clouds: 14%
Rain Chance Rain Chance: 0%
Visibility Visibility: 10 km
Sunrise Sunrise: 7:53 am
Sunset Sunset: 4:22 pm
DailyHourly
Daily ForecastHourly Forecast
Scroll to Top