Infecting Over 50,000 Devices Daily

February 21, 2023 | Ravie Lakshmanan | Endpoint Security / Botnet

MyloBot botnet

A sophisticated botnet known as MyloBot has compromised thousands of systems, mostly in India, the United States, Indonesia, and Iran.

That is down from a peak of 250,000 unique hosts in 2020, according to new findings from BitSight, which says: “We’re now seeing over 50,000 unique infected systems every day.”

Additionally, an analysis of MyloBot’s infrastructure uncovered connections to a residential proxy service called BHProxies, indicating that the compromised machines are being used by that service.

First seen in 2017, MyloBot was documented in 2018 by Deep Instinct, which noted its anti-analysis techniques and its ability to act as a downloader.

In November 2018, Lumen’s Black Lotus Labs said: “

Last year, the malware was observed sending extortion emails from hacked endpoints as part of a monetary campaign seeking over $2,700 in Bitcoin.


MyloBot is known to use a multi-stage sequence to unpack and launch the bot malware. Notably, it sits idle for 14 days before attempting to contact a command-and-control (C2) server, in order to evade detection.

The botnet’s main function is to establish a connection to a hardcoded C2 domain embedded in the malware and wait for further instructions.

“When Mylobot receives instructions from the C2, it converts the infected computer into a proxy,” BitSight said. “Infected machines will be able to handle large numbers of connections and relay traffic sent through the command and control server.”

Subsequent iterations of the malware use the downloader to connect to the C2 server, which responds with an encrypted message containing a link from which the MyloBot payload is retrieved.
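The behaviour described above (an infected host turned into a relay that handles many connections on behalf of the C2 server) is something a defender can look for in flow telemetry. The script below is an added example, not code from BitSight or from the article: it aggregates constructed flow records per source host and flags hosts that talk to an unusually large number of distinct destinations with roughly symmetric inbound/outbound byte counts, which is the signature of traffic being relayed rather than consumed. The CSV layout, host names, thresholds and the TEST-NET-3 destination addresses are all assumptions made for the example.

```python
import csv
import io
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample flow records (not real data): one flow per line with
# timestamp, source host, destination IP/port and bytes sent/received.
# ws-101 looks like a normal download-heavy workstation, ws-202 relays
# balanced traffic to many destinations, ws-303 is a single tiny flow.
SAMPLE_FLOWS = """\
timestamp,src_host,dst_ip,dst_port,bytes_out,bytes_in
2023-02-20T10:00:01Z,ws-101,203.0.113.10,443,1200,34000
2023-02-20T10:00:05Z,ws-101,203.0.113.11,443,900,21000
2023-02-20T10:00:09Z,ws-101,203.0.113.10,443,1500,48000
2023-02-20T10:01:00Z,ws-202,203.0.113.20,443,52000,50500
2023-02-20T10:01:02Z,ws-202,203.0.113.21,80,31000,29800
2023-02-20T10:01:03Z,ws-202,203.0.113.22,443,44000,45100
2023-02-20T10:01:04Z,ws-202,203.0.113.23,8080,12000,11500
2023-02-20T10:01:05Z,ws-202,203.0.113.24,443,27000,26000
2023-02-20T10:01:06Z,ws-202,203.0.113.25,443,9000,9100
2023-02-20T10:01:07Z,ws-202,203.0.113.26,443,16000,15800
2023-02-20T10:01:08Z,ws-202,203.0.113.27,443,38000,37900
2023-02-20T10:02:00Z,ws-303,203.0.113.30,443,800,600
"""


@dataclass
class HostStats:
    """Per-source-host aggregate of the flows seen."""
    distinct_dsts: set = field(default_factory=set)
    bytes_out: int = 0
    bytes_in: int = 0
    flows: int = 0


def aggregate(flow_csv: str) -> dict:
    """Group flow records by source host and sum their volumes."""
    stats = defaultdict(HostStats)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        s = stats[row["src_host"]]
        s.distinct_dsts.add(row["dst_ip"])
        s.bytes_out += int(row["bytes_out"])
        s.bytes_in += int(row["bytes_in"])
        s.flows += 1
    return dict(stats)


def symmetry(s: HostStats) -> float:
    """Ratio of the smaller to the larger direction; ~1.0 means relayed traffic."""
    hi = max(s.bytes_in, s.bytes_out)
    return 0.0 if hi == 0 else min(s.bytes_in, s.bytes_out) / hi


def find_relay_hosts(flow_csv: str, min_distinct_dsts: int = 5,
                     min_symmetry: float = 0.6, min_bytes: int = 50_000) -> dict:
    """Return hosts whose traffic pattern looks like proxy relaying.

    All three conditions must hold (assumed thresholds): many distinct
    destinations, near-symmetric byte counts, and enough total volume to
    rule out a handful of small symmetric flows.
    """
    flagged = {}
    for host, s in aggregate(flow_csv).items():
        sym = symmetry(s)
        total = s.bytes_in + s.bytes_out
        if (len(s.distinct_dsts) >= min_distinct_dsts
                and sym >= min_symmetry and total >= min_bytes):
            flagged[host] = {
                "distinct_dsts": len(s.distinct_dsts),
                "flows": s.flows,
                "symmetry": round(sym, 3),
                "total_bytes": total,
            }
    return flagged


if __name__ == "__main__":
    for host, info in find_relay_hosts(SAMPLE_FLOWS).items():
        print(f"relay-like host {host}: {info}")
```

On the sample data only ws-202 is flagged: ws-101 has symmetric-looking volume on one flow but is overwhelmingly download-heavy overall, and ws-303 is symmetric but talks to one destination with negligible volume. In practice the thresholds would be tuned against a baseline of normal workstation behaviour, and the detection would be combined with the other indicators the article mentions, such as contact with a known C2 domain after a long quiet period.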


Evidence that MyloBot may be part of something larger comes from a reverse DNS lookup of one of the IP addresses associated with the botnet’s C2 infrastructure, which returned the name “clients.bhproxies[.]com”, tying that infrastructure to the BHProxies domain.

The Boston-based cybersecurity firm began sinkholing MyloBot in November 2018, and says the botnet has continued to evolve since then.
