Tuesday, November 12, 2024
HomeBotnetMyloBot Botnet Attacks Thousands of Windows Systems and Turns Them as Proxy

MyloBot Botnet Attacks Thousands of Windows Systems and Turns Them as Proxy

Published on

Malware protection

BitSight recently detected MyloBot, an advanced botnet that has successfully infiltrated numerous computer systems, primarily situated in four countries:- 

  • India
  • The United States
  • Indonesia
  • Iran

The botnet has targeted and compromised thousands of systems, demonstrating its ability to operate on a massive scale across a wide geographical range.

According to BitSight report, there has been a significant decline in the number of unique infected systems per day, which has dropped to just over 50,000. This figure represents a noteworthy reduction from the peak observed in 2020 when the number of unique hosts infected by malware reached a high of 250,000.

- Advertisement - SIEM as a Service

An in-depth investigation into MyloBot’s infrastructure has uncovered ties to BHProxies, a residential proxy service. 

This discovery suggests that the botnet is exploiting the compromised computer systems for BHProxies’ purposes, potentially utilizing their computing power to carry out illicit activities.

Technical Analysis

First identified by Deep Instinct in 2018, MyloBot is a highly sophisticated malware that surfaced in the threat landscape in 2017. 

This malicious software is renowned for its anti-analysis techniques, which make it challenging for security analysts to dissect and understand its workings fully. 

Moreover, MyloBot can function as a downloader, enabling it to download and execute additional malware or malicious tools on the compromised system.

One of the most alarming features of MyloBot is its capability to download and execute any form of payload once it successfully infects a host system. As a result, it is possible for an attacker to download any type of malware at any time.

MyloBot was detected engaging in a financially-motivated campaign last year, where it sent extortion emails to unsuspecting recipients using hacked endpoints. 

In these emails, the malware threatened to release sensitive or potentially embarrassing information to the public if a ransom of over $2,700 in Bitcoin was not paid.

In order to unpack and initiate the bot malware, MyloBot implements a complex multi-stage process in which it uses a variety of methods.

While it remains inactive for two weeks before establishing communication with the command-and-control server (C2), a tactic used to evade detection.

MyloBot botnet creates a connection to a pre-programmed command-and-control (C2) domain that is integrated into the malware and it’s the foremost objective of MyloBot.

Once connected, the botnet lies dormant until it receives further instructions from the C2 server. MyloBot is responsible for transforming the infected computer into a proxy whenever it receives an instruction from the C2.

Once a system is infected with the MyloBot malware, it can function as a powerful tool for the cybercriminals behind the botnet. The compromised machine can handle multiple connections and serve as a relay point for traffic that is transmitted through the C2 server.

As the malware evolves over time, newer versions of it utilize a downloader that establishes communication with a C2 server. Upon receiving an encrypted message from the server, the downloader decrypts it and recovers a link to obtain the MyloBot payload.

To obtain an encrypted message containing a link to download the MyloBot malware payload, the recent versions of MyloBot utilize a downloader that communicates with a C2 server. 

This multi-step process is designed to evade detection and ensure that the botnet can propagate effectively across multiple systems.

Evolution

There are not many changes that have taken place over the years regarding the MyloBot. While MyloBot has undergone various iterations, one notable change has been the number of command-and-control (C2) domains hardcoded in the malware binary. 

Initially, the number of C2 domains was approximately 1000, but since the beginning of 2022, it has decreased to only three:-

  • fywkuzp[.]ru:7432
  • dealpatu[.]ru:8737
  • rooftop7[.]ru:8848

This change could indicate a shift in the botnet’s strategy or a response to efforts to disrupt its activities. It seems that the website bhproxies[.]com is pretty explicit when it comes to what it offers.

This service offers Backconnect residential proxies, and Backconnect offers a wide range of IP addresses from all over the globe.

Their service includes the ability to provide clients with customized packages, with an IP address range of up to 150,000 unique addresses, if they wish.

MyloBot’s potential involvement in a larger operation has been suggested by findings that indicate a connection between the botnet’s C2 infrastructure and the domain clients.bhproxies[.]com. The association was discovered through a reverse DNS lookup of one of the IP addresses linked to MyloBot.

Network Security Checklist – Download Free E-Book

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Maximizing Agent Productivity And Security With Workforce Management Software In Contact Centers

In the bustling world of customer service, the stakes are perpetually high—every missed call...

CRON#TRAP Campaign Attacks Windows Machine With Weaponized Linux Virtual Machine

Weaponized Linux virtual machines are used for offensive cybersecurity purposes, such as "penetration testing"...