Infection by MyloBot is Spreading Rapidly
According to BitSight, a cybersecurity company based in Boston, a sophisticated botnet known as MyloBot is currently infecting more than 50,000 unique systems every day, the majority of them located in India, the U.S., Indonesia, and Iran.
MyloBot surfaced on the threat landscape back in 2017 and was first documented by Deep Instinct in 2018, which revealed its ability to operate as a downloader with anti-analysis capabilities.
MyloBot can download and execute any payload or malware the attacker chooses at any time after the initial infection. It uses a multi-stage sequence to unpack and launch the bot malware, and sits idle for 14 days before attempting to contact the command-and-control (C2) server, in order to avoid detection.
MyloBot's main function is to establish a connection to a hard-coded C2 domain embedded in the malware and await further instructions. Once instructions are received from the C2, the infected computer is turned into a proxy capable of handling many connections and relaying traffic sent through the C2.
Later versions of the malware have used a downloader that contacts a C2 server that answers with an encrypted message containing a link for retrieving the MyloBot payload.
A reverse DNS (Domain Name System) lookup of one of the IP addresses associated with MyloBot’s command-and-control infrastructure revealed ties to a domain named “clients.bhproxies[.]com”. This is evidence that MyloBot could be part of something bigger.
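For defenders, the practical follow-up to a reported indicator like the domain above is to check whether any internal host has resolved it. The script below is an added example, not code from the article or from BitSight: it refangs the defanged indicator, then scans resolver log lines (constructed here, in a simplified dnsmasq-style format that is an assumption) for queries to that domain or any of its subdomains, while ignoring look-alike names that merely contain it.

```python
import re
from collections import defaultdict

# Indicator from the article, in its defanged form.
DEFANGED_C2_DOMAIN = "clients.bhproxies[.]com"

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower().rstrip(".")

def matches_domain(qname: str, indicator: str) -> bool:
    """True if qname equals the indicator or is a subdomain of it.
    A name that only *contains* the indicator (e.g. a look-alike) does not match."""
    q = qname.lower().rstrip(".")
    return q == indicator or q.endswith("." + indicator)

# Constructed resolver log lines (assumed format):
# "<date> <time> query[<type>] <qname> from <client_ip>"
LOG_LINE = re.compile(r"^(\S+ \S+) query\[(\w+)\] (\S+) from (\S+)$")

SAMPLE_LOG = """\
2023-02-23 09:14:01 query[A] clients.bhproxies.com from 10.0.4.17
2023-02-23 09:14:03 query[A] www.example.org from 10.0.4.18
2023-02-23 09:15:12 query[AAAA] node7.clients.bhproxies.com from 10.0.4.17
2023-02-23 09:16:40 query[A] bhproxies.com.evil-lookalike.test from 10.0.4.19
2023-02-23 09:17:05 query[A] clients.bhproxies.com from 10.0.4.21
"""

def find_hosts_resolving(log_text: str, defanged_indicator: str) -> dict:
    """Map each client IP that queried the indicator domain (or a subdomain)
    to the list of names it asked for, in log order."""
    indicator = refang(defanged_indicator)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than abort the scan
        _ts, _qtype, qname, client = m.groups()
        if matches_domain(qname, indicator):
            hits[client].append(qname)
    return dict(hits)

if __name__ == "__main__":
    for host, names in find_hosts_resolving(SAMPLE_LOG, DEFANGED_C2_DOMAIN).items():
        print(f"{host}: {', '.join(names)}")
```

Hosts flagged this way are candidates for the 14-day dormancy pattern described above, so the first beacon may appear well after the initial infection date.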
BitSight said it began sinkholing the botnet in November 2018 and continues to see it evolve over time.
From The Hacker News