A sophisticated botnet known as MyloBot, which emerged in 2017, has been infecting more than 50,000 unique systems every day, security researchers have revealed. Most of the infected computers are located in India, the U.S., Indonesia, and Iran.

Moreover, researchers have discovered some connections between MyloBot and the proxy service BHProxies.

MyloBot with multi-stage sequence

BitSight researchers have found that threat actors are using a new malware variant with downloader capabilities to distribute MyloBot's proxy bot.
  • The first-stage dropper is WillExec, which earlier variants also used. It drops a PE file that performs anti-virtual-machine checks and tries to remove other malware running on the system.
  • In the second stage, the file connects to its C2 server and downloads the next stages. A major change in the recent variant is that the number of hard-coded, encrypted C2 domains has been reduced from more than 1000 (before 2022) to just three.
  • In the third stage, the downloader decrypts the domains at runtime and tries to connect to the associated subdomains. The C2 server responds with an encrypted message that contains a link to retrieve the MyloBot payload responsible for performing network communications.

Attackers can use MyloBot to download and execute any malware of their choice on the infected systems. The latest proxy bot variant distributed different payloads from those seen in earlier variants.

(Ab)use of BHProxies

  • The botnet’s main function is to establish a connection to a hard-coded C2 domain embedded within the malware and wait for further instructions.
  • When it receives an instruction from the C2, it transforms the infected computer into a proxy using BHProxies.
  • It enables the attackers to use the infected machine to handle many connections and relay traffic sent through the C2 server.
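As an added example (not code from the article or from BitSight's research), the following Python sketches how a defender might surface the two behaviours listed above in outbound connection logs: a host beaconing to a single domain at regular intervals while it waits for instructions, followed by a sudden jump in the number of distinct destinations once the host starts relaying traffic as a proxy. All hosts, domains and timestamps are constructed, and the thresholds are assumptions to be tuned per environment.

```python
"""Heuristic detection of proxy-bot behaviour in outbound flow logs.

Added example, not from the article: it scores internal hosts on two signals
the article attributes to MyloBot's proxy bot:
  1. periodic beaconing to one domain (waiting for C2 instructions), and
  2. a surge in distinct outbound destinations right after the first beacon
     (the infected host relaying traffic as a proxy).
Every host, domain and timestamp below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import pstdev


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since epoch (constructed)
    src: str     # internal host
    dst: str     # destination domain
    dport: int


def beaconing_domains(flows, min_hits=4, max_jitter=0.2):
    """Return {src: [dst, ...]} for pairs contacted at near-regular intervals.

    Jitter is the standard deviation of the inter-arrival gaps divided by their
    mean; low jitter with several hits suggests a scheduled check-in rather
    than human-driven traffic. Thresholds are assumptions."""
    per_pair = defaultdict(list)
    for f in flows:
        per_pair[(f.src, f.dst)].append(f.ts)
    result = defaultdict(list)
    for (src, dst), times in per_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and pstdev(gaps) / mean <= max_jitter:
            result[src].append(dst)
    return dict(result)


def fanout_after_beacon(flows, beacons, window=600, min_ratio=5.0, min_dests=20):
    """For each beaconing host, compare distinct destinations before the first
    beacon with those in the window after it (excluding the C2 domains).

    A large jump is consistent with the host being turned into a relay.
    Returns {src: {"c2": [...], "before": n, "after": m}} for flagged hosts."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    flagged = {}
    for src, c2s in beacons.items():
        host_flows = by_src[src]
        first_beacon = min(f.ts for f in host_flows if f.dst in c2s)
        before = {f.dst for f in host_flows if f.ts < first_beacon}
        after = {f.dst for f in host_flows
                 if first_beacon <= f.ts < first_beacon + window and f.dst not in c2s}
        if len(after) >= min_dests and len(after) >= min_ratio * max(len(before), 1):
            flagged[src] = {"c2": c2s, "before": len(before), "after": len(after)}
    return flagged


def sample_flows():
    """Constructed flow log: one healthy host and one that beacons then relays."""
    flows = [
        # benign baseline for the host that will later be infected
        Flow(900, "10.0.0.5", "intranet.example", 443),
        Flow(950, "10.0.0.5", "mail.example", 443),
    ]
    # a healthy host with irregular, human-looking traffic to one site
    flows += [Flow(t, "10.0.0.7", "intranet.example", 443) for t in (905, 1010, 1300, 1500, 1800)]
    # check-ins to a constructed C2 domain every 60 seconds
    flows += [Flow(1000 + 60 * i, "10.0.0.5", "c2-example.invalid", 443) for i in range(5)]
    # relay fan-out: 30 new destinations within a few minutes of the first beacon
    flows += [Flow(1005 + 10 * i, "10.0.0.5", f"relay-target-{i}.invalid", 80) for i in range(30)]
    return flows


def detect(flows):
    """Run both heuristics and return the hosts flagged as likely proxy bots."""
    return fanout_after_beacon(flows, beaconing_domains(flows))


if __name__ == "__main__":
    for host, info in detect(sample_flows()).items():
        print(f"{host}: beacons to {info['c2']}, "
              f"{info['before']} -> {info['after']} distinct destinations")
```

The beaconing check alone would also flag legitimate scheduled traffic (software updaters, monitoring agents), so the fan-out comparison is what narrows the result to hosts whose traffic profile changed in the way a newly recruited proxy node's would; in practice the domain list from the first heuristic is also the natural place to join against threat-intelligence feeds.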

Is BHProxies malicious?

Through several experiments, researchers were able to confirm that the computers infected by MyloBot are used by the BHProxies service. However, they were not able to confirm whether BHProxies is a malicious service operated by adversaries or a genuine service being abused by MyloBot.

Conclusion

The gradual evolution of MyloBot indicates that its operators are preparing to escalate their attacks. Moreover, the botnet is expanding its reach into new geographical areas in North America and East and Southeast Asia. Thus, organizations should stay alert and continuously assess and audit their security defenses.
Cyware Publisher