Mylobot: Investigating a proxy botnet | Bitsight

Bitsight profiles Mylobot, a proxy botnet that turns infected hosts into proxies controlled by a C2, with a downloader that expands the network via WillExec and links to BHProxies. The operation features extensive hardcoded and encrypted domain lists, large DNS activity, and telemetry showing a sizeable global botnet, including India, the US, and other countries. #Mylobot #BHProxies #Khalesi #Zusy

Keypoints

  • Mylobot infects machines and transforms them into proxies that relay traffic back to the C2.
  • The malware generates thousands of DNS requests, creating a noisy infection signal.
  • A command-and-control protocol uses messages with fields like conn_id and msg_id to issue instructions (e.g., connect, close, send data, download).
  • Since 2018 a new downloader (the WillExec dropper) has distributed Mylobot; it runs anti-VM checks before fetching the next stages.
  • The downloader carries more than 1000 hardcoded C2 domains, stored AES-ECB encrypted and decrypted at runtime, and likely uses a DGA to resolve C2 domains.
  • BHProxies appears linked to Mylobot: the numerous residential proxies it sells and the IPs it shares with the botnet suggest intertwined operations.
  • Sinkhole telemetry collected since 2018 peaked at ~250k daily infections in early 2020; since 2022 the count has stayed at ~50k+ per day, with potentially over 150k total.
  • Infection heatmaps show India as the most affected country, followed by the US, Indonesia, and Iran.

MITRE Techniques

  • [T1071] Web Protocols – C2 communications over HTTP/S with commands and data exchange, e.g., “Download a binary using HTTP” and “Connect to an IP:port.”
  • [T1105] Ingress Tool Transfer – Downloader retrieves next-stage payloads over HTTP, i.e., “Download a binary using HTTP.”
  • [T1027] Obfuscated/Compressed Files and Information – Domains are AES-ECB encrypted with a fixed key and decrypted at runtime; “AES-ECB encrypted with the key GD!brWJJBeTgTGSgEFB/quRcfCkBHWgl.” The key is 32 bytes, so this is AES-256; because ECB has no IV or chaining, identical plaintext blocks encrypt to identical ciphertext blocks, which is a cheap tell when hunting for the list in a sample.
  • [T1497] Virtualization/Sandbox Evasion – Uses anti virtual machine checks to deter analysis, described as “anti virtual machine checks.”
  • [T1583] Acquire Infrastructure – Large set of hardcoded encrypted C2 domains (over 1000) that the operators must register; “hardcoded encrypted command and control domains (more than 1000)”. The DGA behaviour the report references maps to Dynamic Resolution: Domain Generation Algorithms [T1568.002] rather than to T1583.
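The following is an added example, not code from Bitsight or from the Mylobot sample, showing how an analyst would recover a domain list that is AES-ECB encrypted with the quoted 32-byte key, and why ECB is easy to spot. The only fact taken from the report is the key; the blob layout (newline-separated entries with PKCS#7 padding) is an assumption for the demo, so EncryptDomainList exists purely to construct sample input. A real sample would supply the blob carved from the downloader.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"errors"
	"fmt"
	"strings"
)

// Key Bitsight quotes for the downloader's hardcoded domain list.
// It is 32 bytes, so this is AES-256.
const MylobotKey = "GD!brWJJBeTgTGSgEFB/quRcfCkBHWgl"

// ecb applies the raw AES block function to every 16-byte block on its own.
// ECB has no IV and no chaining, so identical plaintext blocks yield identical
// ciphertext blocks; that is the weakness RepeatedBlocks relies on.
func ecb(key, in []byte, decrypt bool) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(in) == 0 || len(in)%aes.BlockSize != 0 {
		return nil, errors.New("input length is not a multiple of 16")
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		if decrypt {
			blk.Decrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		} else {
			blk.Encrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		}
	}
	return out, nil
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding length")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptDomainList only exists to construct a sample blob for this demo; an
// analyst would carve the real blob out of the downloader instead. The layout
// (newline-separated entries, PKCS#7 padding) is an assumption, not Mylobot's.
func EncryptDomainList(key string, domains []string) ([]byte, error) {
	return ecb([]byte(key), pkcs7Pad([]byte(strings.Join(domains, "\n"))), false)
}

// DecryptDomainList is the analyst-side routine: decrypt, strip padding, split.
func DecryptDomainList(key string, blob []byte) ([]string, error) {
	pt, err := ecb([]byte(key), blob, true)
	if err != nil {
		return nil, err
	}
	if pt, err = pkcs7Unpad(pt); err != nil {
		return nil, err
	}
	return strings.Split(string(pt), "\n"), nil
}

// RepeatedBlocks counts ciphertext blocks that repeat an earlier block. Any
// non-zero count on a blob is a cheap tell for ECB; CBC or CTR output would
// not repeat like this.
func RepeatedBlocks(ct []byte) int {
	seen := map[string]bool{}
	dup := 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b] {
			dup++
		}
		seen[b] = true
	}
	return dup
}

func main() {
	blob, _ := EncryptDomainList(MylobotKey, []string{"fywkuzp.ru:7432", "v1.flkpuod.ru:5796"})
	got, _ := DecryptDomainList(MylobotKey, blob)
	fmt.Println(got, "repeated blocks:", RepeatedBlocks(blob))
}
```

When working on a real blob, run RepeatedBlocks first: a list of similar-looking `v1.xxxxxxx.ru:NNNN` entries padded to block boundaries tends to produce repeats, which confirms the mode before you spend time on the key.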

Indicators of Compromise

  • [Domain] C2 domains – fywkuzp.ru:7432, v1.flkpuod.ru:5796, v1.iqaagar.ru:2919, v1.fchbwme.ru:7533, and other domains listed in the source
  • [IP Address] C2/Downloader traffic – 89.39.105.47, 89.38.96.140, and 18 more IPs listed in the source
  • [Hash] Mylobot proxy – 84733af3b60b966042d5cd17e12fd8d90650e0731297d203bd913dc5c663b91c and 11fc02dd825c8e67d58cc40a47e3f4c572097bd58c6aae80591a5fb73b9167f2, and 6 more hashes listed in the source
  • [Hash] Mylobot downloader – cfde42903367d77ab7d5f7c2a8cfc1780872d6f1bfac42e9c2577dfd4b6cdeb2, fcdb7247aa6e41ff23dc1747517a3682e5a89b41bfd0f37666d496a1d3faa4ba, ad53ad1d3e4ac4cc762f596af8855fd368331d9da78f35d738ae026dd778eb9f
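The following is an added detection example, not code from Bitsight, that ties two points above together: the "thousands of DNS requests" noise from the Keypoints, and the C2 domain IOCs just listed. It walks a constructed DNS query log, counts distinct names and NXDOMAIN answers per client, and matches names against the IOC list with ports stripped (a DNS query carries only the name). The log format (`<ts> <client> <qname> <rcode>`), the client addresses, the benign names and the `dgaNNNNN.ru` placeholders are all constructed for the demo; the four C2 hostnames are the ones the report lists.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// C2 hostnames from the Bitsight IOC list, ports stripped because a DNS
// query only carries the name.
var MylobotC2Hosts = map[string]bool{
	"fywkuzp.ru":    true,
	"v1.flkpuod.ru": true,
	"v1.iqaagar.ru": true,
	"v1.fchbwme.ru": true,
}

// Finding summarises one client's DNS behaviour in the window analysed.
type Finding struct {
	Client      string
	Queries     int      // total queries seen
	UniqueNames int      // distinct names; DGA-driven hosts churn through many
	NXDomain    int      // NXDOMAIN answers; unregistered DGA names produce these
	IOCHits     []string // names that match the published C2 list
}

// Analyze parses lines of the constructed form "<ts> <client> <qname> <rcode>",
// flags clients whose distinct-name count exceeds threshold or that resolved a
// known C2 name, and returns (flagged, clean). Malformed lines are skipped.
func Analyze(lines []string, threshold int) ([]Finding, []Finding) {
	type acc struct {
		q, nx int
		names map[string]bool
		ioc   []string
	}
	per := map[string]*acc{}
	for _, ln := range lines {
		f := strings.Fields(ln)
		if len(f) != 4 {
			continue
		}
		client := f[1]
		qname := strings.ToLower(strings.TrimSuffix(f[2], "."))
		a := per[client]
		if a == nil {
			a = &acc{names: map[string]bool{}}
			per[client] = a
		}
		a.q++
		if f[3] == "NXDOMAIN" {
			a.nx++
		}
		if !a.names[qname] {
			a.names[qname] = true
			if MylobotC2Hosts[qname] {
				a.ioc = append(a.ioc, qname)
			}
		}
	}
	var flagged, clean []Finding
	for c, a := range per {
		sort.Strings(a.ioc)
		fd := Finding{Client: c, Queries: a.q, UniqueNames: len(a.names), NXDomain: a.nx, IOCHits: a.ioc}
		if fd.UniqueNames > threshold || len(fd.IOCHits) > 0 {
			flagged = append(flagged, fd)
		} else {
			clean = append(clean, fd)
		}
	}
	byClient := func(s []Finding) { sort.Slice(s, func(i, j int) bool { return s[i].Client < s[j].Client }) }
	byClient(flagged)
	byClient(clean)
	return flagged, clean
}

// SampleLog builds a constructed log: 10.0.0.5 mimics an infected host that
// churns through n never-registered .ru names and then touches two real IOCs;
// 10.0.0.7 is an ordinary workstation resolving a few benign names repeatedly.
func SampleLog(n int) []string {
	var lines []string
	for i := 0; i < n; i++ {
		lines = append(lines, fmt.Sprintf("t%d 10.0.0.5 dga%05d.ru NXDOMAIN", i, i))
	}
	lines = append(lines,
		"t10000 10.0.0.5 v1.flkpuod.ru NOERROR",
		"t10001 10.0.0.5 fywkuzp.ru NOERROR",
		"t10002 10.0.0.5 fywkuzp.ru NOERROR")
	benign := []string{"example.com", "update.microsoft.com", "login.live.com"}
	for i := 0; i < 40; i++ {
		lines = append(lines, fmt.Sprintf("t%d 10.0.0.7 %s NOERROR", 20000+i, benign[i%3]))
	}
	lines = append(lines, "malformed line that the parser skips")
	return lines
}

func main() {
	flagged, clean := Analyze(SampleLog(2000), 100)
	for _, f := range flagged {
		fmt.Printf("FLAG %s queries=%d unique=%d nxdomain=%d ioc=%v\n",
			f.Client, f.Queries, f.UniqueNames, f.NXDomain, f.IOCHits)
	}
	fmt.Println("clean clients:", len(clean))
}
```

The distinct-name count, not the raw query count, is the useful signal: a busy but healthy host repeats the same few names, while a DGA host's names are mostly unique and mostly NXDOMAIN. Tune the threshold to the window you analyse, and treat any IOC hit as a flag regardless of volume.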

Read more: https://www.bitsight.com/blog/mylobot-investigating-proxy-botnet