More than 50,000 computers are infected with malware every day.
A sophisticated botnet known as MyloBot has compromised thousands of systems, most of them located in India, the US, Indonesia and Iran. According to BitSight, more than 50,000 unique infected systems are currently observed every day; by comparison, over the whole of 2020 MyloBot hit only 250,000 hosts.
MyloBot was first discovered in 2017 and documented by Deep Instinct in mid-2018. In November of the same year, experts from Lumen Black Lotus Labs described the botnet as follows: “What makes MyloBot dangerous is its ability to download and execute any payload after infecting a host. This means that at any time it can download any other type of malware the attacker desires.”
Last year, the malware was seen sending emails with malicious ransomware attachments from jailbroken devices.
MyloBot is known to use a multi-step sequence to unpack and launch the bot. Notably, for two weeks after launch the malware takes no action at all; it contacts the C2 server only after this delay has elapsed, in order to evade detection by antivirus systems.
The main function of the botnet is to establish a connection with the prescribed C2 server and wait for further instructions from it. “When Mylobot receives instructions from the C2 server, it turns the infected computer into a proxy. An infected machine can handle multiple connections and relay traffic,” BitSight said.
When analyzing the infrastructure of MyloBot, experts found connections to the BHProxies residential proxy service, which is used by the compromised machines.
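The proxy behaviour described above (an infected host accepting inbound connections and relaying them onward) leaves a recognisable pattern in network flow logs. The script below is an added defender-side illustration, not BitSight's code or any part of MyloBot's analysis: it flags internal hosts that accept connections from several distinct external sources and, shortly after each, open a connection to a distinct external destination. The flow-record format, the internal address range, the thresholds and the sample records are all constructed assumptions; real deployments would feed it NetFlow or firewall logs and tune the window and thresholds to their environment.

```python
"""Flag internal hosts that behave like traffic relays (open proxies) in flow logs.

Added illustration only; the flow format, thresholds and sample records are
constructed assumptions, not data from the MyloBot research.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed internal address space (constructed).
INTERNAL = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since epoch
    src: str       # source IP
    dst: str       # destination IP
    dport: int     # destination port
    nbytes: int    # bytes transferred


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow line of the form 'ts src dst dport bytes'."""
    ts, src, dst, dport, nbytes = line.split()
    return Flow(float(ts), src, dst, int(dport), int(nbytes))


def is_internal(addr: str) -> bool:
    return ip_address(addr) in INTERNAL


def find_relays(flows, window: float = 5.0, min_peers: int = 3) -> dict:
    """Return {internal_host: (inbound_peer_count, outbound_dest_count)} for hosts
    that accept connections from at least `min_peers` distinct external sources
    and, within `window` seconds of each, open a connection to a distinct
    external destination. That inbound-then-outbound pairing is the relay signature."""
    inbound = defaultdict(list)    # host -> [(ts, external source)]
    outbound = defaultdict(list)   # host -> [(ts, external destination)]
    for f in flows:
        if is_internal(f.dst) and not is_internal(f.src):
            inbound[f.dst].append((f.ts, f.src))
        elif is_internal(f.src) and not is_internal(f.dst):
            outbound[f.src].append((f.ts, f.dst))

    result = {}
    for host, ins in inbound.items():
        outs = sorted(outbound.get(host, []))
        paired_peers, paired_dsts = set(), set()
        for ts_in, peer in ins:
            for ts_out, dst in outs:
                if ts_in <= ts_out <= ts_in + window:
                    paired_peers.add(peer)
                    paired_dsts.add(dst)
        if len(paired_peers) >= min_peers and len(paired_dsts) >= min_peers:
            result[host] = (len(paired_peers), len(paired_dsts))
    return result


# Constructed sample flows using RFC 5737 documentation ranges as "external" addresses.
# 10.0.0.5 accepts connections from three external peers and relays each onward;
# 10.0.0.9 is an ordinary client with one inbound admin session and no relaying.
SAMPLE_FLOWS = [
    "1000.0 203.0.113.10 10.0.0.5 8080 420",
    "1001.2 10.0.0.5 198.51.100.20 443 2100",
    "1005.0 203.0.113.11 10.0.0.5 8080 380",
    "1006.1 10.0.0.5 198.51.100.21 443 1900",
    "1010.0 203.0.113.12 10.0.0.5 8080 400",
    "1011.5 10.0.0.5 198.51.100.22 443 2300",
    "1020.0 10.0.0.9 198.51.100.50 443 900",
    "1021.0 10.0.0.9 198.51.100.51 443 700",
    "1030.0 203.0.113.40 10.0.0.9 22 300",
]


def scan_sample() -> dict:
    """Run the relay heuristic over the constructed sample."""
    return find_relays(parse_flow(line) for line in SAMPLE_FLOWS)


if __name__ == "__main__":
    for host, (peers, dsts) in scan_sample().items():
        print(f"possible relay: {host} ({peers} inbound peers, {dsts} onward destinations)")
```

The heuristic is deliberately conservative: it requires both many distinct inbound sources and many distinct onward destinations, so a busy web server (many inbound, few outbound) or a normal workstation (few inbound, many outbound) does not trip it. A host that does match is worth correlating with the two-week dormancy window noted earlier and with the process that owns the listening socket.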
Researchers from BitSight said that MyloBot, which has changed a great deal since its inception, still has room to develop. Over time the botnet is likely to gain even more features and additional detection-evasion measures, and to grow its base of infected hosts even more rapidly. All this makes MyloBot one of the most dangerous botnets in the world.