US-based Cyber Security company BitSight have recently released a report about a botnet which is increasing its capability by over 50,000 newly infected devices every day.

MyloBot has compromised thousands of systems, with most of them located in India, the U.S.A., Indonesia, and Iran.

MyloBot history

MyloBot was first discovered in the wild in 2017, and at the time it had three distinct stages of the infection.

Stage one is the WillExec dropper. This embeds an encrypted resource and performs anti-debugging checks using the Windows API calls CreateTimerQueueTimer and SetUnhandledExceptionFilter. These checks are there to decide whether the infected machine is a “real” machine or a sandboxed device set up to catch malware.

Once the malware is happy to run, the encrypted resource is decrypted, revealing shellcode that creates a new process on the victim machine by replacing the contents of an existing process. This activity is known as process hollowing and is intended to fool the victim's machine into allowing the malicious process to run because it looks like a legitimate process.

The name “WillExec” comes from an API call which this stage runs multiple times: MessageBoxA(0xffffa481, "Will exec", 0, 0);

Stage two of the infection contains two resources:

  • An encrypted resource
  • A 4-byte resource

The 4-byte resource is the key for an RC4 cipher which is used to decrypt the encrypted resource.

Once decrypted, the program locates a function called _ep@4 and executes it. This function locates the Windows Update service (wusaupdate) and disables it.

The function also disables the Windows Defender security suite (windefender), and adds a series of firewall rules to block all outgoing TCP connections to the following ports:

  • 2900
  • 1100
  • 2200
  • 3300
  • 4400
  • 5500
  • 6600
  • 7700
  • 8800
  • 9900

Stage three turns the infected device into a proxy for others to connect to and creates persistence by editing the registry key Software\Microsoft\Windows\CurrentVersion\Run with a value that points to the file stored on the machine during stage two.

Finally, the binary stores an encoded FILETIME on the filesystem in %TEMP%\dd.te. The malware will then start communicating with the command and control server only once 12 days have passed since the date written in this file.
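The 12-day dormancy is worth modelling during triage: a host can carry a fully staged infection for nearly two weeks before any C2 traffic exists to detect. The following Python helper is an added example written for this article, not code from BitSight's report or from the malware. It decodes a Windows FILETIME and works out when a given dd.te timestamp would unlock C2 communications. The article only says the FILETIME is "encoded" without describing the encoding, so the helper assumes the file holds a raw little-endian 64-bit FILETIME; the sample bytes, the helper names and the 12-day constant's use are constructed for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

# A Windows FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Dormancy period described in the article before the bot contacts its C2.
DORMANCY = timedelta(days=12)


def utc(year: int, month: int, day: int) -> datetime:
    """Small convenience for building aware UTC datetimes."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a raw FILETIME integer to an aware UTC datetime (100 ns -> microseconds)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion, used here only to build the constructed sample file."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_dd_te(blob: bytes) -> datetime:
    """ASSUMPTION: dd.te holds one little-endian 64-bit FILETIME.

    The article does not document the real encoding; replace this
    function with the true decoder once the sample has been analysed.
    """
    if len(blob) != 8:
        raise ValueError(f"expected 8 bytes of FILETIME, got {len(blob)}")
    (ft,) = struct.unpack("<Q", blob)
    return filetime_to_datetime(ft)


def c2_activation(blob: bytes, now: datetime) -> dict:
    """Report when the bot described in the article would start talking to its C2.

    Returns the timestamp written to the file, the earliest C2 contact time,
    whether the bot is still dormant at `now`, and how long remains.
    """
    written = parse_dd_te(blob)
    activates = written + DORMANCY
    return {
        "written": written,
        "activates": activates,
        "dormant": now < activates,
        "remaining": max(activates - now, timedelta(0)),
    }


# Constructed sample: a dd.te written on 2023-02-01 (not a real artefact).
SAMPLE_WRITTEN = utc(2023, 2, 1)
SAMPLE_BLOB = struct.pack("<Q", datetime_to_filetime(SAMPLE_WRITTEN))

if __name__ == "__main__":
    for check_date in (utc(2023, 2, 5), utc(2023, 2, 14)):
        r = c2_activation(SAMPLE_BLOB, check_date)
        state = "dormant" if r["dormant"] else "active"
        print(f"{check_date.date()}: {state}, C2 contact from {r['activates'].date()}")
```

Run against a real dd.te from an infected host, the "activates" value gives the earliest time the DNS and proxy activity described later in this article can appear, which is useful when deciding how far back to search network logs.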

Communications capability

The first version of MyloBot had a unique network fingerprint. It embeds more than 1000 hard-coded domains, mostly ending with .ru or .com. All domains look like they have been generated by a domain generation algorithm (DGA).

For each of these 1000 domains, the infected machine tries to connect to many subdomains, most beginning with letters x, w, or m, followed by a number.

An example of some such DNS requests would be:

  • m1.fywkuzp[.]ru:7432
  • m2.fywkuzp[.]ru:7432
  • m3.fywkuzp[.]ru:7432

This ultimately means that MyloBot produces thousands of DNS requests, which makes it quite noisy.

If the malware successfully connects to one of those domains, it keeps the connection open and waits for an instruction from the command and control server (C2).

When MyloBot receives an instruction from the C2, it transforms the infected computer into a proxy. The infected machine will be able to handle many connections and relay traffic sent through the command and control server.

When the C2 server sends the infected bot an instruction, it uses a simple message ID. From the samples observed, the list below details the instructions which can be given to a MyloBot machine:

Message ID (msg_id)  Description
1                    Connect to an IP:port
2                    Close a connection (specified by its ID, data[0:4])
3                    Send data to a connected IP/domain:port (specified by its ID, data[0:4])
4                    Restart the client networking
5                    End all active connections
6                    Echo
7                    Download a binary using HTTP
8                    Download multiple binaries using HTTP, with a delay (8 hours)
17                   Connect to a domain:port
19                   Force a re-read from a socket (specified by its ID)

MyloBot instructions

2018 update

In 2018, MyloBot received an update which alters the stages of the infection. Some of the changes are listed below:

  • The 1000+ hard-coded domains are now encrypted
  • The subdomains it tries to reach are now buy1, v1 and up1
  • The third stage now incorporates a downloader

The update to the third stage is the most dangerous part of the update because it gives MyloBot the ability to download and execute any type of payload after it infects a host.
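The DNS behaviour described in the "Communications capability" section (x/w/m plus a number, spread across many DGA-looking domains) and the 2018 change to buy1, v1 and up1 subdomains give defenders a simple, noisy signal to hunt for. The following Python script is an added example written for this article, not BitSight's detection logic or any published signature. It scans DNS query log lines and flags clients that query those subdomain labels across many distinct base domains. The log line format, the client IPs, all domains other than fywkuzp.ru (which the article itself lists), the threshold of five distinct domains and the generalisation of the 2018 labels to "prefix followed by any number" are assumptions made for the example.

```python
import re
from collections import defaultdict

# Subdomain labels described in the article: x/w/m + number (2017 build)
# and buy1, v1, up1 (2018 update). ASSUMPTION: the 2018 labels are
# generalised to the prefix followed by any number.
LABEL_RE = re.compile(r"^(?:[xwm]|buy|v|up)\d+$")

# ASSUMPTION: tunable threshold. MyloBot cycles through hundreds of domains,
# so even a low bar separates it from ordinary hosts; raise it for busy networks.
DOMAIN_THRESHOLD = 5


def parse_line(line: str):
    """Parse one constructed log line: '<timestamp> <client_ip> <qname> <qtype>'."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, client, qname, _qtype = parts
    return client, qname.rstrip(".").lower()


def split_qname(qname: str):
    """Return (leftmost label, registrable base domain) or None for short names.

    ASSUMPTION: base domain is the last two labels, which is enough for the
    .ru/.com names the article describes; a public-suffix list would be more exact.
    """
    labels = qname.split(".")
    if len(labels) < 3:
        return None
    return labels[0], ".".join(labels[-2:])


def find_mylobot_candidates(lines, threshold: int = DOMAIN_THRESHOLD) -> dict:
    """Map client IP -> sorted list of suspicious base domains, for clients over threshold."""
    hits = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, qname = parsed
        split = split_qname(qname)
        if split is None:
            continue
        label, base = split
        if LABEL_RE.match(label):
            hits[client].add(base)
    return {client: sorted(doms) for client, doms in hits.items() if len(doms) >= threshold}


# Constructed sample log. 10.0.0.5 behaves like the bot; 10.0.0.9 is a normal host
# that happened to resolve one of the same names once.
SAMPLE_LOG = """\
2023-02-20T10:00:01Z 10.0.0.5 m1.fywkuzp.ru A
2023-02-20T10:00:01Z 10.0.0.5 m2.fywkuzp.ru A
2023-02-20T10:00:02Z 10.0.0.5 x3.abcdqwe.com A
2023-02-20T10:00:02Z 10.0.0.5 w7.qqzrtyu.ru A
2023-02-20T10:00:03Z 10.0.0.5 buy1.lkjhgfd.ru A
2023-02-20T10:00:03Z 10.0.0.5 v1.mnbvcxz.com A
2023-02-20T10:00:04Z 10.0.0.5 up1.poiuytr.ru A
2023-02-20T10:00:05Z 10.0.0.9 www.example.com A
2023-02-20T10:00:06Z 10.0.0.9 m1.fywkuzp.ru A
2023-02-20T10:00:07Z 10.0.0.9 mail.corp.example A
""".splitlines()

if __name__ == "__main__":
    for client, domains in find_mylobot_candidates(SAMPLE_LOG).items():
        print(f"{client}: {len(domains)} suspicious base domains, e.g. {domains[:3]}")
```

The threshold matters more than the regex: the labels alone are short enough to collide with legitimate hostnames (m1, v1 and up1 are plausible real names), so the detection keys on the breadth of distinct base domains a single client touches, which is the property the article calls "quite noisy".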

In 2022, MyloBot infected machines started to send extortion emails from victim machines to other internet users in a massive phishing campaign.

Recently researchers have seen an increase in MyloBot infections, indicating that it may have received another update which utilises a new way of infecting target machines.

Whilst 50,000 machines infected daily is a large number by any standard, the count of infected machines is not yet at the peak the MyloBot network reached in 2020, when over 250,000 machines were compromised. However, at the rate it appears to be expanding, that figure may be surpassed soon.