MyloBot Botnet Spreads Rapidly Around the World: Over 50,000 Devices Infected Every Day


A sophisticated botnet called MyloBot has compromised thousands of systems, mostly in India, the US, Indonesia and Iran.

That's according to new findings from BitSight, which say there are now more than 50,000 unique infected systems per day, down from a high of 250,000 unique hosts in 2020.

Additionally, analysis of MyloBot's infrastructure uncovered connections to a residential proxy service called BHProxies, suggesting that the proxy service was making use of the infected machines.

MyloBot emerged on the threat scene in 2017, and in 2018 Deep Instinct first documented its anti-analysis techniques and its functionality as a downloader.

Lumen's Black Lotus Labs said in November 2018 that MyloBot's danger lies in its ability to download and execute any type of payload after infecting a host. That means it can download any other type of malware the attacker wants at any time.

Last year, the malware was observed sending ransom emails from hacked endpoints as part of a financially motivated campaign seeking more than $2,700 in Bitcoin.

MyloBot is known to employ a multi-stage sequence to unpack and launch the bot malware. Notably, to evade sandboxes and other detection, it also sits idle for 14 days before attempting to contact a command and control (C2) server.

The main function of the botnet is to establish connections with hard-coded C2 domains embedded in the malware and wait for further instructions.

When MyloBot receives instructions from the C2, it turns the infected computer into what BitSight calls a proxy. Infected machines are able to handle many connections and relay traffic on behalf of the command and control server.

Subsequent iterations of the malware leveraged a downloader, which in turn contacted the C2 server, which responded with an encrypted message containing a link to retrieve the MyloBot payload.

Evidence that MyloBot may be part of something larger stems from a reverse DNS lookup of one of the IP addresses associated with the botnet's C2 infrastructure, revealing a connection to a domain named clients.bhproxies[.]com.
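The two behaviours described above, a long dormancy before the first contact with hard-coded C2 domains and a reverse DNS pivot from a C2 IP address to a proxy-service domain, can both be turned into a simple hunting routine over DNS resolver logs. The following is an added example and is not BitSight's or MyloBot's code; the log lines, the C2 watchlist, the IP addresses and the PTR table are all constructed placeholders, and the real hard-coded C2 domains are not reproduced here.

```python
"""Hunting for MyloBot-style dormant beaconing in DNS resolver logs.

Added example, not BitSight's tooling. Every domain, IP address and log line
below is a constructed placeholder (using .invalid and documentation ranges).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log: "<ISO timestamp> <client IP> <queried name> <answer IP>"
SAMPLE_LOG = """\
2023-01-01T08:00:00 10.0.0.5 update.example.com 93.184.216.34
2023-01-01T08:01:00 10.0.0.7 update.example.com 93.184.216.34
2023-01-16T03:12:00 10.0.0.5 c2-placeholder-a.invalid 203.0.113.10
2023-01-16T03:12:05 10.0.0.5 c2-placeholder-b.invalid 203.0.113.11
2023-01-02T09:00:00 10.0.0.7 mail.example.com 93.184.216.35
2023-01-03T10:00:00 10.0.0.9 c2-placeholder-a.invalid 203.0.113.10
"""

# Hypothetical watchlist standing in for the bot's hard-coded C2 domains.
C2_WATCHLIST = {"c2-placeholder-a.invalid", "c2-placeholder-b.invalid"}

# Constructed PTR records standing in for a live reverse DNS lookup of C2 IPs.
# (In the article, the real pivot surfaced clients.bhproxies[.]com.)
PTR_TABLE = {
    "203.0.113.10": "clients.proxy-service.invalid",
    "203.0.113.11": None,  # no PTR record
}

# MyloBot waits roughly two weeks before its first C2 contact.
DORMANCY = timedelta(days=14)


def parse_log(text):
    """Parse the four-column log format into (timestamp, client, qname, answer)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, answer = line.split()
        events.append((datetime.fromisoformat(ts), client, qname.lower(), answer))
    return events


def find_c2_clients(events, watchlist):
    """For each client that queried a watchlisted domain, report when it was
    first seen at all, when it first queried C2, the gap between the two, and
    the answer IPs it received (the pivot material for reverse DNS)."""
    first_seen, first_c2 = {}, {}
    answers = defaultdict(set)
    for ts, client, qname, answer in sorted(events):
        first_seen.setdefault(client, ts)
        if qname in watchlist:
            first_c2.setdefault(client, ts)
            answers[client].add(answer)
    return {
        c: {
            "first_seen": first_seen[c],
            "first_c2": first_c2[c],
            "dwell": first_c2[c] - first_seen[c],
            "answers": sorted(answers[c]),
        }
        for c in first_c2
    }


def dormant_beaconers(report, dormancy=DORMANCY):
    """Clients whose first C2 query came at least `dormancy` after they were
    first observed, i.e. the long-idle pattern the article describes."""
    return sorted(c for c, r in report.items() if r["dwell"] >= dormancy)


def pivot_ptr(report, ptr_table):
    """Map every C2 answer IP to its PTR name, dropping IPs that have none.
    With real data, replace the table lookup with socket.gethostbyaddr()."""
    ips = {ip for r in report.values() for ip in r["answers"]}
    return {ip: ptr_table[ip] for ip in sorted(ips) if ptr_table.get(ip)}


if __name__ == "__main__":
    report = find_c2_clients(parse_log(SAMPLE_LOG), C2_WATCHLIST)
    for client, r in sorted(report.items()):
        print(client, "first C2 contact after", r["dwell"], "answers", r["answers"])
    print("dormant beaconers:", dormant_beaconers(report))
    print("reverse DNS pivot:", pivot_ptr(report, PTR_TABLE))
```

The dwell-time heuristic is only as good as the log's retention: a host that first appears in the logs on the same day it queries C2 (10.0.0.9 in the sample) gets a dwell of zero and is not flagged as dormant, even though it still matches the watchlist, so treat the watchlist hit and the dormancy score as separate signals.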

The Boston-based cybersecurity firm said it began sinkholing MyloBot in November 2018, and that it has continued to see the botnet evolve over time.
