The Mylobot botnet is a family of zombies that target Windows operating systems. It has employed a significant number of Fake-DGA domains to counter traditional blacklisting detection techniques. In 2020, we published an article titled "Mylobot Botnet Still Active: Revealing the C2 Decryption Process," discussing the decryption method for embedded domains and providing insights into batch decryption. Despite our efforts, the group remains active, and we have conducted further analysis on their malicious software operations.
The Mylobot botnet was discovered and named by Deepinstinct in 2018. The main focus of their report was on the mylobot-proxy malware, primarily designed for network proxy functionality. Our decryption analysis in 2020 was also centered around the mylobot-proxy sample. However, it's worth noting that mylobot-proxy is just one of the malicious software operated by the Mylobot group. Other significant malicious software they run includes mylobot-core and others.
Packer-Shellcode
All the malicious software used by Mylobot is packed and loaded by Packer-Shellcode. This packing includes built-in WindowsAPI name hash values required for loading the Shellcode, which then retrieves the corresponding API addresses using these hash values.
RC4 decryption of all-zero data results in a sequence of byte lists, with these byte lists used as the key to perform logical operations with the ciphertext in the resources. This process leads to the creation of Shellcode and PE files. The Shellcode creates a new process as the host process, hollows it, and maps the decrypted PE file into this process. The decrypted PE file is the next stage of malicious software of the Packer-Shellcode.
The purpose of packing the malicious software is to evade direct detection. However, the Mylobot group has not updated the Packer they use. The latest Packer-Shellcode we have captured shows no significant differences from the 2017 version and has a relatively high detection rate on VT (VirusTotal).
mylobot-proxy
Mylobot-proxy transforms compromised machines into network proxy nodes, forwarding traffic through C2 (Command and Control) issued proxy tasks. This malicious software serves as the primary profit generator for the Mylobot group. Like other components, it is also loaded using the Packer-Shellcode tool but is controlled by a controller Loader. The loading process can be summarized in the following nested form:
Early versions of the QiAnXin Mylobot-proxy embedded a large number of Fake-DGA domains, and attackers only registered some of these domains as actual C2 (Command and Control) servers. While this approach could prevent the domains from being blacklisted to some extent, it also created another drawback. Other analysts could choose to register some of these domains and assess the scale of the botnet or even take control of it. In our observation, the updated version of Mylobot-proxy in 2022 no longer uses the Fake-DGA technique.
The actual domain format that mylobot-proxy connects to is m<0-42>.<C2-domain>, and the m0 subdomain is particularly significant. In the instruction processing part of mylobot-proxy, there are two privileged instructions, namely the 7th and 8th instructions, which indicate downloading and executing new malicious software from subsequent payloads and specified URLs. These two instructions are primarily used to update the mylobot-proxy software. As of March 2023, we have captured a version of mylobot-proxy that employs a unique software update mechanism. During our analysis of the three domains with m0 subdomains, we have not found any IP bindings associated with these domains, indicating that the latest version of mylobot-proxy is updated as of March 2023.
Mylobot-proxy is primarily used to provide proxy functionality. When the botnet reaches a sufficient scale, attackers can turn these resources into proxy service providers. Earlier this year, BitSight pointed out the connection between Mylobot and the bhproxies proxy service. Through relevant analysis, we have come to the same conclusion as BitSight, and the associations are as follows.
The domain client.bhproxies.com is one of the domains through which bhproxies provides services, and its two resolved IPs point to numerous assets belonging to the Mylobot group. Additionally, the IP 89.39.107.82 serves as one of the proxy service provider nodes for bhproxies and is consistent with the resolution of the newest C2 domain, m20.onthestage[.]ru, used by the Mylobot group.
In late February 2023, the Mylobot group updated the C2 of mylobot-proxy. When tracking the connection status to the latest C2 domains, each unique IP represents a compromised machine. We observed that the botnet scale is showing an expanding trend, as shown in the following data:
mylobot-core
Core is loaded by the Packer-Shellcode module and primarily serves as a downloader in the Mylobot group's attack chain, with mylobot-proxy being the main distributed malicious software. Core also utilizes fake-dga domains, and the latest version has not removed this feature. The embedded domains are encrypted using AES, and the Key used for encryption has appeared in mylobot-proxy as well. It decrypts a significant number of domain-port pairs, which exhibit high similarities with the early mylobot-proxy domains. It then selects these domains' buy1, v1, up1 subdomains for connection.
Once successfully connected to the C2 domain, Core initially sends the machine's basic information for the bot's online status. One of the fields is called "name_id," which is a hardcoded string in the sample. It was named mylobot-core because the group had set this field to "core" in the past. In the samples we captured in July 2023, its id was set to "feb23," which corresponds to February 23, aligning with the sample's compilation time and being relatively close to mylobot-proxy's update time. The structure of its online information is as follows:
After sending the online information, the server needs to reply with the online identifier "\x45\x36\x27\x18" and also send the download information for the next stage of malicious software. The download information is also encrypted using AES, with the domain encryption utilizing the same Key. The subsequent malicious software primarily includes mylobot-proxy, and below is the payload information we received for the next stage:
mylobot-core mainly serves as a downloader for other malicious software. Besides mylobot-proxy, the group has distributed other malicious software. Minerva Labs once detected that the Mylobot group issued a ransomware email sender in core's instructions. The ransom letter described that the attacking group planted a Trojan on an adult website, which recorded compromised users' webcam and email address information. If the victims refused to pay, the attacker would send the webcam recordings to the victims' contacts, causing social humiliation.
However, we have not yet detected any other malicious software being distributed through mylobot-core, except for mylobot-proxy. From this, we can infer that mylobot-proxy remains the main focus of the group's operations.
Summary
Despite being exposed for five years, the Mylobot group is still relatively active. However, based on their main products, mylobot-proxy and mylobot-core, there haven't been significant changes in the functionality of the malicious software code. This has resulted in a high detection rate, making it easier to be caught by security measures. We speculate that this might be because the operational center of the Mylobot group focuses on selling and operating proxy services, which is supported by the frequent instructions received by mylobot-proxy. The ransomware email sender received through mylobot-core also indicates the group's involvement in other black market activities. However, we have not yet discovered any other related incidents, and we will continue to monitor the Mylobot group's future activities.
IOC
Download Server
wipmania[.]net
wipmsc[.]ru
stcus[.]ru
162.244.80.231:80
212.8.242.104:80
51.15.12.156:80
mylobot-core(partial code)
bcbxfme[.]ru
bmazlky[.]ru
bthmzsp[.]ru
byosnwr[.]ru
cxxhtmb[.]ru
dkqhmbi[.]ru
dldzeoo[.]ru
dlihgic[.]ru
dnfojik[.]ru
mylobot-proxy(from March 2023 to the present)
onthestage[.]ru
krebson[.]ru
stanislasarnoud[.]ru
Reference links
[1].https://mp.weixin.qq.com/s/5YBvsb_pZGq_vxDlTNatEA
[2].https://minerva-labs.com/blog/mylobot-2022-so-many-evasive-techniques-just-to-send-extortion-emails/
[3].https://www.bitsight.com/blog/mylobot-investigating-proxy-botnet