Mylobot is a botnet that targets and takes control of devices running Microsoft Windows.
Mylobot employs a variety of other techniques to evade detection or analysis. When it infects a new host, Mylobot waits for two weeks before contacting Command and Control (C2) servers. It terminates Windows Defender and Windows Update, while attempting to delete other malware which has previously been installed. It can also execute files directly from memory, without them being written to storage media.
It also shuts down and deletes any EXE file running from %APPDATA% folder. That action can cause a loss of data. The main function of the botnet is to take complete control of the user’s computer and damage to the computer depends on the payload the attackers decide to distribute.
Mylobot gives the threat actors full control over infected hosts, and allows them to install additional malware. The C2 servers have been previously linked to the Locky ransomware.After examining the C&C server in use, it turns out that it has been used by other malware campaigns, all of which emanate from the Dark Web – so the threat actors behind Mylobot are likely involved in a range of activities. With the C&C having been active for two and a half years, it indicates those behind Mylobot have been active for some time, and they use tactics which suggest a well-resourced operation.
The IP’s of the C&C server was first spotted in November 2015 and is linked to Locky, DorkBot and Redyms/Ramdo.
According to details on Cyware the domains in use may no longer be active
When it comes to resources ,we see that the botnet is trying to connect to 1404 different domains (in the time of writing this research, only one was alive). This is an indication for big resources in order to register all those domains