‘Mylobot’ botnet now downloading second-stage malware meant to siphon data

A global botnet set up to spread malware is disseminating a second-stage exploit used to siphon data, according to a report from CenturyLink Threat Research Labs.

CenturyLink first encountered the Mylobot botnet by looking at IPs that were interacting with its network. In the research, CenturyLink observed DNS searches emerging from a distinct group of IPs. Researchers determined that the DNS lookups for domains were likely generated by an algorithm.

The domains found in the isolated IPs were made up of seven randomly-chosen letters followed by the identifiers .ru, .net and .com. The report stated that the Mylobot malware typically generates 60,372 DNS queries that stem from 1,404 domains and 43 subdomains.

Researchers found that Mylobot has the ability to appear inactive for 14 days before attempting to contact its command-and-control network, according to CenturyLink’s report.

Since June, Mylobot has been observed downloading Khalesi, malware used to siphon data, as a second-stage attack for the infected host. Khalesi malware is one of the top downloaded malware families in 2018, according to a Kaspersky Lab report.

“What makes Mylobot so dangerous is its ability to download and execute any other type of payload the attacker wants, and we now have evidence one of those payloads is Khalesi,” head of CenturyLink’s Threat Research Labs Mike Benjamin said in a press release.

CenturyLink has blocked the Mylobot infrastructure on its own network to protect their customers and alleviate potential risk, while also notifying providers of infected devices to help mitigate infections.