Mylobot Continues Global Infections

CenturyLink Threat Research Labs has been tracking the Mylobot botnet, a sophisticated malware family categorized as a downloader. What makes Mylobot dangerous is that, once it infects a host, it can download and execute any payload the attacker chooses, so the second stage can change at any time. A detailed walkthrough and reverse engineering analysis of Mylobot was first reported in June by Deep Instinct. During the time we have been monitoring Mylobot we have observed it delivering the Khalesi malware as a second stage to infected hosts. Kaspersky Lab reports that the information-stealing Khalesi malware is one of the most downloaded malware families of 2018.
We were first alerted to the botnet's behavior by IPs interacting with our honeypot network. Our team constantly monitors attack patterns and looks for behaviors these attacks have in common. In this case, we observed a shared pattern in the DNS lookups coming from a distinct group of these IPs: each host performed lookups for domains we had flagged as likely to be algorithmically generated.
The shared behavior was detected by combining the IPs extracted from our honeypot logs with DNS resolution data and applying unsupervised clustering to isolate large clusters of similarly-behaving devices. The resulting behavior appeared to be callbacks to domains produced by a Domain Generation Algorithm (DGA). Our DGA domain list is built by monitoring lookups and estimating the probability that each name was machine-generated by one of several techniques, such as choosing letters or numbers at random, or stringing together words picked at random from a dictionary. The domains queried by this particular cluster of IPs were seven randomly-chosen letters under the TLDs .ru, .net and .com, with subdomains ranging from m0 to m42.
Our investigation into these domains found that they are hardcoded into samples of the Mylobot malware rather than generated at runtime, which means the complete list can be blocked. Mylobot contains sophisticated anti-VM and anti-sandboxing techniques. For example, it sits idle for 14 days before attempting to contact the C2, a delay intended to outlast the sandbox environment and avoid detection. When it does attempt to contact the C2, the malware uses a set of 1,404 hard-coded domain name and port pairs.
For each domain-port pair, the malware first attempts to resolve 43 subdomains, m0 through m42, the same ones we saw in passive DNS. If one of the FQDNs resolves to an IP, the malware tries to connect to that IP on the port hard-coded with the domain. With 1,404 domains and 43 subdomains, a bot that finds no live C2 issues up to 60,372 DNS queries.
The large volume of queries from an individual host can therefore be used as an indicator of infection by this malware. The internet-wide impact of this behavior is visible over a two-week period: as each region's infected hosts are powered on to begin the day, a large burst of queries occurs, tailing off as each host finds a C2. Below is a graph of the total number of queries to these domains in our DNS traffic over this period.
Through our analysis it was important to understand whether the botnet had shown any noticeable variation in size. We found that, while day-to-day sizes vary due to normal botnet maintenance and data sampling, the botnet's total size has remained relatively consistent throughout the year. The graph below displays the number of IPs we see in passive DNS traffic querying the domains in question for the current year.
At CenturyLink Threat Research Labs, we leverage our global visibility to identify botnet infrastructure. Analyzing DNS response data allowed us to generate a list of potential C2s from the FQDNs that resolved to IP addresses. Searching our sampled Netflow for traffic from these IPs lets us identify the active C2s and their ports. Below are the active C2s observed in November, with the number of bot IPs each C2 sent responses to on its C2 port.
| C2 IP | Port | FQDN | Number of IPs |
|---|---|---|---|
| 74.222.19.103 | 7432 | m20.fywkuzp.ru | 2,675 |
| 74.222.19.63 | 7432 | m19.fywkuzp.ru | 2,511 |
| 217.23.13.62 | 7432 | m7.fywkuzp.ru | 2,420 |
| 89.39.107.19 | 7432 | m12.fywkuzp.ru | 2,289 |
| 70.36.107.38 | 7432 | m21.fywkuzp.ru | 2,259 |
| 89.39.105.82 | 7432 | m8.fywkuzp.ru | 2,133 |
| 89.38.98.48 | 7432 | m10.fywkuzp.ru | 2,128 |
| 109.236.85.147 | 7432 | m25.fywkuzp.ru | 2,108 |
| 217.23.6.62 | 7432 | m11.fywkuzp.ru | 2,082 |
| 89.38.98.165 | 7432 | m6.fywkuzp.ru | 1,632 |
| 109.236.85.21 | 7432 | m4.fywkuzp.ru | 1,532 |
| 217.23.3.15 | 7432 | m13.fywkuzp.ru | 1,119 |
| 109.236.85.150 | 7432 | m1.fywkuzp.ru | 986 |
| 109.236.85.154 | 7432 | m5.fywkuzp.ru | 971 |
| 46.166.173.180 | 7432 | m24.fywkuzp.ru | 943 |
| 109.236.85.153 | 7432 | m3.fywkuzp.ru | 917 |
| 109.236.85.135 | 7432 | m2.fywkuzp.ru | 840 |
| 109.236.87.49 | 7432 | m9.fywkuzp.ru | 683 |
| 70.36.107.39 | 7432 | m22.fywkuzp.ru | 666 |
| 75.126.102.251 | 9529 | m9.qjwhpfe.net | 344 |
| 109.236.85.93 | 7432 | m26.fywkuzp.ru | 184 |
| 70.36.107.154 | 7432 | m0.fywkuzp.ru | 135 |
In total, 9,874 unique IPs received responses from the C2s on the C2 port on that day. Comparing this with other time intervals, we have observed the number of unique IPs reach as high as 17,979.
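The two network-forensic steps described above, flagging a host by the volume of m0 through m42 lookups it makes, and turning DNS answers into candidate C2s that sampled Netflow then confirms, as an added Python example. This is not CenturyLink's code; the passive-DNS and Netflow records are constructed for the example, their line formats are assumed, and the TLD set in the regular expression is taken from the IOC list on this page rather than from the malware itself.

```python
import re
from collections import Counter, defaultdict

# FQDN shape described in the write-up: a subdomain m0..m42 under a
# seven-letter second-level label.  The TLD set is taken from the IOC list on
# this page; widen it to match your own DGA feed.  (Assumed pattern.)
MYLOBOT_FQDN = re.compile(
    r"^m(?:[0-9]|[1-3][0-9]|4[0-2])\.[a-z]{7}\.(?:ru|net|com|in|biz|me|org|cc)$"
)

# Constructed passive-DNS records (not real telemetry):
# "<client_ip> <qname> <answer_ip or NXDOMAIN>"
PASSIVE_DNS = """\
10.0.0.5 m0.fywkuzp.ru NXDOMAIN
10.0.0.5 m1.fywkuzp.ru NXDOMAIN
10.0.0.5 m20.fywkuzp.ru 74.222.19.103
10.0.0.5 m3.aamsqec.com NXDOMAIN
10.0.0.5 m43.fywkuzp.ru NXDOMAIN
10.0.0.9 www.example.com 93.184.216.34
10.0.0.9 m7.fywkuzp.ru 217.23.13.62
10.0.0.7 m9.qjwhpfe.net 75.126.102.251
10.0.0.7 m2.gaeqkhd.com NXDOMAIN
10.0.0.7 m5.kcmpifh.com NXDOMAIN
"""

# Constructed sampled-Netflow records (not real telemetry):
# "<src_ip> <dst_ip> <dst_port>"
NETFLOW = """\
10.0.0.5 74.222.19.103 7432
10.0.0.9 217.23.13.62 7432
10.0.0.5 217.23.13.62 7432
10.0.0.7 75.126.102.251 9529
10.0.0.9 75.126.102.251 9529
10.0.0.7 75.126.102.251 80
"""


def parse_passive_dns(text):
    """Return (client, qname, answer) tuples from the constructed log format."""
    records = []
    for line in text.splitlines():
        client, qname, answer = line.split()
        records.append((client, qname.lower(), answer))
    return records


def dga_query_counts(records):
    """Number of Mylobot-shaped lookups per client (m43 and above do not count)."""
    counts = Counter()
    for client, qname, _ in records:
        if MYLOBOT_FQDN.match(qname):
            counts[client] += 1
    return counts


def suspected_bots(records, threshold):
    """Clients whose Mylobot-shaped lookup volume reaches the threshold.
    A real bot can issue up to 60,372 such queries, so in production the
    threshold can sit far above what this small sample needs."""
    return sorted(c for c, n in dga_query_counts(records).items() if n >= threshold)


def candidate_c2s(records):
    """Mylobot-shaped names that actually resolved, mapped to their answer IP."""
    return {q: a for _, q, a in records if MYLOBOT_FQDN.match(q) and a != "NXDOMAIN"}


def confirm_c2s(candidates, netflow_text):
    """Cross candidate C2 IPs with flows.  For every candidate that bots really
    connected to, report its FQDN, the port most bots used (the C2 port), and
    how many distinct bots used it."""
    fqdn_by_ip = {ip: fqdn for fqdn, ip in candidates.items()}
    bots_by_port = defaultdict(lambda: defaultdict(set))  # ip -> port -> clients
    for line in netflow_text.splitlines():
        src, dst, port = line.split()
        if dst in fqdn_by_ip:
            bots_by_port[dst][int(port)].add(src)
    confirmed = {}
    for ip, per_port in bots_by_port.items():
        port, clients = max(per_port.items(), key=lambda kv: len(kv[1]))
        confirmed[ip] = {"fqdn": fqdn_by_ip[ip], "port": port, "bots": len(clients)}
    return confirmed


if __name__ == "__main__":
    recs = parse_passive_dns(PASSIVE_DNS)
    print("suspected bots:", suspected_bots(recs, threshold=3))
    for ip, info in confirm_c2s(candidate_c2s(recs), NETFLOW).items():
        print(f"{ip}:{info['port']} ({info['fqdn']}) contacted by {info['bots']} bot(s)")
```

The query-count stage deliberately keys on the name shape rather than on a fixed domain list, so it still fires on a sample that swaps in new seven-letter domains; the Netflow stage is what separates a domain that merely resolves from a C2 that is actually answering bots.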
There was speculation in the Deep Instinct analysis that the C2s were applying a GeoIP filter, since researchers were unable to get a response from C2s in certain geographic areas. We were able to get a response from one of the C2s, 70.36.107.154, from an IP located in a different geographic region, so it is unclear to us whether any GeoIP filtering is taking place. Below is a heatmap showing the concentration of IPs that communicated with the C2s on the C2 port.
Below are the top 10 countries we observed communicating with the C2s on the C2 port on November 10.

| Country | Number of IPs |
|---|---|
| Iraq | 3,014 |
| Iran | 2,788 |
| Argentina | 2,602 |
| Russia | 1,919 |
| Vietnam | 1,786 |
| China | 1,202 |
| India | 926 |
| Saudi Arabia | 914 |
| Chile | 844 |
| Egypt | 798 |
When the malware receives a response from the C2, it XORs each byte of the response with 0xDE. The resulting string contains up to two URLs, each pointing to an IP address and a file name ending in .gif. Below is the decoded response we received from the C2.
'\xde\xde\xde\xde\xd6http://138.128.150.133/winme.gif\x00\xde\xde\xde\xde\xd9http://138.128.150.133/winext.gif\x00\xde\xde\xde\xde\xd8'
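The decode step above, as an added Python example that is not part of the original write-up. It takes the decoded response quoted on this page, re-encodes it with the same key to reconstruct what the bot would have seen on the wire (single-byte XOR is its own inverse, so this is exact), then decodes that and pulls out the payload URLs and downloader hosts. The URL pattern and the byte layout between the URLs are assumptions drawn only from the quoted response.

```python
import re
from urllib.parse import urlparse

XOR_KEY = 0xDE

# The decoded response quoted in the write-up, as Python bytes.
DECODED_RESPONSE = (
    b"\xde\xde\xde\xde\xd6http://138.128.150.133/winme.gif\x00"
    b"\xde\xde\xde\xde\xd9http://138.128.150.133/winext.gif\x00"
    b"\xde\xde\xde\xde\xd8"
)

# Constructed wire form (assumed, derived from the quoted output): XOR with
# the same key gives back the bytes the bot received, so the 0xDE runs in
# the decoded text correspond to 0x00 bytes on the wire.
WIRE_RESPONSE = bytes(b ^ XOR_KEY for b in DECODED_RESPONSE)

# Only URLs of the shape the write-up describes: an IPv4 host and a file
# name ending in .gif.  Everything else in the buffer is ignored.
PAYLOAD_URL = re.compile(rb"https?://\d{1,3}(?:\.\d{1,3}){3}/[A-Za-z0-9_.-]+\.gif")


def xor_decode(data, key=XOR_KEY):
    """Apply the single-byte XOR the bot applies to a C2 response."""
    return bytes(b ^ key for b in data)


def extract_payload_urls(wire_bytes):
    """Decode a raw C2 response and return the payload URLs it carries."""
    decoded = xor_decode(wire_bytes)
    return [m.decode("ascii") for m in PAYLOAD_URL.findall(decoded)]


def downloader_hosts(urls):
    """Distinct downloader IPs referenced by the URLs, for blocking and hunting."""
    return sorted({urlparse(u).hostname for u in urls})


if __name__ == "__main__":
    urls = extract_payload_urls(WIRE_RESPONSE)
    print("payload URLs :", urls)
    print("downloaders  :", downloader_hosts(urls))
    # Decoding bytes that were already decoded garbles the URLs, so a
    # captured response must be passed through the key exactly once.
    print("double-decode:", extract_payload_urls(DECODED_RESPONSE))
```

Feed `extract_payload_urls` the TCP payload captured from the C2 port, not the text form quoted above; the last print shows what happens when the key is applied a second time.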
The malware connects to this downloader IP and executes the downloaded file. The two files we saw in the C2 response were PE32 executables despite the .gif extension. These files appear to be modified frequently: while the sizes stay the same, we observed the file hashes change approximately every 30 minutes, so hash-based indicators go stale quickly and the download URLs and file sizes are the more durable signal. We have included the SHA-256 hashes below as examples for further industry analysis.
winme.gif (267776 bytes): 4ca8ef5d00bde49659ca97faf2a2a47445e6a3e82c151f18f0923392826d5af0
winext.gif (180224 bytes): b7245ed896cd4199b410a326e1295aafb3e23c3311d301b1cdaf964cf7c008d9
Through collaboration with Kurt Baumgartner at Kaspersky Lab, we believe we can positively identify the second-stage payload as the information-stealing Khalesi malware. Using graph analysis to find IPs of interest that communicated with a large number of bots, we identified two downloaders. One of them, 138.128.150.133, is currently very active and was also the one contained in the response we decoded from the C2. VirusTotal confirms this IP as a malware distribution host: all of the URLs associated with it have names similar to those above, ending in .gif, and are flagged as Khalesi or Zusy malware. This behavior appears as far back as April.
The other downloader, 38.130.218.117, was active until the beginning of the year. The plot below shows the number of connections to both, with a clear transition of infrastructure occurring at the beginning of the year.
By combining different data sources, such as DNS and Netflow, and using unsupervised clustering and graph analysis techniques, CenturyLink Threat Research Labs has been able to track the bots, C2s and downloaders of the Mylobot botnet. This analysis, performed without access to specific malware samples, shows the role network forensics can play in tracking malicious infrastructure. CenturyLink has blocked this infrastructure on our network to mitigate risk to our customers and has notified the owners of any components operating within their environments so they can clean up and help protect the global internet.
IOCs
Known C2 Domains and IPs
46.166.173.180
74.222.19.63
70.36.107.38
74.222.19.103
70.36.107.39
217.23.13.62
89.38.98.48
89.39.107.19
89.39.105.82
109.236.85.147
109.236.85.93
217.23.6.62
109.236.85.135
109.236.85.153
217.23.3.15
109.236.85.150
70.36.107.154
75.126.102.251
109.236.87.49
89.38.98.165
109.236.85.21
109.236.85.154
aamsqec.com
aapwdqx.in
aawgiow.biz
acfwftg.com
adbnsrt.me
aekqtdz.org
aemmfiu.cc
afcytwc.com
afgnckn.com
agcdnsk.org
aghpmly.com
agnxomu.com
ahblatp.com
aiejedp.in
aimzxmj.com
ajirkxs.cc
ajqnsrc.com
akjlcbb.com
akpsxcf.com
akscwor.net
alerafn.cc
alidxwr.com
alykwzd.com
amnoboe.com
amrjcad.com
amsdkmt.in
andhttz.com
anksjac.com
antkizk.com
aoofgan.in
aopgwes.cc
apbjhiu.com
apgapmz.biz
apkorcb.com
aqfyrgb.in
aqnepqy.com
aqnlgpx.com
aqokwpj.org
aqphfgh.cc
aqxmfmi.in
aqzwctf.me
ardydzj.in
ashphhp.com
asnycoq.com
asspccy.com
asufqtg.net
asuqjow.in
atfwuia.com
atoifmo.com
atzbggz.com
atznarx.net
aubefwb.net
augplqr.in
awakwuo.net
awdgxjg.com
awgutqp.cc
awsgbxb.net
axikbay.com
aykxbcd.com
aytxmbg.com
azaobrm.com
baouque.me
bbcieyz.net
bbdaowk.com
bbdbwom.com
bbxqxbn.com
bcgzsrx.com
bcolyyp.in
bcpbamn.com
bdhkrzo.net
bdlfrtt.com
bduwxpz.com
bdxykim.com
beokdlr.net
besfalz.com
bfbfkhz.cc
bfrixzs.com
bgcaknx.net
bgmrzxl.me
bgtkuuc.com
bgyunmr.net
bhelhqq.in
bhsexgy.com
bhsfsui.com
bicrxrm.net
biirfry.org
biqbitd.com
bjamaag.org
bjherjm.net
bkoobfl.net
blgujzi.com
blpuwos.biz
bmjzhoy.com
bnwqcxl.com
boazzqu.biz
bolcmuk.net
bosraaa.cc
botbqkh.biz
bpgqgwu.biz
bpjczuy.biz
bpywqfn.cc
bqpthdh.cc
bqrycsh.com
brchily.com
brcttuc.com
brmgkod.com
btbfpuz.com
btytnsr.com
bwmconb.biz
bwqdhue.com
bydnmbu.com
byhmzxm.com
bywycda.net
bzbrwsq.cc
bzeyggq.biz
bzgelji.com
bzjjfrf.org
cafbnqf.org
cbpwhri.me
cbtfylt.me
cceognr.com
ccmebxk.com
ccnmbpx.cc
ccnshks.in
ccxzmma.biz
cdprryx.net
cdyxwya.com
celzwhn.com
ceuhbwj.net
cflefdn.com
cfmxsgh.org
cfopazn.com
cfqryrc.com
channoj.com
chbzsem.com
cijtxig.com
cioufak.org
citfbcb.com
cixfjai.me
cjbjzrn.biz
cjdmbfn.com
cjhthhg.com
cjlheud.com
cjlthgd.com
cjnunpb.net
cjzhqbz.biz
ckjxece.com
cklbjgl.net
cknauue.org
clantln.me
cldbnzm.com
clijdbq.com
clkufmg.me
cnahymy.me
cndfdcu.net
cnoyucn.com
cnqrtay.com
cnusiot.com
cogrjsx.com
cpfsolf.com
cprgggy.in
cqfjzxp.net
crcyiif.com
csdkbuh.com
csekhyk.com
cskhscc.net
csxpzlz.com
ctpugwd.cc
culmkzy.net
cumdoii.me
curxibq.net
curxwrh.net
cwbwlei.com
cwefsaz.com
cwxluaq.com
cxbzucc.in
cxpalfa.com
cygkijf.net
czcgtqi.org
czhilni.com
czlxzql.net
czwaikg.com
dabdtfb.net
dagfzjr.in
dbggepx.com
dbwrtps.com
dcbxlrj.org
dcothzr.biz
dddsorm.me
ddgjwrj.cc
ddjctyf.biz
ddjhlet.biz
ddocmix.com
ddsrubz.com
dfdcjwj.com
dfkkfos.net
dftlmtp.com
dfwpmpm.me
dgeuerk.com
dgpdfxy.net
dgpwxgw.com
djalfei.com
djcxtew.com
djmjwzd.net
dlcmaxq.com
dlfynky.net
dlqmaup.com
dlwmxyd.com
dnkxsay.com
dnxoyku.com
dodbcks.com
doillnj.in
dopxiod.com
dphfhpd.com
dpuayfi.me
dpwqcns.org
dqagyks.com
dqugfga.me
drrfnky.cc
dtchnsu.me
dtljuqw.net
dudccob.in
dufcrun.com
dugheid.com
duwabbh.com
dxqiueu.net
dxzmadd.org
dycdbyk.net
dyopshw.com
dysjtdw.in
dzhyqet.com
dzpacei.me
dzwuxrt.com
eacompz.com
eahqyrh.com
ecdkhxj.com
ecftmll.net
eckyqwb.biz
ecsnmgj.com
edclnay.org
eeakuno.net
eegmqhk.in
eehhbij.in
eemnckg.me
egddlkh.com
egqwdwh.net
egwzuzl.in
ehgeqxn.me
ehmmuub.cc
eicbgmq.com
eiqxhmc.org
eitznua.net
eizcott.in
eizrqdm.com
ejumwfq.biz
ejxqfzs.com
eknjsiu.me
eleaiok.in
emwtlmf.com
ennwaao.biz
enuaepn.biz
eoerkfc.com
epakejl.org
eqesdfs.biz
eqzswxq.com
ercmkzq.cc
erehirz.net
erntxpc.biz
essxwhx.com
estxqdl.in
etqokoh.org
euumwmw.net
euxesgi.com
euygrwb.cc
ewspgaw.cc
exiegzm.org
exrwalq.net
eyjqjpj.me
eypzztn.net
eyskszl.com
ezrkghn.com
ezzpznc.org
fahirqz.biz
fayiadd.com
fbteyne.net
fcglzsx.me
fckoyhl.net
fcryhex.net
fcsyzii.com
fcwhbdf.com
fcyrsbe.com
fegadcn.net
fejydfe.com
feuoadj.biz
ffbfwmj.biz
ffdswwi.com
ffsdtao.com
fjijxch.com
fjpiobz.me
fkjhjnb.com
fkktckb.com
flzcwed.com
fmniltb.com
fmwesgr.com
fnfdjue.com
fnjxpwy.com
fnshrdw.com
fnsitld.in
fofxngn.com
foigwaq.com
fpapfra.com
fpktmtw.com
fptriaj.org
fpwwiem.com
fqnrhrx.biz
fqtbrep.com
frhjtrk.in
ftbupbx.com
fteenfa.cc
fthoaiu.com
ftmuksx.com
ftpiesg.me
ftqalql.org
ftugqid.com
fupppzz.net
fxbmrgm.net
fxlxwxb.net
fxucecy.in
fysauey.me
fywkuzp.ru
fzlbnmm.net
fzypain.com
gaeqkhd.com
gbobrrq.me
gbxswyu.net
gcenjzt.com
gcsrqiy.net
gdeetxd.com
gdgfche.me
gdlsinj.com
gehkfwf.com
gekerie.com
geluhsx.com
geqtaou.biz
gfmmqfa.com
gfpehmx.net
gfyjwdr.com
ggyrlii.biz
ghezfum.com
ghjajna.me
ghludad.com
ghmbjjn.com
ghzqxnm.com
gijnohl.cc
giktmlk.com
giukuxg.me
giuwzmh.net
gjngtcm.net
gjycjdu.com
gkzwzzk.net
glbecnr.com
gmdmpdm.com
gmtdpuo.cc
goaawik.com
goaciqf.com
goccxuw.net
gohlmau.me
gpblzdo.org
gpllaid.com
greqtkj.biz
grsaspj.org
gsjxycs.com
gthdnhx.com
guegyro.com
gumqkle.net
gwoicjd.org
gwoturm.com
gwryfkd.cc
gwtqtsy.com
gwurnyx.biz
gwxitnd.com
gxazatd.com
gyeglsh.cc
gzankeb.com
gzginqi.org
harsnic.biz
hbjwhhn.com
hbrmazu.in
hcatcmd.me
hcbbriu.com
hccohcb.in
hcmcbeu.com
hcmejrf.com
hdmxgll.org
hefxosi.com
herodqa.com
heugeqm.com
hfncugb.com
hfzknql.biz
hgkdndo.in
hhqbikx.com
hidhyef.in
hihrfxy.com
hiixbda.net
hilyudl.in
hiqrgwq.org
hjajzyz.com
hjbotih.cc
hjjorcw.me
hjmbruz.com
hjzosou.com
hkdywjd.in
hkwwrwp.net
hlsbhpf.me
hmyjgpw.net
hnajpls.com
hnjnsfr.com
hnqszgr.biz
hntazys.me
hnwkfmm.com
hoaqbpk.biz
hpeobmp.com
hpqxfes.net
hsoxawm.com
htdenni.org
hubmnyx.org
hwiieod.com
hwzzhlz.com
hxiabno.net
hxpyzdn.com
hyiqppb.com
hywaxgm.com
hzglasg.com
hzkilhz.com
iabgniy.cc
iaerfmr.com
iahnmsj.in
iatuxiz.com
ibdtsff.biz
ibdzief.com
ibpicqg.com
icmkhlh.com
iddzndo.in
idykmzo.com
ietyxrh.biz
iewybck.com
ifmpdod.com
ifxrtcm.com
ifzwmwe.com
igohiao.com
igoxzza.com
igqsnob.me
ihbkbdj.com
ihesocn.com
ihgersr.com
ihmbgfp.net
iimtjwd.com
iisdkda.com
ikfekxi.com
ikgsbac.com
ikhzxwy.in
ilquige.com
imoqhty.me
inkitjf.me
inrwfea.biz
inzgzwn.me
ioalrxm.net
ioamydf.in
iooptqm.com
iowbimu.com
ipgbytl.in
ipsfwrw.com
iqjeetk.com
iqncjxw.com
iqwfmfi.net
irmhpoq.net
irtfzyh.com
itiiuan.in
itnrlax.com
itpkimo.org
itwjrgn.com
itxwspz.net
itzaxrk.biz
iuetoju.com
iwmjrpk.com
iwticym.cc
ixdknwj.org
ixnqjwg.com
iycsbwc.com
iydipho.com
iyeutya.in
iypgdps.com
iypofkc.com
izgbroj.com
izphlan.biz
jagctea.in
jbspqko.biz
jdkwrjb.net
jetbkql.com
jfdfdth.net
jfezcru.cc
jfpfpmd.net
jhaewrm.me
jhpirob.cc
jhzyorn.net
jiawiqf.biz
jimalae.com
jirykbi.org
jjartcm.com
jjipogp.com
jjlgbyd.in
jjmitsd.com
jjnctjd.com
jjwelph.org
jkfuexp.org
jkgncyk.com
jlrylzw.com
jmhwdaa.org
jmqidcg.com
jmqxise.in
jmspwbp.com
jnmdymn.com
jnucpww.net
jodzcxi.com
joeahbq.net
joetqhf.com
joparpd.com
josfmmq.com
jpgfsiu.biz
jqizuas.com
jqjfomk.com
jqlwhsl.com
jqpgxwl.in
jqphuor.in
jqpnnib.com
jqzrapc.com
jqzssja.com
jrkhnqs.com
jrwykxk.com
jsdqdtj.org
jsoderz.com
jsojybj.net
jsqahgh.com
jtalnib.com
jtumdod.com
juukwez.me
jwjcmah.net
jwkqljr.com
jwxofdp.in
jwzsiit.net
jxikhzp.com
jxmlznf.cc
jxpgogd.com
jyxuwax.com
jzlerit.net
jzzoozd.in
kcmpifh.com
kcurbjo.com
kdlclkh.cc
kecwpwu.org
kezkkks.cc
kfpirfg.in
kfxtjzb.biz
khasffr.com
khbutla.cc
khbwzzt.biz
kheytkh.biz
khrebez.com
kiajrcx.com
kitfndb.com
kitxezl.com
kjecppw.cc
kjkdkpj.net
kjoodmh.net
kkaruca.com
kkswpzh.com
klexmkp.com
klrecbw.com
klrfyid.cc
knkyszc.com
knzuwpl.com
koonbqw.com
kozuxqd.biz
kpkzatj.net
kpljbsi.com
kpnjxjh.in
kprnpfi.biz
kpzgczu.net
krcmcmp.com
ksotdcm.cc
kstpcri.org
ksulzbr.com
ktlegmh.com
ktslzhn.com
kuilzqn.com
kuwgxyk.com
kxoxpdw.in
kxttpxp.com
kxwfayj.me
kygixed.me
kymtojq.com
kypnlaa.in
kyyepzh.com
lbkalko.com
lbljgxy.cc
lcjpudf.com
lcptjbn.com
lcsnhgl.com
lcxeyzb.biz
ldjfifi.com
ldwubwd.me
ldxtzjo.com
lefefdg.org
leibqdu.in
lfkjkqh.cc
lfpoolp.biz
lgdlgqy.com
lgnmegh.cc
lgtqugq.com
lgzoido.me
lhajdxx.com
lhsjtcl.com
lhydyta.com
lhyklwh.com
ljnbyzo.net
ljxdqzu.com
ljzpnbc.com
lkubdog.net
lnjkisb.com
lnwugnr.com
locrxea.net
logibrj.com
loqiqat.net
loqnaol.cc
louqzrf.com
lpxlcfw.org
lqfsnws.cc
lqjicwi.com
lqmnwoq.cc
lqsuuke.cc
lsamkrs.com
lsmdgkn.net
lupqxal.org
lwbojdn.com
lwqrwys.in
lwrwkyd.in
lxfibrc.cc
lxwaccq.in
lzafhej.biz
lzcxzes.com
lzkjchn.me
lzpbfmc.in
lzxemfc.com
maabilo.com
mabiaje.me
mamhwke.me
mbdntre.biz
mbksjzr.org
mcidddh.biz
mdcqrxw.com
mdhrfnx.com
mdjedmj.com
mdjlugj.biz
mdxxuif.me
meayart.com
mecbtbw.com
meshzxe.com
mfpbdbc.org
micposd.cc
mihribb.com
mixrlnl.com
mjmhchi.org
mjnmipr.com
mjyaxjr.in
mkeamjf.com
mkerxwn.com
mkfooxg.org
mkgdmpp.in
mkqrmbz.me
mleiwkb.net
mlhxekq.com
mljwibu.cc
mmnpzcp.com
mmrpyku.me
mngbqpz.cc
mnoohua.com
mnykjui.com
mnyqckl.com
mosaefr.cc
motugqw.net
mpcotwy.com
mqnrqbl.in
mqwbebx.com
msjbsiq.com
msnjizy.com
mtcmilr.net
mthsbsq.net
mtwumhu.me
muaejwt.com
muhkpyk.in
mutqwqm.biz
muuiaxf.com
muzrojw.org
mwjlyzj.com
mwlzwwr.biz
mwoapjj.com
mxkrorx.cc
mxsbgyh.cc
mxybawp.cc
myfylks.com
mygceqd.com
myjraqu.net
mynfwwk.com
myylfuf.in
mzrpnxe.biz
naaflwc.cc
napjsdy.com
nbedwwb.in
nbnxlgf.net
nbwwzxe.com
ncjaxwj.com
nclttox.in
ncnijgb.com
ncrejzk.net
nctpkes.com
ndbiier.org
ndctmns.com
nealriz.com
nefqoef.com
neksmnp.com
neuauua.com
nfclmca.me
nflotan.cc
nhlqfaf.com
nhpyige.cc
nilqdqh.com
nimazxz.com
njdpqim.net
njiqnig.com
nkksufy.net
nlnbkdu.in
nmcfaul.org
nmpiido.org
nnbqgxo.cc
nnqjjyp.me
nnryeuh.me
noibocl.com
notwljg.com
nqguhil.com
nqwpgxf.net
nsudurh.com
nsuyguf.com
nsziung.me