In our first blog post, we explained DGA evasion techniques and discussed different methods for detecting DGA-based malware. We also elaborated on our own solution, a deep learning neural network that predicts over Akamai's extensive DNS traffic. That solution currently and autonomously blocks more than 70 million DNS requests daily, with a very low false positive rate. Another exciting aspect of this system was the detection of thus far undetected botnets, with one specific botnet shining through.
The moment the detection algorithm was deployed, an unfamiliar botnet started coming up on our security events. This botnet was generating more DNS traffic than all of the other botnets currently tracked on Akamai's platform. It's called Mylobot.
To showcase the high amount of DNS traffic being generated by Mylobot, figure 1 shows the number of DNS queries being made to its command and control (C&C) servers over time. At its lowest point, Mylobot was issuing more than 200 million DNS queries a day to the Akamai network, which is 200 times more than Pykspa, the second noisiest botnet. At its peak, it reached 1.2 billion requests a day.
Fig 1: Amount of DNS queries made to Mylobot C&C domains as observed on Akamai's platform.
Mylobot's infection rate is also observable via Akamai's traffic visibility (figure 2), which shows infections at least doubling over the past year. The reason it is at least double is that some of the entities observed are enterprises, where a single gateway can stand for thousands of computers behind it.
Fig 2: Amount of infected entities by Mylobot, as seen on Akamai's platform
Due to Mylobot's prominence in our traffic, Akamai's security researchers started looking into the botnet and found a new kind of DGA. This observed malware was described as a downloader and can be seen downloading a payload called Khalesi. The modularity of this malware means it can essentially deliver whatever payload the attacker desires.
The pattern of Mylobot's communication is described in figure 3, according to reports made by Deep Instinct and CenturyLink. It should be noted that in these reports, the magnitude of danger this botnet poses was made clear, as it uses a variety of advanced evasion techniques and has been connected to second stage malware with various dangerous activities.
Fig 3: Scheme of Mylobot's traffic behavior according to Deep Instinct and CenturyLink
Our system detected about 1,400 domains related to what is portrayed in stage 1, querying "m8.zdrussle.ru". In fact, this stage involves issuing thousands of DNS queries for domain names following the pattern:
m<number between 0 and 43>.<domain generated by a DGA>.com|in|biz|org|net|me|cc|ru
While this specific pattern was already reported, our system detected three more patterns, and about 6,500 more domains that were never reported. We assigned them all to the same DGA, which we understand to be four different variants of the same malware. We'll name each variant by its prefix, i.e. the M variant, X variant, Green variant, and V1 variant.
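A defender who wants to hunt for the stage 1 pattern in their own resolver logs can encode it directly. The following is an added example, not Akamai's detection system or code from the post: it matches the M-variant naming pattern quoted above (prefix `m` followed by a number from 0 to 43, a DGA-generated label, and one of the listed TLDs) and groups hits per client. The log format and the query names other than `m8.zdrussle.ru` are constructed for the example; the three other variants' patterns are not given in the post, so they are not encoded here.

```python
import re
from collections import defaultdict

# Regex for the Mylobot M-variant naming pattern quoted in the post:
#   m<number between 0 and 43>.<DGA-generated label>.<tld>
# The TLD alternation is the list from the post. The 0-43 range is
# checked after matching, since a regex character class cannot express it cleanly.
M_VARIANT_RE = re.compile(
    r"^m(?P<n>\d{1,2})\.(?P<label>[a-z0-9-]+)\.(?P<tld>com|in|biz|org|net|me|cc|ru)$"
)


def classify_m_variant(qname: str):
    """Return (prefix_number, dga_label, tld) if qname follows the M-variant
    pattern, otherwise None. Case and a trailing FQDN dot are tolerated."""
    m = M_VARIANT_RE.match(qname.strip().rstrip(".").lower())
    if not m:
        return None
    n = int(m.group("n"))
    if not 0 <= n <= 43:
        return None
    return n, m.group("label"), m.group("tld")


# Constructed sample resolver log (not real traffic): "timestamp client qname".
SAMPLE_LOG = """\
2018-11-01T10:00:01Z 10.0.0.5 m8.zdrussle.ru
2018-11-01T10:00:01Z 10.0.0.5 m21.zdrussle.ru
2018-11-01T10:00:02Z 10.0.0.5 m0.qwpxlo.biz
2018-11-01T10:00:02Z 10.0.0.7 www.example.com
2018-11-01T10:00:03Z 10.0.0.5 m44.zdrussle.ru
2018-11-01T10:00:03Z 10.0.0.9 m3.zdrussle.ru
2018-11-01T10:00:04Z 10.0.0.9 mail.corp.internal
"""


def scan_log(text: str):
    """Map each client to the sorted set of registered DGA domains it queried
    with an M-variant prefix; clients with no hits are omitted."""
    hits = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of failing the scan
        _ts, client, qname = parts
        parsed = classify_m_variant(qname)
        if parsed:
            _n, label, tld = parsed
            hits[client].add(f"{label}.{tld}")
    return {client: sorted(domains) for client, domains in hits.items()}


if __name__ == "__main__":
    for client, domains in scan_log(SAMPLE_LOG).items():
        print(client, domains)
```

The out-of-range `m44` line is deliberately rejected, which keeps the match tight to the pattern as reported; a host that queries several distinct registered domains with this prefix in a short window is the signal worth alerting on, rather than any single query.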
Fig 4: Four different DGA patterns all associated with Mylobot as detected by Akamai's Enterprise Security team.
After seeing the connection between these variants in traffic and the similarity between the patterns, we started to look into the infrastructure of these variants in order to determine whether there is also a connection between the IPs and the communicating files of this operation. If there is a connection between the different servers hosting these variants, we would be convinced of the connection between the variants, which was originally found by our system based on DNS traffic alone.
The following images depict an investigation into the infrastructure using VirusTotal. Every blue globe represents a domain name; every flag represents an IP address and the corresponding country flag of the ASN it's hosted on; and every red file represents a file that's been observed communicating to that IP and detected as malicious.
The images showcase domains from different variants communicating to the same IP addresses. Moreover, some shared malicious files communicate to IP addresses that are not shared by the variants. This means we've found connections between the observed variants in both IP addresses and malicious files.
Figures 5,6,7: Analyzing the infrastructure of Mylobot to identify connections of the four different variants using VirusTotal.
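The pivot described above (domains to IPs, files to IPs, then looking for overlap across variants) can be reproduced programmatically once the relationships are exported from a source such as VirusTotal. The block below is an added example and not Akamai's code or analysis; the variant, IP and file data are constructed placeholders (documentation IP range 203.0.113.0/24, opaque domain and file names apart from `m8.zdrussle.ru` from the post) that mirror the two kinds of link the text reports: IPs shared directly by domains of different variants, and malicious files that bridge variants through IPs that are not themselves shared.

```python
from collections import defaultdict

# Constructed pivot data (placeholders, not real indicators):
# variant -> its DGA domains, domain -> IPs it resolved to,
# malicious file -> IPs it was observed contacting.
VARIANT_DOMAINS = {
    "M":     ["m8.zdrussle.ru", "domain_m2"],
    "X":     ["domain_x1"],
    "Green": ["domain_green1"],
    "V1":    ["domain_v1a"],
}
DOMAIN_IPS = {
    "m8.zdrussle.ru": ["203.0.113.10"],
    "domain_m2":      ["203.0.113.11"],
    "domain_x1":      ["203.0.113.10"],   # same host as an M domain: direct link
    "domain_green1":  ["203.0.113.12"],
    "domain_v1a":     ["203.0.113.13"],
}
FILE_IPS = {
    "file_A": ["203.0.113.11", "203.0.113.12"],  # bridges M and Green
    "file_B": ["203.0.113.13", "203.0.113.12"],  # bridges V1 and Green
    "file_C": ["203.0.113.99"],                  # touches no variant
}


def ips_per_variant(variant_domains, domain_ips):
    """Collect the set of IPs each variant's domains were seen resolving to."""
    return {v: {ip for d in doms for ip in domain_ips.get(d, [])}
            for v, doms in variant_domains.items()}


def shared_ip_links(v_ips):
    """Direct links: IPs hosting domains from two or more variants."""
    owners = defaultdict(set)
    for variant, ips in v_ips.items():
        for ip in ips:
            owners[ip].add(variant)
    return {ip: vs for ip, vs in owners.items() if len(vs) >= 2}


def shared_file_links(v_ips, file_ips):
    """Indirect links: a file contacting IPs that belong to different variants,
    even when none of those IPs is itself shared between variants."""
    links = {}
    for f, ips in file_ips.items():
        touched = {v for v, vips in v_ips.items() if vips & set(ips)}
        if len(touched) >= 2:
            links[f] = touched
    return links


def operation_clusters(variant_domains, domain_ips, file_ips):
    """Union variants joined by any direct or indirect link (union-find).
    A single cluster holding every variant is the 'same operation' result."""
    v_ips = ips_per_variant(variant_domains, domain_ips)
    parent = {v: v for v in variant_domains}

    def find(v):
        while parent[v] != v:
            parent[v] = parent[parent[v]]
            v = parent[v]
        return v

    groups = list(shared_ip_links(v_ips).values()) + \
        list(shared_file_links(v_ips, file_ips).values())
    for group in groups:
        first, *rest = sorted(group)
        for other in rest:
            parent[find(other)] = find(first)

    clusters = defaultdict(set)
    for v in variant_domains:
        clusters[find(v)].add(v)
    return sorted(sorted(c) for c in clusters.values())


if __name__ == "__main__":
    print(operation_clusters(VARIANT_DOMAINS, DOMAIN_IPS, FILE_IPS))
```

Running it with the file relationships removed leaves V1 and Green in their own clusters, which is the point of pulling in communicating files: the IP overlap alone ties only some variants together, and the files supply the remaining edges.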
These findings convinced us that the four different variants are indeed all connected to the same operation, just as we suspected and as our system detected. The IOCs detected by our system that relate to the operation described above are listed below and are provided to defenders in order to assist in mitigating this malicious threat.
To summarize, the Mylobot botnet is growing, and we have seen clear evidence of this. Combine this growth with the fact that Mylobot is often a downloader for a larger campaign, and you have a massive threat that defenders should take care to neutralize as quickly as possible. However, the full effect of this operation isn't entirely clear from the DNS perspective alone. To that end, we hope that the provided IOCs are helpful to those working on mitigation efforts.