Pierluigi Paganini
November 11, 2020
Muhstik is a botnet that is known to use web application exploits to compromise IoT devices, it has been around for at least 2018.
Botnet operators monetize their efforts via XMRig, combined with DDoS-for-hire services.
The botnet leverages IRC servers for command-and-control (C2) communications, experts noticed that it has consistently used the same infrastructure since it first appeared in the threat landscape.
The bot propagates by compromising home routers, but experts observed multiple attempted exploits for Linux server propagation. The list of targeted routers include GPON home router, DD-WRT router, and the Tomato router.
According to researchers from cloud security firm Lacework, Muhstik operators added Web application exploits for Drupal and Weblogic to their bot.
The bot includes exploits for Oracle WebLogic Server vulnerabilities CVE-2019-2725 and CVE-2017-10271, and the Drupal RCE flaw tracked as CVE-2018-7600.
Researchers from Lacework have analyzed the attack chain implemented by the Muhstik bot.
In the first stage of the attack, a payload downloads the other components. The payload is named “pty” followed by a number used to map the architecture. Below some download URL examples:
“Upon successful installation Mushtik will contact the IRC channel to receive commands. (For more details on the Muhstik protocol, refer to the write up by Subexsecure). Usually Muhstik will be instructed to download an XMRmrig miner and a scanning module.” reads the analysis published by the researchers. “The scanning module is used for growing the botnet through targeting other Linux servers and home routers.”
The main payload and the scanning module of the Muhstik botnet encrypt their configurations using the Mirai source code which employs a single byte XOR of 0x22.
The decoded configuration for the Muhstik scanning module has common settings that are common to multiple Mirai-based botnets.
The analysis of the botnet’s attack infrastructure exposed some interesting correlations. IRC C2 irc.de-zahlung.eu shared an SSL cert with site jaygame.net, which is an amateur site about a game involving an Anime character named ‘Jay’. The site is currently leveraging Google Analytics ID UA-120919167-1, a reverse Google Analytics search exposed the following 3 domains using the same ID:
“The two other domains linked to the analytics ID (ffly.su and kei.su) were also configured as C2s for various other Linux Tsunami malware linked to the same infrastructure. If the infrastructure is administered by a single attacker then we can presume it’s related.” states the analysis. “This related infrastructure has allowed possible attribution to what Lacework has dubbed “Wasp 8220”. This set of activity has been tied to other cryptomining variants and Linux backdoors . These all have links to the same malware upload path belonging to Chinese forensics firm Shen Zhou Wang Yun Information Technology Co., Ltd. “
Lacework researchers linked the Muhstik botnet to the Chinese forensics firm Shen Zhou Wang Yun Information Technology Co., Ltd.
Experts also observed that original malware samples were uploaded to VirusTotal all at once before Muhstik was spreading in the wild.
The samples contained multiple strings mentioning “shenzhouwangyun,” such as in /home/wys/shenzhouwangyun/shell/downloadFile/tomato.deutschland-zahlung.eu_nvr a circumstance that suggests that the malware was developed by Shen Zhou Wang Yun.
Lacework also shared up to date Indicators of Compromise (IOCs) for the recent attacks.
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, botnet)
[adrotate banner=”5″]
[adrotate banner=”13″]
