12 November 2020

Muhstik botnet uses Oracle WebLogic, Drupal flaws to compromise IoT devices


A new report provides some details on the activities and origins of the Muhstik botnet, which has been around since at least 2018. The botnet is known to use web application exploits to compromise IoT devices; according to researchers from cloud security firm Lacework, these include exploits for Oracle WebLogic and Drupal.

Attackers behind the botnet fund their operation by mining cryptocurrency with the help of such tools as XMRig and cgmining, and also by providing DDoS-for-hire services.

Muhstik leverages IRC for its command and control and has consistently used the same infrastructure since its first appearance on the threat landscape. The botnet mainly spreads via home routers such as GPON home routers, DD-WRT routers, and the Tomato router. However, there are multiple attempted exploits for Linux server propagation, the researchers said.

Some of the vulnerabilities targeted by Muhstik include Oracle WebLogic Server issues (CVE-2019-2725 and CVE-2017-10271) and the Drupal RCE flaw (CVE-2018-7600).

A typical Muhstik attack involves several stages; the first is a payload dubbed “pty” that is used to download other components. Once installed, the Muhstik malware contacts the IRC channel to receive commands to download an XMRig miner and a scanning module. The latter is used to grow the botnet by targeting other Linux servers and home routers.

The investigation into Muhstik’s attack infrastructure revealed some interesting correlations. The IRC C2 irc.de-zahlung.eu shared an SSL certificate with the site jaygame.net, an amateur site about a game involving an anime character named ‘Jay’. The site currently uses Google Analytics ID UA-120919167-1, and a reverse Google Analytics search exposed three domains with records for the same ID (jaygame.net, fflyy.su, and kei.su).

“The two other domains linked to the analytics ID (ffly.su and kei.su) were also configured as C2s for various other Linux Tsunami malware linked to the same infrastructure. If the infrastructure is administered by a single attacker then we can presume it’s related,” the researchers noted.
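The pivot described above (a shared TLS certificate, then a reverse Google Analytics lookup) as an added example, not code from the original report or from Lacework: it extracts UA- property IDs from page bodies and groups hosts that share an ID or a certificate fingerprint. The hostnames and analytics ID are the ones named in the article; the HTML fragments and fingerprints are constructed.

```python
import re
from collections import defaultdict
# Matches classic Universal Analytics property IDs such as UA-120919167-1.
GA_ID_RE = re.compile(r"\bUA-\d{4,10}-\d{1,4}\b")

# Constructed sample data: hostnames and the analytics ID are the ones named
# in the article; the HTML fragments and certificate fingerprints are made up.
SAMPLE_PAGES = {
    "jaygame.net": '<script>ga("create", "UA-120919167-1", "auto");</script>',
    "fflyy.su": "<script>gtag('config', 'UA-120919167-1');</script>",
    "kei.su": "<!-- tracking: UA-120919167-1 -->",
    "unrelated.example": "<script>ga('create','UA-000000-1','auto');</script>",
}
SAMPLE_CERTS = {  # hostname -> SHA-256 fingerprint of the served TLS cert
    "irc.de-zahlung.eu": "deadbeef" * 8,
    "jaygame.net": "deadbeef" * 8,  # same certificate as the IRC C2
    "unrelated.example": "cafef00d" * 8,
}

def extract_ga_ids(html):
    """Return the set of Google Analytics property IDs embedded in a page."""
    return set(GA_ID_RE.findall(html))

def cluster_infrastructure(pages, certs):
    """Union-find over hosts linked by a shared analytics ID or TLS cert."""
    parent = {}
    def find(host):
        parent.setdefault(host, host)
        while parent[host] != host:
            parent[host] = parent[parent[host]]  # path compression
            host = parent[host]
        return host
    # Collect every pivotable attribute and the hosts it was seen on.
    hosts_by_attr = defaultdict(list)
    for host, html in pages.items():
        find(host)  # register the host even if it carries no ID
        for ga_id in extract_ga_ids(html):
            hosts_by_attr[("ga", ga_id)].append(host)
    for host, fingerprint in certs.items():
        find(host)
        hosts_by_attr[("cert", fingerprint)].append(host)
    # Every host sharing an attribute joins the first host's set.
    for hosts in hosts_by_attr.values():
        for other in hosts[1:]:
            parent[find(other)] = find(hosts[0])
    clusters = defaultdict(set)
    for host in parent:
        clusters[find(host)].add(host)
    return [frozenset(members) for members in clusters.values()]
```

On the sample data the IRC C2, jaygame.net, fflyy.su and kei.su fall into one cluster while the unrelated host stays on its own; a shared ID only suggests common administration, as the researchers note, so each link still needs analyst review.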

“This related infrastructure has allowed possible attribution to what Lacework has dubbed ‘Wasp 8220’. This set of activity has been tied to other cryptomining variants and Linux backdoors. These all have links to the same malware upload path belonging to Chinese forensics firm Shen Zhou Wang Yun Information Technology Co., Ltd,” they added.

In the past, Shen Zhou Wang Yun Information Technology was linked by Intezer researchers to the HiddenWasp Linux malware.

According to Lacework, the original malware samples were uploaded to VirusTotal all at once before Muhstik attacks were observed in the wild.
