A new report provides some details on activities and origins of the Muhstik botnet, which has been around since at least 2018. The Muhstik botnet is known to use web application exploits to compromise IoT devices, which, according to researchers from cloud security firm Lacework, include those for Oracle WebLogic and Drupal.
Attackers behind the botnet fund their operation by mining cryptocurrency with the help of such tools as XMRig and cgmining, and also by providing DDoS-for-hire services.
Muhstik leverages IRC for its command and control and has consistently used the same infrastructure since its first appearance on the threat landscape. The botnet mainly spreads via home routers such as GPON home routers, DD-WRT routers, and the Tomato router. However, there are multiple attempted exploits for Linux server propagation, the researchers said.
A typical Muhstik attack involves several stages, beginning with a payload dubbed “pty” that is used to download other components. Once installed, the Muhstik malware contacts the IRC channel to receive commands to download an XMRig miner and a scanning module. The latter is used to grow the botnet by targeting other Linux servers and home routers.
The investigation into Muhstik’s attack infrastructure revealed some interesting correlations. The IRC C2 irc.de-zahlung.eu shared an SSL cert with the site jaygame.net, an amateur site about a game involving an Anime character named ‘Jay’. The site currently uses Google Analytics ID UA-120919167-1; a reverse Google Analytics search exposed 3 domains with records for the same ID (jaygame.net, fflyy.su, and kei.su).
“The two other domains linked to the analytics ID (ffly.su and kei.su) were also configured as C2s for various other Linux Tsunami malware linked to the same infrastructure. If the infrastructure is administered by a single attacker then we can presume it’s related,” the researchers noted.
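To make that pivot concrete, here is an added example (not code from the report or from Lacework) that clusters hosts by shared TLS certificate and Google Analytics ID. The domains and the GA ID are the ones named above; the certificate fingerprints, the HTML snippets and the `unrelated.example` host are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed observations for the domains named in the report. The GA ID is the
# one quoted in the article; certificate fingerprints are invented placeholders.
OBSERVATIONS = [
    {"domain": "irc.de-zahlung.eu", "cert_sha256": "CERT_A_PLACEHOLDER", "html": ""},
    {"domain": "jaygame.net", "cert_sha256": "CERT_A_PLACEHOLDER",
     "html": "<script>ga('create', 'UA-120919167-1', 'auto');</script>"},
    {"domain": "fflyy.su", "cert_sha256": "CERT_B_PLACEHOLDER",
     "html": "<script>gtag('config', 'UA-120919167-1');</script>"},
    {"domain": "kei.su", "cert_sha256": "CERT_C_PLACEHOLDER",
     "html": "<script src='https://www.googletagmanager.com/gtag/js?id=UA-120919167-1'></script>"},
    {"domain": "unrelated.example", "cert_sha256": "CERT_D_PLACEHOLDER",
     "html": "<script>ga('create', 'UA-999999999-1', 'auto');</script>"},
]

# Universal Analytics (UA-xxxx-y) and GA4 (G-xxxx) measurement IDs.
GA_ID_RE = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b")

def extract_ga_ids(html):
    """Return the set of Google Analytics tracking IDs embedded in a page."""
    return set(GA_ID_RE.findall(html))

def pivot_keys(obs):
    """Indicators that, when shared by two hosts, suggest common administration."""
    keys = {("cert", obs["cert_sha256"])}
    keys |= {("ga", gid) for gid in extract_ga_ids(obs["html"])}
    return keys

def cluster_infrastructure(observations):
    """Union-find: hosts sharing any pivot key land in the same cluster."""
    parent = {o["domain"]: o["domain"] for o in observations}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    first_seen = {}  # pivot key -> first domain observed with it
    for obs in observations:
        for key in pivot_keys(obs):
            if key in first_seen:
                parent[find(obs["domain"])] = find(first_seen[key])
            else:
                first_seen[key] = obs["domain"]
    clusters = defaultdict(set)
    for domain in parent:
        clusters[find(domain)].add(domain)
    return sorted(sorted(members) for members in clusters.values())
```

With these observations the IRC C2 joins the three analytics-linked domains in one cluster (via the certificate shared with jaygame.net), while the unrelated host stays on its own.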
“This related infrastructure has allowed possible attribution to what Lacework has dubbed ‘Wasp 8220’. This set of activity has been tied to other cryptomining variants and Linux backdoors. These all have links to the same malware upload path belonging to Chinese forensics firm Shen Zhou Wang Yun Information Technology Co., Ltd,” they added.
In the past, Shen Zhou Wang Yun Information Technology was linked by Intezer researchers to the HiddenWasp Linux malware.
According to Lacework, the original malware samples were uploaded to VirusTotal all at once before Muhstik attacks were observed in the wild.