Muhstik botnet adds Oracle WebLogic and Drupal exploits (Security Affairs)

December 12, 2020 by tuio

The Muhstik botnet uses exploits for well-known web applications to compromise IoT devices; it now also targets Oracle WebLogic and Drupal.

Muhstik is a botnet known for using web application exploits to compromise IoT devices; it has been active since around 2018.

The botnet's operators monetise it through cryptomining with XMRig and cgminer and through DDoS-for-hire.

The botnet uses IRC servers for command and control (C2) communication. Experts found that it has used the same infrastructure since it first appeared in the threat landscape.

The bot spreads mainly by compromising home routers, though experts have also observed many attempts to compromise Linux servers. The targeted routers include GPON home routers, DD-WRT routers and Tomato routers.

According to researchers at Lacework, a company specialising in cloud security, Muhstik's operators have added exploits for Drupal and WebLogic to their bot.

The bot contains exploits for the Oracle WebLogic Server vulnerabilities CVE-2019-2725 and CVE-2017-10271 and for a Drupal RCE vulnerability tracked as CVE-2018-7600.

Lacework's researchers analysed the Muhstik bot's attack chain.

In the first stage of an attack, a loader payload downloads the remaining components. This payload is named pty followed by a number that indicates the target architecture. Some example download URLs:

  • hxxp://159.89.156.190/.y/pty2
  • hxxp://167.99.39.134/.x/pty3

After a successful installation, Muhstik contacts its IRC channel to receive commands. (For more details on Muhstik's logging, see the post-execution section of Lacework's report.) Normally Muhstik receives instructions to download the XMRig miner and the scan module. The scan module is used to grow the botnet by attacking other Linux servers and home routers.
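As an added example for defenders (not code from the article or from Lacework's report), the following scans outbound web or proxy log lines for the stage-one download pattern described above: a dot-prefixed directory and a file named pty followed by an architecture number. The two hosts in the known-host set are the ones in the article's example URLs; the log format is a constructed one (timestamp, client, method, URL per line) rather than any particular product's, and the sample log lines are constructed.

```python
import re
from typing import Iterable, NamedTuple

# Added example, not from the article or from Lacework's report. It scans
# outbound web/proxy log lines for the stage-one download pattern the article
# describes: a dot-prefixed directory and a file named "pty" plus an
# architecture number. The log format is constructed (timestamp, client,
# method, URL per line), not any particular product's.

# Loader naming scheme described in the article: http://<host>/.<dir>/pty<N>
PTY_DOWNLOAD = re.compile(
    r"https?://(?P<host>[^/\s]+)/\.[A-Za-z0-9]+/pty(?P<arch>\d+)\b"
)

# Download hosts from the article's example URLs (page IoCs). The pattern match
# above still fires for hosts not in this set, at lower confidence.
KNOWN_HOSTS = {"159.89.156.190", "167.99.39.134"}


class Hit(NamedTuple):
    line_no: int
    client: str
    host: str
    arch: str
    known_host: bool  # True when the host is one of the published IoCs


def scan_proxy_log(lines: Iterable[str]) -> list[Hit]:
    """Return one Hit per log line whose URL matches the loader naming scheme."""
    hits: list[Hit] = []
    for line_no, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip it rather than abort the sweep
        match = PTY_DOWNLOAD.search(fields[3])
        if match is None:
            continue
        host = match["host"]
        hits.append(Hit(line_no, fields[1], host, match["arch"], host in KNOWN_HOSTS))
    return hits


# Constructed sample log: two benign requests, one hit on a published IoC host,
# and one hit on an unlisted host that still follows the naming scheme.
SAMPLE_LOG = [
    "2020-12-10T08:00:00Z 10.0.0.12 GET http://159.89.156.190/.y/pty2",
    "2020-12-10T08:00:01Z 10.0.0.12 GET http://example.invalid/index.html",
    "2020-12-10T08:00:02Z 10.0.0.31 GET http://198.51.100.7/.z/pty5",
    "2020-12-10T08:00:03Z 10.0.0.40 GET http://example.invalid/empty/pty",
]


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        confidence = "high (published IoC host)" if hit.known_host else "medium (pattern only)"
        print(f"line {hit.line_no}: {hit.client} -> {hit.host} pty{hit.arch} [{confidence}]")
```

Matching on the naming scheme rather than only on the two published addresses is deliberate: loader hosts change often, so the pattern gives a medium-confidence signal on new infrastructure while a hit on a published host is reported at high confidence.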

Both the main payload and the Muhstik scanner module obfuscate their configurations the way the Mirai source code does, with a single-byte XOR using the key 0x22.

The decoded configuration of the Muhstik scan module contains common settings shared by various Mirai-based botnets.
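The following added example (not code from the article or from Lacework's report) shows why the Mirai scheme amounts to a single-byte XOR with 0x22 and how an analyst decodes such a configuration table. The public Mirai source toggles each byte of a table entry with the four bytes of the key 0xdeadbeef in turn, and 0xde ^ 0xad ^ 0xbe ^ 0xef equals 0x22. The sample table, the entry strings and the key-recovery heuristic are constructed here; only the Mirai key and the 0x22 relationship come from the malware family itself.

```python
"""Mirai-style config obfuscation as described for Muhstik's payload and scanner.

Added example, not code from the article or from Lacework's report. Mirai's
public source (table.c) keeps config strings in a table and toggles each byte
with the four bytes of the key 0xdeadbeef in sequence. Because
0xde ^ 0xad ^ 0xbe ^ 0xef == 0x22, the scheme is a single-byte XOR with 0x22,
so decoding a dumped config takes one pass with that key.
"""

MIRAI_KEY = 0xDEADBEEF  # key in the public Mirai source; the 0x22 below follows from it


def mirai_key_bytes(key: int = MIRAI_KEY) -> tuple:
    """Split the 32-bit key into the four byte values applied in turn."""
    return tuple((key >> shift) & 0xFF for shift in (24, 16, 8, 0))


def effective_single_byte_key(key: int = MIRAI_KEY) -> int:
    """XOR of the four key bytes: the single byte each data byte is really XORed with."""
    k = 0
    for b in mirai_key_bytes(key):
        k ^= b
    return k


def toggle_obf(data: bytes, key: int = MIRAI_KEY) -> bytes:
    """Mirai's toggle_obf(): XOR every byte with k1, then k2, k3, k4. It is its own inverse."""
    k1, k2, k3, k4 = mirai_key_bytes(key)
    return bytes(b ^ k1 ^ k2 ^ k3 ^ k4 for b in data)


def xor_single(data: bytes, key: int = 0x22) -> bytes:
    """The one-pass equivalent an analyst runs over a dumped config blob."""
    return bytes(b ^ key for b in data)


# Bytes expected in a decoded Mirai-style table: NUL separators plus the
# characters of hostnames, ports, paths and binary names (a constructed heuristic).
_EXPECTED = set(b"\x00abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./-_:")


def recover_single_byte_key(blob: bytes) -> int:
    """Brute-force all 256 single-byte keys and keep the one whose output looks
    most like a config table (highest count of bytes in _EXPECTED)."""
    return max(range(256), key=lambda k: sum((b ^ k) in _EXPECTED for b in blob))


def split_table(decoded: bytes) -> list:
    """Mirai stores each table entry NUL-terminated; split a decoded blob into entries."""
    return [entry for entry in decoded.split(b"\x00") if entry]


# Constructed sample table: placeholder values, not Muhstik's real configuration.
SAMPLE_ENTRIES = [
    b"irc.c2.invalid",      # constructed C2 hostname
    b"6667",                # constructed IRC port
    b"/tmp/.sample-dir",    # constructed drop path
    b"busybox",             # string Mirai-family scanners commonly carry
]
# The blob as it would sit inside the binary: entries NUL-terminated, XORed with 0x22.
SAMPLE_BLOB = xor_single(b"\x00".join(SAMPLE_ENTRIES) + b"\x00")


if __name__ == "__main__":
    print(f"effective key derived from 0xdeadbeef: 0x{effective_single_byte_key():02x}")
    k = recover_single_byte_key(SAMPLE_BLOB)
    print(f"key recovered from the sample blob:     0x{k:02x}")
    for entry in split_table(xor_single(SAMPLE_BLOB, k)):
        print("  ", entry.decode())
```

The brute-force recovery is what makes this useful beyond Muhstik: a Mirai derivative that changes the key still decodes with the same pass, and the printable-table heuristic picks the key out without prior knowledge of it.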

Analysis of the botnet's attack infrastructure revealed a number of interesting correlations. The IRC C2 irc.de-zahlung.eu shared an SSL certificate with jaygame.net, an amateur site about a game with an anime character named Jay. That website currently uses the Google Analytics ID UA-120919167-1, and a reverse search on Google Analytics identified the following three domains with the same ID:

Two other domains tied to the analytics ID (ffly.su and kei.su) are also configured as C2 for several other Linux Tsunami malware samples linked to the same infrastructure. If the infrastructure is managed by a single actor, it is reasonable to assume these are related. This associated infrastructure also provided a link to the activity Lacework calls Wasp 8220. That cluster of activity was linked to other cryptomining campaigns and Linux backdoors. All share links to the same malware download path, which is owned by Shen Zhou Wang Yun Information Technology Co., Ltd. of China.

Muhstik communication infrastructure

The researchers linked the Muhstik botnet to Shen Zhou Wang Yun Information Technology Co., Ltd., a Chinese forensics company.

The experts also noted that the original malware samples were uploaded to VirusTotal just before Muhstik was released in the wild.

The samples contain various strings mentioning Shenzhouwangyun, e.g. /home/wys/shenzhouwangyun/shell/downloadFile/tomato.deutschland-zahlung.eu_nvr, suggesting that the malware was developed by Shen Zhou Wang Yun.

The post also provides updated indicators of compromise (IoCs) related to the recent attacks.

Pierluigi Paganini

(Security Affairs – hacking, botnet)
