The Muhstik botnet uses exploits for well-known web applications to compromise IoT devices, and it now targets Oracle WebLogic and Drupal.
Muhstik is a botnet known since around 2018 for using web application exploits to compromise IoT devices.
The operators monetize the botnet through XMRig and cgminer cryptomining and through DDoS-for-hire services.
The botnet uses IRC servers for command and control (C2). Experts found that it has been using the same infrastructure since it first appeared in the threat landscape.
The bot spreads by compromising home routers, but experts have also observed many attempts to compromise Linux servers. The targeted routers include the GPON home router, DD-WRT routers and Tomato routers.
According to researchers at the cloud security firm Lacework, Muhstik operators have added exploits for the Drupal and WebLogic web applications to their bot.
The bot contains exploits for the Oracle WebLogic Server vulnerabilities CVE-2019-2725 and CVE-2017-10271, and for a Drupal remote code execution vulnerability tracked as CVE-2018-7600.
Lacework's researchers analyzed the Muhstik bot's attack chain.
In the first phase of an attack, a payload downloads the remaining components. The payload is named pty followed by a number that indicates the target architecture. Some example download URLs:
- hxxp://159.89.156.190/.y/pty2
- hxxp://167.99.39.134/.x/pty3
After a successful installation, Muhstik contacts the IRC channel to receive commands. (For the Muhstik log, see the Execution section of the report.) Muhstik normally receives instructions to load the XMRig miner and the scan module. The scan module is used to grow the botnet by attacking other Linux servers and home routers.
Both the main payload and the Muhstik scanner obfuscate their configurations the same way the Mirai source code does, with a single-byte XOR using the key 0x22.
The decoded configuration of the Muhstik scan module contains common settings that are shared across different Mirai-based botnets.
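The single-byte XOR scheme described above is trivial to reverse once the key is known, and an analyst can also recover the key by searching a sample for XOR-encoded copies of strings that every Mirai-derived config table contains. The following Python is an added example, not code from Lacework or from the article; the marker strings and the sample buffer are constructed for illustration and are not Muhstik's real configuration.

```python
"""Decode and locate Mirai-style single-byte XOR config tables (Muhstik uses key 0x22)."""
import re

MUHSTIK_XOR_KEY = 0x22  # key reported for Muhstik's payload and scanner


def xor_bytes(data: bytes, key: int = MUHSTIK_XOR_KEY) -> bytes:
    """XOR every byte with a single-byte key; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def decode_config_entries(table: bytes, key: int = MUHSTIK_XOR_KEY, min_len: int = 4) -> list:
    """Decode an encoded table and return the printable strings it contains.
    Mirai-style tables are NUL-separated, so the decoded runs split cleanly."""
    plain = xor_bytes(table, key)
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, plain)]


def find_xored_markers(sample: bytes, markers, keys=range(1, 256)) -> dict:
    """Search a whole sample for XOR-encoded copies of known config strings,
    trying every single-byte key. Returns {marker: [(offset, key), ...]}.
    A hit reveals both the key and where the config table lives."""
    hits = {}
    for marker in markers:
        raw = marker.encode()
        for key in keys:
            encoded = xor_bytes(raw, key)
            off = sample.find(encoded)
            while off != -1:
                hits.setdefault(marker, []).append((off, key))
                off = sample.find(encoded, off + 1)
    return hits


# Constructed sample (hypothetical): an ELF-like header, padding, and a table
# of illustrative config strings encoded under 0x22. Not a real Muhstik sample.
_CONFIG_STRINGS = [b"/proc/", b"/bin/busybox", b"irc.example.invalid", b"MUHSTIK-SCAN"]
_TABLE = b"".join(xor_bytes(s + b"\x00") for s in _CONFIG_STRINGS)
SAMPLE = b"\x7fELF" + b"\x00" * 16 + _TABLE + b"\x00" * 8

if __name__ == "__main__":
    # Locate the table via a marker string, then decode it.
    hits = find_xored_markers(SAMPLE, ["/bin/busybox"])
    print("marker hits:", hits)
    print("decoded table:", decode_config_entries(_TABLE))
```

A useful triage tell: under key 0x22 every NUL separator in the table becomes the byte 0x22 (a double-quote character), so `strings` output of such a sample shows long runs of `"` where the encoded table sits.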
Analysis of the botnet's attack infrastructure revealed a number of interesting correlations. The IRC C2 irc.de-zahlung.eu shared an SSL certificate with jaygame.net, an amateur site about a game with an anime character named Jay. The website currently uses the Google Analytics ID UA-120919167-1, and a reverse lookup of that ID identified the following three domains using the same ID:
Two other domains tied to the analytics ID (ffly.su and kei.su) are also configured as C2 for several other Linux Tsunami malware samples linked to the same infrastructure. If the infrastructure is managed by a single attacker, the activity can be assumed to be related. This associated infrastructure gave a reference to what Lacework has named the 8220 group. This cluster of activity was linked to other cryptomining operations and Linux backdoors. All share the same malware download path, which is owned by Shen Zhou Wang Yun Information Technology Co., Ltd. of China.
The researchers linked the Muhstik botnet to Shen Zhou Wang Yun Information Technology Co., Ltd, a Chinese forensics company.
The experts also noted that the original malware samples were uploaded to VirusTotal shortly before Muhstik was released into the wild.
The samples contain several strings mentioning Shenzhouwangyun, e.g. /home/wys/shenzhouwangyun/shell/downloadFile/tomato.deutschland-zahlung.eu_nvr, suggesting that the malware was developed by Shen Zhou Wang Yun.
The report also provides an updated list of indicators of compromise (IoCs) related to the recent attacks.
Pierluigi Paganini
(Security Affairs – hacking, botnet)