Muhstik bots

IoT botnet operators keep expanding their arsenal by adding new scanners and exploits to harvest new IoT devices. One such popular botnet Muhstik, also known as Muhstik, has been observed targeting cloud infrastructures by leveraging several web application exploits.

What you need to know

• The Muhstik gang has a multi-layered attack strategy that importantly involves a payload named pty that helps downloads other malicious components and then contacts IRC servers—the botnet’s C2 infrastructure—to receive commands.
• Muhstik has been using the XMRmrig miner and scanning modules to target other Linux servers and home routers, along with Mirai source code to encrypt the configurations of its payload and scanning module.
• Its primary method of propagation is via home routers such as GPON home router, DD-WRT router, and Tomato router.
• Muhstik has actively exploited web application exploits in Oracle WebLogic Server bugs (CVE-2019-2725 and CVE-2017-10271) and Drupal RCE flaw (CVE-2018-7600).

Worth noting

• The botnet has been found to be linked to a Chinese forensics firm Shen Zhou Wang Yun Information Technology Co., Ltd.
• Other notable characteristics in Muhstik malware and infrastructure include the use of a Google Analytics ID and references to anime character ‘Jay’ from a game at Jaygame.net.

Security tips

Experts recommend that users should be cautious when installing open-source firmware and pay attention to security updates and maintenance patches necessary to keep devices safeguarded. In addition, regular scans and instant patches for vulnerabilities are advisable.