Saturday, January 16, 01:12

Lacework: New information on the activities of the Muhstik botnet

The Muhstik botnet (also spelled Mushtik) has targeted cloud infrastructure and IoT appliances for years. Its development is funded by cryptomining, carried out with open source tools such as XMRig and cgminer.

Here are some new facts about the Muhstik botnet and its activities.

Muhstik botnet

First, what is Muhstik?

Muhstik is a botnet that exploits known vulnerabilities to compromise IoT devices for the purpose of cryptomining.

It also uses IRC servers for its command-and-control (C2) activities.

The Muhstik botnet first appeared in 2018, and in December 2019 Palo Alto Networks identified a new variant that targets Tomato routers.

According to experts, the Muhstik botnet exploits vulnerabilities such as the Oracle WebLogic Server bugs CVE-2019-2725 and CVE-2017-10271, and the Drupal RCE flaw CVE-2018-7600.

The company Lacework provides more information about the Muhstik botnet:

A Muhstik attack is executed in several stages.

In the first stage, a payload file (named "pty" followed by a number) is downloaded from the attacker's server. Lacework also provided some example URLs:

  • hxxp://
  • hxxp://

"After successful installation, Muhstik will contact the IRC channel to receive orders," says Chris Hall, security researcher at Lacework.

The IRC servers are the C2 infrastructure used by the Muhstik botnet.

In most cases, Muhstik downloads the XMRig miner and a scan module. The scanning serves to grow the botnet by targeting other Linux servers and home routers.

In addition, according to the researchers, Muhstik reuses Mirai source code to encrypt the payload and scan module configurations with single-byte XOR encryption.
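To illustrate the single-byte XOR scheme described above from an analyst's side, the following Python script is an added example (not code from Lacework, the page, or the malware): it brute-forces the XOR key of a configuration blob by scoring how config-like each candidate decoding looks, then splits out the NUL-terminated entries. The sample blob, its key 0xA5, and the NUL-separated layout are constructed assumptions for the demo.

```python
"""Recover configuration strings hidden behind single-byte XOR, the scheme
Mirai-derived bots use for payload and scanner configs.
Added example; the sample blob below is constructed, not a real config."""
from typing import List, Optional

# Bytes a decoded config may legitimately contain: printable ASCII plus NUL,
# which Mirai-style config tables use to terminate entries.
ALLOWED = set(range(0x20, 0x7F)) | {0x00}
# Bytes that look like real config content (hostnames, ports, paths, separators).
# Uppercase is deliberately excluded so wrong keys are less likely to score well.
LIKELY = set(b"abcdefghijklmnopqrstuvwxyz0123456789./:-_") | {0x00}


def xor_bytes(data: bytes, key: int) -> bytes:
    """Mirai applies its 4-byte table key one byte at a time, which collapses
    to a single XOR byte, so a single byte is all that has to be recovered."""
    return bytes(b ^ key for b in data)


def score_plaintext(candidate: bytes) -> float:
    """0.0 if any byte is impossible for a config; otherwise the fraction of
    bytes that look like hostname/port/path content."""
    if not candidate or any(b not in ALLOWED for b in candidate):
        return 0.0
    return sum(b in LIKELY for b in candidate) / len(candidate)


def recover_key(blob: bytes, min_score: float = 0.9) -> Optional[int]:
    """Try all 256 keys; return the best one, or None when no decoding looks
    like a config (the blob is probably not single-byte XOR at all)."""
    best_key, best_score = None, 0.0
    for key in range(256):
        s = score_plaintext(xor_bytes(blob, key))
        if s > best_score:
            best_key, best_score = key, s
    return best_key if best_score >= min_score else None


def decode_config(blob: bytes) -> List[str]:
    """Decode the blob and split it into its NUL-terminated entries."""
    key = recover_key(blob)
    if key is None:
        return []
    plain = xor_bytes(blob, key)
    return [e.decode("ascii") for e in plain.split(b"\x00") if e]


# Constructed sample: an IRC C2 host, port and payload path, obfuscated with
# an assumed key of 0xA5 (not a key taken from any real malware).
SAMPLE_KEY = 0xA5
SAMPLE_PLAIN = b"irc.example.invalid\x006667\x00/tmp/pty3\x00"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    print(recover_key(SAMPLE_BLOB), decode_config(SAMPLE_BLOB))
```

Run against a real dump, the same scoring rejects blobs that are not single-byte XOR (it returns None rather than a random key), which is the check to make before trusting any decoded strings as indicators.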

As for the botnet's origin, Hall said: "IRC C2 was found to be sharing an SSL cert with".

" is an amateur site for a game that includes an anime character named "Jay". The site is currently using Google Analytics ID UA-120919167-1."

However, anyone (even a cybercriminal) can include a legitimate website's Google Analytics ID on their own site.

Another domain with anime references used by Muhstik is

Looking at other such data, Lacework believes the Muhstik botnet is most likely linked to a Chinese company, specifically Shen Zhou Wang Yun Information Technology Co.

According to the researchers, the original malware samples were uploaded to VirusTotal before the Muhstik attacks.

These samples contained many strings referring to "shenzhouwangyun" (e.g. /home/wys/shenzhouwangyun/shell/downloadFile/tomato.deutschland-zahlung.eu_nvr), which indicates that Shen Zhou Wang Yun is most likely the malware creator.

