The Muhstik botnet, also known as Mushtik, has targeted cloud infrastructure and IoT appliances for years. Its development is funded by cryptomining, carried out with open source tools such as XMRig and cgminer.
Here are some new facts about the Muhstik botnet and its activities.
First, what is Muhstik?
It also uses IRC servers for its command-and-control (C2) activities.
The Muhstik botnet appeared in 2018, but in December 2019 Palo Alto Networks identified a new variant that targets Tomato routers.
According to experts, the Muhstik botnet exploits vulnerabilities such as the Oracle WebLogic Server bugs CVE-2019-2725 and CVE-2017-10271, and an RCE bug in Drupal, CVE-2018-7600.
The security company Lacework provides more details about the Muhstik botnet:
A Muhstik attack is carried out in several stages.
In the first stage, a payload file (named "pty" followed by a number) is downloaded from the attacker's server. Lacework also provided some example URLs:
- hxxp://188.8.131.52/.y/pty2
- hxxp://184.108.40.206/.x/pty3
"After successful installation, Mushtik will contact the IRC channel to receive orders," says Chris Hall, security researcher at Lacework.
IRC servers serve as the C2 infrastructure used by the Muhstik botnet.
In most cases, Muhstik downloads the XMRig miner and a scan module. The scanning is used to grow the botnet by targeting other Linux servers and home routers.
In addition, according to the researchers, Muhstik reuses Mirai source code to encrypt its payload and scan-module configurations with single-byte XOR encryption.
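As an added illustration (not code from the article or from Lacework), the single-byte XOR scheme mentioned above can be undone during analysis by trying all 256 keys and scoring each candidate plaintext. The configuration blob below is constructed for the demonstration; the key 0x22 is the effective per-byte key of the published Mirai table obfuscation, used here only as a plausible value.

```python
# Added example: recover a single-byte XOR key from an obfuscated
# Mirai-style string table and decode it. Sample data is constructed.
from typing import List, Tuple

# Bytes we expect to dominate a config table: lowercase hostnames and
# paths, digits (ports), separators, and the NUL that terminates entries.
FAVORED = set(b"abcdefghijklmnopqrstuvwxyz0123456789./:-_\x00")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def score_plaintext(candidate: bytes) -> int:
    """Higher is more config-like: +2 favored, +1 other printable, -3 junk.
    A weighted score is needed because XOR with some keys maps printable
    bytes onto other printable bytes, so 'all printable' alone ties."""
    score = 0
    for b in candidate:
        if b in FAVORED:
            score += 2
        elif 0x20 <= b <= 0x7E:
            score += 1
        else:
            score -= 3
    return score


def recover_key(blob: bytes) -> Tuple[int, bytes]:
    """Brute-force all 256 keys; return the best (key, plaintext)."""
    best_key, best_score = 0, None
    for key in range(256):
        s = score_plaintext(xor_bytes(blob, key))
        if best_score is None or s > best_score:
            best_key, best_score = key, s
    return best_key, xor_bytes(blob, best_key)


def split_strings(plain: bytes) -> List[str]:
    """Split NUL-terminated table entries into Python strings."""
    return [p.decode("ascii", "replace") for p in plain.split(b"\x00") if p]


# Constructed sample: three entries (C2 host, payload path, port) XORed
# with the hypothetical key 0x22. The hostname is a reserved example name.
SAMPLE_KEY = 0x22
SAMPLE_BLOB = xor_bytes(b"irc.example.invalid\x00/.y/pty2\x006667\x00", SAMPLE_KEY)

if __name__ == "__main__":
    key, plain = recover_key(SAMPLE_BLOB)
    print(f"recovered key 0x{key:02x}:", split_strings(plain))
```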
As for the botnet's origin, Hall said: "IRC C2 irc.de-zahlung.eu was found to be sharing an SSL cert with jaygame.net".
"Jaygame.net is an amateur site for a game that includes an Anime character named 'Jay'. The site is currently using Google Analytics ID UA-120919167-1".
However, anyone (even a cybercriminal) can place the Google Analytics ID of a legitimate website on their own site.
Another domain with anime references, used by Muhstik, is pokemoninc.com.
Based on other such data, Lacework believes the Muhstik botnet is most likely linked to a Chinese company, specifically Shen Zhou Wang Yun Information Technology Co.
The samples contained many strings referring to "shenzhouwangyun" (e.g. /home/wys/shenzhouwangyun/shell/downloadFile/tomato.deutschland-zahlung.eu_nvr), which indicates that Shen Zhou Wang Yun is most likely the malware's creator.