​A new variant of Muhstik botnet leverages the latest WebLogic Server vulnerability for propagation

• The vulnerability is tracked as a deserialization vulnerability and has been assigned CVE-2019-2725.
• The vulnerability impacts the versions 10.3.6.0.0 and 12.1.3.0.0 of WebLogic Server.

Security researchers have discovered a new variant of the Linux Muhstik botnet that spreads by exploiting the latest WebLogic server vulnerability. The vulnerability is tracked as a deserialization vulnerability and has been assigned CVE-2019-2725.

About the flaw

The vulnerability in question impacts the versions 10.3.6.0.0 and 12.1.3.0.0 of WebLogic Server. Successful exploitation of the vulnerability can allow an unauthenticated attacker with network access via HTTP to take over the Oracle WebLogic Server. The flaw has been given a rating of 3 on the Common Vulnerability Scoring System.

About Muhstik botnet

The Muhstik botnet has been around since March 2018. It includes the wormlike self-propagating capability to infect Linux servers and IoT devices. Once launched, the botnet downloads cryptomining malware to steal cryptocurrencies. The botnet is also capable of launching DDoS attacks.

According to Palo Alto Networks’ Unit 42 researchers, the botnet has leveraged multiple vulnerabilities in the past to infect different Linux services.

“Muhstik has used multiple vulnerability exploits to infect different Linux services, including WebLogic, WordPress and Drupal. Muhstik had previously adopted an earlier WebLogic vulnerability exploit (CVE-2017-10271), but adding this exploit to its toolkit will increase the number of systems it can infect,” said researchers in a blog post.

Discovery of the new Muhstik sample

The researchers used a tool named WildFire Linux analyzer to capture malicious traffic from three new Mushtik samples. It was found the new sample received commands from a particular IP address - 165.227.78[.]159.

“The exploit payload only includes one shell command to download the wl.php from the IP address 165.227.78[.]159. Even though the wl.php cannot be downloaded successfully currently, we believe that it is very likely to be a PHP webshell. The IP address 165.227.78[.]159 previously was used by Mushtik botnet as a reporting server to collect information of bots. But now, this IP address could be also used as a payload host server,” researchers noted.

How to stay safe?

Oracle has released a security advisory for the vulnerability. Make sure to follow the instructions in order to avoid falling victim to the attack. Furthermore, researchers claim that there is a high possibility that the vulnerability can be exploited by other malware families in the future.