Mushtik IoT Botnet Targets Popular Cloud Servers

What you need to know

• The Muhstik gang has a multi-layered attack strategy that importantly involves a payload named pty that helps downloads other malicious components and then contacts IRC servers—the botnet’s C2 infrastructure—to receive commands.
• Muhstik has been using the XMRmrig miner and scanning modules to target other Linux servers and home routers, along with Mirai source code to encrypt the configurations of its payload and scanning module.
• Its primary method of propagation is via home routers such as GPON home router, DD-WRT router, and Tomato router.
• Muhstik has actively exploited web application exploits in Oracle WebLogic Server bugs (CVE-2019-2725 and CVE-2017-10271) and Drupal RCE flaw (CVE-2018-7600).

Worth noting

• The botnet has been found to be linked to a Chinese forensics firm Shen Zhou Wang Yun Information Technology Co., Ltd.
• Other notable characteristics in Muhstik malware and infrastructure include the use of a Google Analytics ID and references to anime character ‘Jay’ from a game at Jaygame.net.

Recent botnet attacks on IoT devices

• Last month, a botnet named HEH was being distributed with the capabilities to wipe all data from infected systems, such as routers, servers, and IoT devices.
• InterPlanetary Storm malware operators had released a new variant to target IoT devices located in 84 different countries around the world.

Security tips