
Muhstik Malware

The Muhstik botnet, notorious for distributed denial-of-service (DDoS) attacks, has been spotted exploiting a recently patched vulnerability in Apache RocketMQ to hijack vulnerable servers and extend the botnet's reach. Muhstik, a long-standing threat, targets IoT (Internet-of-Things) devices and Linux servers; infected hosts are put to work mining cryptocurrency and launching DDoS attacks.

The Muhstik Botnet Exploits Software Vulnerabilities to Infect Devices

Since Muhstik was first documented in 2018, its attack campaigns have consistently seeded new infections by exploiting known security vulnerabilities, particularly in web applications.

The most recent exploit to emerge targets CVE-2023-33246, a critical flaw in Apache RocketMQ. The affected components (NameServer, Broker and Controller) expose management functions without any permission check, so a remote, unauthenticated attacker can execute arbitrary commands as the user the RocketMQ service runs as, either through the update configuration function or by forging RocketMQ protocol content.

After exploiting this vulnerability to gain initial access, threat actors execute a shell script hosted on a remote IP address. This script is responsible for fetching the Muhstik binary ('pty3') from a separate server.

Avoiding Detection to Deliver Its Harmful Payload

The RocketMQ flaw itself is only the foothold: the command the attacker is able to run on the broker host is a downloader, and the Muhstik binary arrives in the second stage.

To maintain persistence on the compromised host, the malware binary is copied to several directories, and /etc/inittab, the file that SysV-style init (including the BusyBox init found on many IoT devices) reads at boot, is modified so that the malicious process is restarted automatically. This only works where /etc/inittab is honoured: systemd-based distributions ignore the file, so on those hosts a rogue inittab entry is a useful indicator of compromise rather than a working persistence mechanism.

Moreover, the malware binary is named 'pty3' so that it resembles a pseudoterminal ('pty') in process listings and evades a casual glance. Another evasion tactic is copying the malware into /dev/shm, /var/tmp, /run/lock and /run during persistence. On a typical Linux system /dev/shm, /run and /run/lock are tmpfs (memory-backed) mounts, so those copies execute from memory, leave little on persistent storage and vanish at reboot; a boot-time inittab entry can therefore only relaunch a copy that sits on disk, such as the one in /var/tmp.
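The persistence and staging behaviour described above can be turned into a simple host triage check. The script below is an added example, not code from the original article or from any vendor's tooling: it parses /etc/inittab for entries that launch a program from one of the drop directories (or a program named pty3) and looks for pty3 directly inside those directories. The indicator values come from the text; /tmp is added to the directory list as an assumption, and the sample inittab and file listing are constructed for illustration.

```python
"""Triage for the Muhstik persistence indicators described in the article.

Added example, not code from the original article or from any vendor tool.
Indicator values ('pty3', the drop directories, /etc/inittab respawn entries)
come from the article; the sample inittab and file listing are constructed.
"""
import os
import re
from dataclasses import dataclass

# Drop directories named in the article; /tmp is added here as an assumption.
DROP_DIRS = ("/dev/shm", "/var/tmp", "/run/lock", "/run", "/tmp")
BINARY_NAME = "pty3"
DROP_DIR_RE = re.compile(r"^(" + "|".join(re.escape(d) for d in DROP_DIRS) + r")/")

# inittab actions that launch a program (the implant uses respawn).
START_ACTIONS = {"respawn", "once", "wait", "boot", "bootwait", "sysinit"}


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def suspicious_inittab_entries(inittab_text: str) -> list[Finding]:
    """Flag inittab lines that launch a program from a drop directory or named pty3."""
    findings = []
    for raw in inittab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 3)  # inittab format: id:runlevels:action:process
        if len(parts) != 4:
            continue
        entry_id, _runlevels, action, process = parts
        words = process.strip().split()
        if not words or action not in START_ACTIONS:
            continue
        program = words[0]
        if DROP_DIR_RE.match(program) or os.path.basename(program) == BINARY_NAME:
            findings.append(Finding("inittab", f"{entry_id}: {action} {process.strip()}"))
    return findings


def dropped_binaries(paths: list[str]) -> list[Finding]:
    """Flag files named pty3 that sit directly inside one of the drop directories."""
    findings = []
    for path in paths:
        directory, name = os.path.split(path)
        if name == BINARY_NAME and directory.rstrip("/") in DROP_DIRS:
            findings.append(Finding("dropped_binary", path))
    return findings


def scan_host(inittab_path: str = "/etc/inittab", drop_dirs=DROP_DIRS) -> list[Finding]:
    """Run both checks against the live host; missing files and directories are skipped."""
    findings = []
    try:
        with open(inittab_path, encoding="utf-8", errors="replace") as fh:
            findings += suspicious_inittab_entries(fh.read())
    except OSError:
        pass  # systemd hosts usually have no /etc/inittab at all
    listing = []
    for d in drop_dirs:
        try:
            listing += [os.path.join(d, entry) for entry in os.listdir(d)]
        except OSError:
            continue
    findings += dropped_binaries(listing)
    return findings


# Constructed sample input (not real host data). The last inittab line is the
# kind of entry an implant would append so the bot restarts after reboot.
SAMPLE_INITTAB = """\
# /etc/inittab: init(8) configuration.
id:2:initdefault:
si::sysinit:/etc/init.d/rcS
1:2345:respawn:/sbin/getty 38400 tty1
x1:2345:respawn:/dev/shm/pty3
"""
SAMPLE_FILES = ["/dev/shm/pty3", "/var/tmp/pty3", "/run/lock/LCK..ttyS0", "/usr/bin/python3"]

if __name__ == "__main__":
    for f in suspicious_inittab_entries(SAMPLE_INITTAB) + dropped_binaries(SAMPLE_FILES):
        print(f"[{f.kind}] {f.detail}")
    for f in scan_host():
        print(f"[live:{f.kind}] {f.detail}")
```

Run it as root on a suspect host so that /run/lock and /dev/shm are fully readable. The inittab check is deliberately broader than the file name: a legitimately named program launched from a tmpfs or world-writable directory at boot is suspicious on its own, because nothing a distribution ships starts from there.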

Attackers May Exploit the Infected Devices in Numerous Ways

Muhstik is equipped with capabilities to gather system metadata, move laterally across devices via Secure Shell (SSH), and establish communication with a Command-and-Control (C2) domain using the Internet Relay Chat (IRC) protocol.

The ultimate aim of this malware is to enlist compromised devices in various flooding attacks against specific targets, effectively inundating their network resources and causing denial-of-service disruptions.

Despite more than a year having passed since the public disclosure of the flaw, 5,216 instances of Apache RocketMQ were still exposed on the internet at the time of writing. Organizations running RocketMQ should upgrade to a release that contains the fix (4.9.6 or later on the 4.x line, 5.1.1 or later on the 5.x line) and, independently of the version, confirm that the NameServer (TCP 9876 by default) and broker (TCP 10911 by default) ports are not reachable from the internet, since the affected management functions require no authentication.
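A fleet-wide version check makes the upgrade advice above actionable. The script below is an added example, not code from the original article or from the RocketMQ project: it parses a version string and decides whether it is at or above the fix release of its line. The fixed versions (4.9.6 and 5.1.1) come from the Apache security advisory rather than from the article, and the assumption that any major line newer than 5.x post-dates the fix is marked in the code. The parser accepts both dotted strings and the V-underscore form (e.g. V5_1_0) that the RocketMQ admin tooling prints; the sample fleet listing is constructed.

```python
"""Decide whether an Apache RocketMQ version carries the CVE-2023-33246 fix.

Added example, not code from the original article or from the RocketMQ
project. Fixed versions (4.9.6 for 4.x, 5.1.1 for 5.x) come from the Apache
security advisory. The sample fleet listing below is constructed.
"""
import re

# First release in each supported line that contains the fix.
FIXED_IN = {4: (4, 9, 6), 5: (5, 1, 1)}

# Accepts "4.9.4", "v5.1.0", "V5_1_0" and "5.1.1-SNAPSHOT".
_VERSION_RE = re.compile(r"^\s*[vV]?(\d+)[._](\d+)[._](\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch); raise ValueError on unrecognised input."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised RocketMQ version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_patched(text: str) -> bool:
    """True if the version is at or above the fix release of its major line."""
    version = parse_version(text)
    major = version[0]
    if major in FIXED_IN:
        return version >= FIXED_IN[major]
    # Assumption: lines older than 4.x never received a fix, and any major line
    # newer than 5.x was released after the advisory and therefore carries it.
    return major > max(FIXED_IN)


def triage(versions: dict[str, str]) -> dict[str, str]:
    """Map broker name -> 'ok' / 'VULNERABLE' / 'unknown' for a fleet listing."""
    result = {}
    for broker, text in versions.items():
        try:
            result[broker] = "ok" if is_patched(text) else "VULNERABLE"
        except ValueError:
            result[broker] = "unknown"
    return result


# Constructed sample fleet listing (not real scan data).
SAMPLE_FLEET = {
    "broker-a": "V4_9_4",
    "broker-b": "5.1.0",
    "broker-c": "5.1.1",
    "broker-d": "4.9.6",
    "broker-e": "not-a-version",
}

if __name__ == "__main__":
    for broker, status in triage(SAMPLE_FLEET).items():
        print(f"{broker}: {status}")
```

The per-broker version strings can be taken from the Version column that `mqadmin clusterList -n <nameserver-address>` prints for each broker; treat an "unknown" result as something to investigate rather than ignore, since a broker that cannot report a parsable version is usually an unmanaged one.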

Furthermore, previous campaigns have shown cryptomining activity following Muhstik execution. The two activities complement each other: the bot spreads to more machines, and each newly infected machine contributes its computational power to the operators' cryptocurrency mining.
