
Muhstik Botnet

Muhstik is a botnet that uses compromised websites to launch distributed denial-of-service (DDoS) attacks and install cryptocurrency mining malware.

The threat actors are currently targeting and exploiting websites running vulnerable versions of the Drupal content management system. Over one million websites are potentially affected if left unpatched.

The Muhstik botnet exploits a Drupal vulnerability (CVE-2018-7600) that affects versions 6, 7, and 8 of Drupal’s CMS platform. “This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,” warned MITRE’s Common Vulnerabilities and Exposures bulletin on March 28.

When a server has been compromised, Muhstik downloads a scanning module and attempts to find other vulnerable hosts. It uploads any potential targets to Command and Control servers, which use Internet Relay Chat to issue commands.

Compromised servers are used to launch DDoS attacks and to mine the Bitcoin and Monero cryptocurrencies.



Muhstik is a variant of the Tsunami botnet. Its features include:

  • Worm Propagation
  • Persistence
  • Xmrig to mine XMR cryptocurrency coins with a self-built mining pool
  • Cgminer to mine BTC cryptocurrency coins, using multiple mining pools, all with username reb0rn.D3
  • DDoS capability to attack networks at the owner’s command
  • Vulnerability scanner that utilizes 7 exploits to spread Muhstik to other vulnerable servers
  • SSH brute-force scanning for gaining access to servers with weak passwords
  • IRC-based Command and Control with 11 hard-coded URLs for communication

Hosts To Block


Affected Platforms

  • Drupal – All versions prior to 8.5.1/8.4.6/8.3.9/7.58
  • ClipBucket, DasanNetwork Solution, Oracle WebLogic Server, WebDAV, Webuzo, WordPress
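As an added check (example code, not from the original article): a small Python helper that maps an installed Drupal version to the fixed release for its branch, using the fix versions listed above. How it treats Drupal 6/7/8 branches for which the article lists no fixed release is this example's assumption.

```python
# Added example, not from the original post: decide whether an installed Drupal
# version is still exposed to CVE-2018-7600 according to the fixed releases the
# article lists (8.5.1 / 8.4.6 / 8.3.9 / 7.58). The branch-to-fix mapping comes
# from the article; treating other 6.x/7.x/8.x branches as "unsupported" (and
# therefore exposed) is this example's assumption.

FIXED_RELEASES = {
    (8, 5): (8, 5, 1),
    (8, 4): (8, 4, 6),
    (8, 3): (8, 3, 9),
    (7,): (7, 58),
}


def parse_version(text):
    """Turn '8.4.5' or '7.57' into a tuple of ints.
    A pre-release suffix such as '8.5.0-rc1' is dropped before comparing."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError("unrecognised Drupal version: %r" % text)
    return tuple(int(p) for p in parts)


def assess(version_text):
    """Return (status, fixed_release) for the given Drupal version.
    status is 'patched' (at or above the branch fix), 'vulnerable' (below it)
    or 'unsupported' (a 6.x/7.x/8.x branch with no fixed release listed)."""
    v = parse_version(version_text)
    # Drupal 7 has a single fix for the whole major; Drupal 8 is fixed per minor.
    branch_key = v[:1] if v[0] == 7 else v[:2]
    fix = FIXED_RELEASES.get(branch_key)
    if fix is None:
        if v[0] in (6, 7, 8):
            return "unsupported", None
        raise ValueError("version %s is outside the affected majors" % version_text)
    fixed = ".".join(str(n) for n in fix)
    return ("patched" if v >= fix else "vulnerable"), fixed


if __name__ == "__main__":
    # Constructed sample inventory of site versions to check.
    for site, ver in [("shop", "8.4.5"), ("blog", "7.58"), ("intranet", "6.38")]:
        print(site, ver, assess(ver))
```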





Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
