Mushtik Botnet Threat Intel Advisory

Summary

CloudSEK Threat Intelligence Advisory on the Mushtik botnet, which targets IoT devices and cloud systems to mine cryptocurrency and exploits known vulnerabilities for initial access.
Type: Advisory
Malware: Botnet
Target: IoT/Cloud
TLP: Green
Mushtik targets IoT devices and cloud systems to mine cryptocurrency. It is able to exploit existing vulnerabilities in web applications as its initial vector of compromise.

Infrastructure

The primary method of propagation is via home routers such as GPON, DD-WRT and Tomato routers. Mushtik uses IRC servers for Command and Control (C2) to send instructions to the compromised systems. The botnet abuses the following vulnerabilities to compromise web systems:
  • Oracle WebLogic Server bugs (CVE-2019-2725 and CVE-2017-10271)
  • Drupal RCE flaw (CVE-2018-7600)
Mushtik operates in multiple stages, downloading an encrypted payload from the C2 server. The payload then installs XMRig and scanning modules that target servers, workstations and routers. It uses Mirai code to encrypt the configurations of its payload and scanning modules.
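To turn the exploitation vector above into something a defender can check, the following added example (not code from the advisory or from CloudSEK) scans web-server access logs for requests to the endpoints associated with the three listed CVEs. The endpoint patterns are the publicly documented vulnerable paths and are an assumption of this example, not taken from the page; the log lines are constructed samples using documentation addresses.

```python
"""Flag web requests to the endpoints associated with the three CVEs the
advisory lists. Detection-only: it reads access-log lines and reports the
source IP, CVE and path so the host can be checked for a follow-on payload."""
import re
from collections import Counter

# Apache/nginx "combined" log format; the constructed sample below follows it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Publicly documented vulnerable endpoints for the advisory's CVEs. These
# patterns are an assumption of this example, not taken from the advisory.
EXPLOIT_PATHS = {
    "CVE-2017-10271": re.compile(r"^/wls-wsat/", re.I),      # WebLogic WLS-WSAT
    "CVE-2019-2725": re.compile(r"^/_async/", re.I),         # WebLogic async component
    "CVE-2018-7600": re.compile(r"^/user/register\?.*element_parents=", re.I),  # Drupal
}


def classify(path):
    """Return the CVE whose endpoint pattern matches the request path, else None."""
    for cve, pattern in EXPLOIT_PATHS.items():
        if pattern.search(path):
            return cve
    return None


def scan_access_log(lines):
    """Return (source_ip, cve, path) for every request that hits a flagged endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than aborting the scan
        cve = classify(m["path"])
        if cve:
            hits.append((m["ip"], cve, m["path"]))
    return hits


def sources_by_hits(hits):
    """Count flagged requests per source IP, most active first."""
    return Counter(ip for ip, _, _ in hits).most_common()


# Constructed sample log lines (RFC 5737 documentation addresses, not real IoCs).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/May/2021:10:01:22 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/May/2021:10:02:01 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 211',
    '203.0.113.7 - - [12/May/2021:10:02:05 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0',
    '198.51.100.9 - - [12/May/2021:10:03:44 +0000] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1 HTTP/1.1" 200 1024',
    '10.0.0.5 - - [12/May/2021:10:04:00 +0000] "GET /user/register HTTP/1.1" 200 3001',
]

if __name__ == "__main__":
    for ip, cve, path in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {cve} {path}")
```

A hit is only an exploitation attempt, not proof of compromise; the host should then be checked for unexpected outbound downloads, new mining processes and IRC connections as the advisory describes.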

Impact

Technical Impact
  • User data could be at risk.
  • Cryptomining is a resource-intensive operation that consumes the computational power of the target information systems.
  • Once the attacker hijacks the router, they also take control of the user's traffic.
Business Impact
  • Security incidents lead to business loss, mainly of revenue and reputation.
  • Botnet compromise and the subsequent heavy resource utilization of crypto-mining processes limit users' access to the services provided by the affected information systems.
  • Weakens the overall security posture of the business, affecting client relationships.
  • Adverse impact on the confidentiality and integrity of data associated with the organization.
 

Mitigations

  • Effective vulnerability management of both hardware and software
  • Updated EDR/XDR solutions to detect anomalies on the host system
  • IDPS solutions to thwart the possibility of an attack
 

Indicators of Compromise

SHA256
IP/Domains
