Mushtik Botnet Threat Intel Advisory

Published 08 December 2020


  • Mushtik is a botnet that mines cryptocurrency by compromising IoT devices and cloud systems.
  • Mushtik exploits known vulnerabilities in web applications to compromise the host.


Type: Advisory
Malware: Botnet
Target: IoT/Cloud
TLP: Green

Mushtik targets IoT devices and cloud systems to mine cryptocurrency. It has the ability to exploit existing vulnerabilities in web applications as an initial vector of compromise.

Infrastructure

The primary propagation method is via home routers such as GPON, DD-WRT and Tomato routers. Mushtik uses IRC servers for Command and Control (C2) to send instructions to the compromised systems. The botnet abuses the following vulnerabilities to compromise web systems:

  • Oracle WebLogic Server bugs (CVE-2019-2725 and CVE-2017-10271)
  • Drupal RCE flaw (CVE-2018-7600)

Mushtik operates in multiple stages, downloading an encrypted payload from the C2 server. The payload installs XMRig and scanning modules that target servers, workstations and routers. It uses Mirai code to encrypt the configuration of its payload and scanning modules.
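As a defender-side illustration of the infection chain just described (added here, not part of the advisory), the Python below flags host telemetry that matches it: an outbound IRC connection from a server, a stage-2 fetch from a hidden dot-prefixed web directory, and a miner process. The log format, host names and sample lines are constructed for the example.

```python
"""Flag telemetry consistent with the multi-stage Mushtik chain: IRC C2,
payload download from a hidden web directory, and an XMRig miner process.
The simple 'ts host kind details' log format below is constructed."""
import re

IRC_PORTS = {6667, 6668, 6669, 6697}          # common IRC service ports
# Dot-prefixed directory in a URL path (style seen in the advisory's IoCs)
HIDDEN_DIR = re.compile(r"https?://[^/\s]+/\.[^/\s]+/\S+")
MINER_NAMES = {"xmrig"}

# Constructed sample lines (documentation IP ranges, hypothetical hosts).
SAMPLE_LOG = """\
2020-12-08T10:00:01 web01 conn 203.0.113.10 443
2020-12-08T10:00:05 web01 http http://198.51.100.7/.x/stage2
2020-12-08T10:00:09 web01 conn 198.51.100.9 6667
2020-12-08T10:00:12 web01 proc xmrig
2020-12-08T10:01:00 web02 http http://203.0.113.20/updates/patch.bin
"""


def classify(line):
    """Return (host, finding) for a suspicious line, else None."""
    parts = line.split(maxsplit=3)
    if len(parts) < 4:
        return None
    _ts, host, kind, rest = parts
    if kind == "conn":
        ip, port = rest.split()
        if int(port) in IRC_PORTS:
            return host, f"outbound IRC to {ip}:{port} (possible C2)"
    elif kind == "http" and HIDDEN_DIR.match(rest):
        return host, f"payload fetch from hidden directory {rest}"
    elif kind == "proc" and rest.strip().lower() in MINER_NAMES:
        return host, f"miner process {rest.strip()}"
    return None


def detect(log):
    """Group findings per host: {host: [finding, ...]}."""
    findings = {}
    for line in log.splitlines():
        hit = classify(line)
        if hit:
            findings.setdefault(hit[0], []).append(hit[1])
    return findings


def high_confidence(findings):
    """Hosts showing two or more stages of the chain warrant an IR ticket."""
    return sorted(h for h, f in findings.items() if len(f) >= 2)


if __name__ == "__main__":
    for host, f in detect(SAMPLE_LOG).items():
        print(host, f)
```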

Impact

Technical Impact

  • User data could be at risk.
  • Cryptomining is a resource-intensive operation that consumes the computational power of the target information systems.
  • Once the attacker hijacks the router, they also take control of the user's traffic.

Business Impact

  • Security incidents lead to business loss, mainly of revenue and reputation.
  • Botnet compromise and the subsequent heavy resource utilization of cryptomining processes limit users' access to the services provided by information systems.
  • The compromise challenges the overall security posture of the business, affecting client relationships.
  • Adverse impact on the confidentiality and integrity of data associated with the organization.


Mitigations

  • Effective vulnerability management of both hardware and software
  • Updated EDR/XDR solutions to detect anomalies on the host system
  • IDPS solutions to thwart the possibility of an attack


Indicators of Compromise

