Researchers with Lacework have published new findings on Muhstik, the long-active botnet currently employing several web application exploits to mine cryptocurrency and target Oracle WebLogic and Drupal. The botnet is monetized via XMRig, cgmining and with DDoS attack services.
Lacework researchers note: “Muhstik leverages IRC for its command and control and has consistently used the same infrastructure since its inception. The primary method of propagation for IoT devices is via home routers however there are multiple attempted exploits for Linux server propagation. Targeted routers include GPON home router, DD-WRT router, and the Tomato router… (its activities are) tied to cryptomining and Linux backdoors.
Lacework\\\\\\\’s analysis of the Muhstik botnet is interesting on several levels, especially in its command and control infrastructure. Internet Relay Chat (IRC) has been largely forgotten in this day of myriad web and application based chat options, but was once the method of choice for botnet control. The Muhstik authors have gone old school here, while targeting IoT devices, cloud servers, and home routers.
The fact that this botnet has remained in operation for over two years shows how hard it can be to effectively contain and eradicate these threats. Fortunately, it is relatively easy to identify and disrupt this botnet\\\\\\\’s C2 traffic. Simple firewall rules can stop traffic to identified C2 nodes, while security analytics can easily detect the behaviors associated with an infected host or the botnet\\\\\\\’s spread.