IoT botnet operators keep adding new scanners and exploits to their ever-expanding arsenal in order to harvest new IoT devices. One popular botnet, Muhstik, has been leveraging several web application exploits and targeting cloud infrastructure.
Researchers have recently published additional analysis of Muhstik's intrusion infrastructure and its possible attribution.
- The Muhstik gang uses a multi-layered attack strategy built around a payload named pty, which downloads the other malicious components and then contacts IRC servers (the botnet's C2 infrastructure) to receive commands.
- The gang deploys the XMRig miner alongside scanning modules that target other Linux servers and home routers; the scanning modules and the encryption of the payload and scanner configurations reuse Mirai source code.
- Home routers, specifically GPON, DD-WRT, and Tomato routers, are its primary propagation targets.
- Muhstik actively exploits web application flaws in Oracle WebLogic Server (CVE-2019-2725 and CVE-2017-10271) and the Drupal RCE vulnerability CVE-2018-7600.
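The three CVEs above are a practical place to start hunting for Muhstik activity, because each exploit hits a distinctive URL. The following detector is an added example, not code from the eScan blog or from the researchers it cites. It scans web-server access logs (Combined Log Format) for the known exploitation endpoints: `/wls-wsat/` (CVE-2017-10271), `/_async/` (CVE-2019-2725) and Drupal's `/user/register` with an `element_parents=...#value` query string (CVE-2018-7600). The log lines are constructed for the example and do not represent real traffic; the `Finding` type and function names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

# Constructed sample access-log lines (Combined Log Format), not real traffic.
# Lines 1-3 are exploitation attempts; lines 4-5 are benign requests.
SAMPLE_LOG = r'''
203.0.113.7 - - [10/Nov/2020:10:01:02 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 322 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2020:10:01:05 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Nov/2020:10:02:11 +0000] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 1843 "-" "python-requests/2.24"
192.0.2.5 - - [10/Nov/2020:10:03:00 +0000] "GET /user/register HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.6 - - [10/Nov/2020:10:03:30 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
'''

# Combined Log Format: client, identd, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)


@dataclass
class Finding:
    src: str
    timestamp: str
    method: str
    target: str
    cve: str


def classify_request(method: str, target: str) -> Optional[str]:
    """Map a request target to the CVE it most likely exercises, or None.

    The path is URL-decoded and lower-cased before matching so that encoded
    or mixed-case variants of the same endpoint are not missed.
    """
    path, _, query = target.partition("?")
    path = unquote(path).lower()
    query = unquote(query)
    # WebLogic WLS-WSAT XMLDecoder deserialization (any method; GET is a probe,
    # POST carries the serialized payload).
    if path.startswith("/wls-wsat/"):
        return "CVE-2017-10271"
    # WebLogic async response service deserialization.
    if path.startswith("/_async/"):
        return "CVE-2019-2725"
    # Drupalgeddon2: Form API render-array injection via the register form.
    # The decoded '%23value' (-> '#value') in element_parents is the tell;
    # a plain GET /user/register is a normal page load.
    if path.startswith("/user/register") and "element_parents=" in query and "#value" in query:
        return "CVE-2018-7600"
    return None


def scan_log(text: str) -> List[Finding]:
    """Return one Finding per log line that matches a known exploit endpoint."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # blank or malformed line
        cve = classify_request(m["method"], m["target"])
        if cve:
            findings.append(Finding(m["src"], m["ts"], m["method"], m["target"], cve))
    return findings


def attacking_sources(findings: List[Finding]) -> List[str]:
    """Distinct source addresses that triggered at least one finding, sorted."""
    return sorted({f.src for f in findings})


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.timestamp}  {f.src:<14} {f.method:<5} {f.cve}  {f.target}")
    print("sources to block/investigate:", attacking_sources(scan_log(SAMPLE_LOG)))
```

A hit on `/wls-wsat/` or `/_async/` on a server that does not run WebLogic is still worth recording: it shows the host is being scanned by a campaign that will also try the other exploits. Pair this with the patch status of the target (WebLogic 10.3.6/12.x and Drupal 7/8 for the listed CVEs) to decide whether a hit is an attempted or a likely successful compromise.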
The botnet has been linked to a Chinese firm, Shen Zhou Wang Yun Information Technology Co., Ltd. A Google Analytics ID and references to the anime character 'Jay' from a game at Jaygame.net are embedded in the Muhstik malware and its infrastructure.
Botnet attacks on IoT devices in recent times
- Last month, a botnet named HEH was being distributed with the capability to wipe all data from infected systems, including routers, servers, and other IoT devices.
- The operators of the InterPlanetary Storm malware released a new variant targeting IoT devices in 84 countries around the world.
Our internal experts suggest that users exercise caution when installing open-source firmware and stay attentive to security updates and patches that safeguard the device. Regular vulnerability scans and prompt patching are also advisable.
To read more, please check eScan Blog