Muhstik is a threat family that Blue Hexagon Threat Labs has been following closely for the past several months, as we are seeing a spike in attacks on cloud-based services. We have seen this threat group focus on the distribution and mining of cryptocurrency, but its real source of income is “DDoS-for-hire”, targeting services hosted on Amazon, Azure and Alibaba cloud.
Their approach is simple:
Step 1 – Infect IoT devices until they control an army of compromised devices.
Step 2 – Use that army to target cloud-based infrastructure and services, as well as websites and web applications.
Muhstik has been exploiting vulnerabilities in web applications such as CVE-2019-2725 and CVE-2017-10271 in Oracle WebLogic and CVE-2018-7600 in Drupal. Since the malware is built for Linux, it can gain a foothold on IoT devices as well as on public cloud servers.
Blue Hexagon Threat Analysis
Blue Hexagon has discovered a new campaign associated with Muhstik, a threat family that was previously associated with targeting cloud services. The threat is targeting Linux-based services and devices.
When this threat was first seen on VirusTotal, fewer than 30% of the security vendors had flagged it as malicious.
File Details:
File Type: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, for GNU/Linux 2.6.26, stripped
SHA256: 6370939d4ff51b934b7a2674ee7307ed06111ab3b896a8847d16107558f58e5b
Dynamic Analysis:
This part of the analysis is based on a memory diff of clean and infected memory images using the Volatility Framework. Once executed, the malware spawns another process under the new name “v4lbtmhals36tl8”.
The ELF file listens locally on port 59000/TCP and connects to IP address “22.214.171.124” on port 8080/TCP, speaking the IRC protocol over that non-standard port.
The malware's IRC traffic clearly identifies it as a “muhstik” bot variant.
SSH scanning activity against the “132.” address range was observed after the bot received the command to start SSH scanning.
Static Analysis:
Inspecting the file shows that the ELF is packed with UPX, but the UPX magic (“UPX!”, bytes 55 50 58 21) has been stripped from the headers. The attacker uses this technique to keep the file from being unpacked trivially, since the stock upx tool refuses files whose magic is missing.
Restoring the UPX magic takes three steps, after which the ELF unpacks easily:
- Modify the four bytes at file offset 0x00000078 from 0A 00 00 00 to 55 50 58 21 (“UPX!”).
- Remove 13 bytes at file offset 0x000C3B97.
- Write 55 50 58 21 (“UPX!”) at file offset 0x000C3B97 in place of the 13 removed bytes.
The file can then be unpacked with the standard upx tool (upx -d).
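The three patch steps above, as an added Python example (this is not Blue Hexagon's tooling and it has not been run against the real sample): it writes “UPX!” back at the two offsets the write-up gives, refuses to proceed if the bytes at 0x78 are not the expected 0A 00 00 00, and shrinks the file by 9 bytes at the second location as the steps require. The stand-in buffer it builds for the demo is constructed for this example and only mimics the byte pattern at those offsets; on the real file, run it as `restore_upx.py packed.bin fixed.bin` and then `upx -d fixed.bin`.

```python
"""Restore the stripped UPX magic so that `upx -d` will accept the sample.

Added example (not Blue Hexagon's tooling). The offsets, the original bytes at
offset 0x78 and the 13-byte length are taken from the write-up; the stand-in
buffer used for the demo is constructed here and is not the real ELF.
"""
import sys
from typing import List

UPX_MAGIC = b"UPX!"                 # 55 50 58 21
HEADER_OFF = 0x78                   # first (stripped) magic location
HEADER_ORIG = b"\x0a\x00\x00\x00"   # bytes the write-up reports at 0x78
TRAILER_OFF = 0xC3B97               # second location: 13 bytes become "UPX!"
TRAILER_LEN = 13


def restore_upx_magic(data: bytes, header_off: int = HEADER_OFF,
                      header_orig: bytes = HEADER_ORIG,
                      trailer_off: int = TRAILER_OFF,
                      trailer_len: int = TRAILER_LEN) -> bytes:
    """Return a copy of `data` with both UPX magics written back.

    Refuses to patch if the bytes at header_off are not the ones the write-up
    reports, so the patch is not applied blindly to an unrelated file.
    """
    got = data[header_off:header_off + 4]
    if got != header_orig:
        raise ValueError(f"unexpected bytes at 0x{header_off:x}: "
                         f"{got.hex()} (expected {header_orig.hex()})")
    if trailer_off + trailer_len > len(data):
        raise ValueError("file too small for the trailer patch")

    buf = bytearray(data)
    buf[header_off:header_off + 4] = UPX_MAGIC
    # 13 bytes replaced by 4: the file shrinks by 9 bytes and everything
    # after the trailer shifts left accordingly.
    buf[trailer_off:trailer_off + trailer_len] = UPX_MAGIC
    return bytes(buf)


def find_upx_magic(data: bytes) -> List[int]:
    """Every offset at which "UPX!" occurs (for a before/after check)."""
    offsets, pos = [], data.find(UPX_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(UPX_MAGIC, pos + 1)
    return offsets


def make_stub_sample() -> bytes:
    """Constructed stand-in with the same byte pattern at the two offsets."""
    buf = bytearray(TRAILER_OFF + TRAILER_LEN + 16)
    buf[:4] = b"\x7fELF"
    buf[HEADER_OFF:HEADER_OFF + 4] = HEADER_ORIG
    buf[TRAILER_OFF:TRAILER_OFF + TRAILER_LEN] = b"\xcc" * TRAILER_LEN
    buf[TRAILER_OFF + TRAILER_LEN:] = b"TAIL" + b"\x00" * 12   # data that must survive the shift
    return bytes(buf)


if __name__ == "__main__":
    if len(sys.argv) == 3:          # real use: restore_upx.py packed.bin fixed.bin
        with open(sys.argv[1], "rb") as f:
            patched = restore_upx_magic(f.read())
        with open(sys.argv[2], "wb") as f:
            f.write(patched)
    else:                           # demo on the constructed stand-in
        patched = restore_upx_magic(make_stub_sample())
    print("UPX magic now at offsets:", [hex(o) for o in find_upx_magic(patched)])
```

The offsets are specific to this sample; for another Muhstik build, locate the damaged header with the ELF program headers and the trailer at the end of the packed data before reusing the patcher.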
Unpacked File details:
File Type: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, for GNU/Linux 2.6.26, stripped
SHA256: cd893683e4a44f048da81ea6be8b1532904a287a1f333e4d3091759302178f26
The commands accepted from the command and control server:
- flooding attacks
- download files to the infected machine
- SSH brute forcing
- shell commands
- IRC commands
The malware also ensures that only one instance is running on the target host by checking for the lock file “.bawtz” in a set of directories.
The malware creates a crontab entry to persist on the machine. The command it runs is a format string in which each %s is filled in at runtime with the path of the bot; it first checks whether an entry already exists and only appends one if not:
crontab -l | grep %s | grep -v "no cron" || (crontab -l ; echo "* * * * * %s > /dev/null 2>&1 &") | crontab -
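A check for that persistence entry over the text that `crontab -l` prints, added here as an example (not Blue Hexagon's detection logic): it flags every-minute jobs that also silence their output the way the bot's echo string does, or that run from a temp or hidden directory. An every-minute job on its own is not enough to fire, since legitimate ones exist. The sample crontab and the `/tmp/.cache/v4lbtmhals36tl8` path in it are constructed for this example; the write-up does not give the real install path.

```python
"""Flag crontab lines that look like Muhstik's persistence entry.

Added example, not Blue Hexagon's detection logic. Works on the text of
`crontab -l`; SAMPLE_CRONTAB and the bot path in it are constructed.
"""
import re
from typing import Dict, List

# Five stars: runs every minute of every day
EVERY_MINUTE = re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*\s+(?P<cmd>.+)$")
# Output discarded and job backgrounded, as in the bot's echo string
SILENCED = re.compile(r">\s*/dev/null\s+2>&1\s*&?\s*$")
# Binaries in world-writable temp dirs or hidden path components
SUSPECT_DIR = re.compile(r"^(/tmp|/var/tmp|/dev/shm)/|/\.[^/\s]+")

SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1
* * * * * /tmp/.cache/v4lbtmhals36tl8 > /dev/null 2>&1 &
* * * * * /usr/bin/uptime >> /var/log/uptime.log
"""


def scan_crontab(text: str) -> List[Dict]:
    """Return one finding per suspicious line, with the reasons it fired."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = EVERY_MINUTE.match(line)
        if not m:
            continue
        cmd = m.group("cmd")
        reasons = ["runs every minute"]
        if SILENCED.search(cmd):
            reasons.append("output discarded to /dev/null")
        if SUSPECT_DIR.search(cmd):
            reasons.append("binary in temp or hidden directory")
        # Require a second signal beyond the schedule to keep noise down
        if len(reasons) >= 2:
            findings.append({"line": lineno, "command": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {f['line']}: {f['command']}\n  " + "; ".join(f["reasons"]))
```

Run it against every user's crontab (`crontab -l -u <user>`) and the system files under /etc/cron.d, since the bot installs into the crontab of whichever account it runs as.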
The bot can perform SSH login brute-force attacks using a wordlist of default credentials.
After a successful SSH login, the instruction below is executed; it fetches content over an HTTP URL and TFTP, as directed by the C&C over IRC, probably to download additional files.
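Detection of that SSH brute forcing from the victim's side, as an added example (not Blue Hexagon's product logic): it parses sshd lines from auth.log, flags any source that fails at least five logins within sixty seconds, and records whether an accepted login from the same source followed the burst, which is the case a responder should triage first. The log lines are constructed for this example and use documentation IP ranges; the year is an assumption, because syslog timestamps carry none.

```python
"""Spot SSH password-guessing bursts in auth.log and whether one succeeded.

Added example, not Blue Hexagon's detection logic. SAMPLE_AUTH_LOG is
constructed (documentation IP ranges); the year is assumed.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

SAMPLE_AUTH_LOG = """\
Apr  2 10:15:01 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 41022 ssh2
Apr  2 10:15:03 web1 sshd[2213]: Failed password for root from 203.0.113.7 port 41030 ssh2
Apr  2 10:15:05 web1 sshd[2215]: Failed password for invalid user admin from 203.0.113.7 port 41041 ssh2
Apr  2 10:15:08 web1 sshd[2217]: Failed password for invalid user pi from 203.0.113.7 port 41055 ssh2
Apr  2 10:15:10 web1 sshd[2219]: Failed password for root from 203.0.113.7 port 41062 ssh2
Apr  2 10:15:12 web1 sshd[2221]: Failed password for root from 203.0.113.7 port 41077 ssh2
Apr  2 10:15:20 web1 sshd[2240]: Accepted password for root from 203.0.113.7 port 41090 ssh2
Apr  2 10:16:02 web1 sshd[2250]: Failed password for alice from 198.51.100.9 port 50122 ssh2
Apr  2 10:16:09 web1 sshd[2252]: Accepted publickey for alice from 198.51.100.9 port 50130 ssh2
"""


def parse_ts(ts: str, year: int = 2020) -> datetime:
    """Syslog timestamp ("Apr  2 10:15:01") to datetime; the year is an assumption."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def detect_ssh_bruteforce(log_text: str, threshold: int = 5,
                          window_s: int = 60) -> List[Dict]:
    """One finding per source IP with >= threshold failures inside window_s seconds."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events[m["ip"]].append((parse_ts(m["ts"]), m["result"], m["user"]))

    findings = []
    for ip, evs in events.items():
        evs.sort()
        fails = [t for t, result, _ in evs if result == "Failed"]
        # Sliding window: the earliest run of `threshold` failures within window_s
        burst_start = next(
            (fails[i] for i in range(len(fails) - threshold + 1)
             if (fails[i + threshold - 1] - fails[i]).total_seconds() <= window_s),
            None,
        )
        if burst_start is None:
            continue
        # A success from the same source once the burst began is the priority case
        accepted = [t for t, result, _ in evs if result == "Accepted" and t >= burst_start]
        findings.append({
            "ip": ip,
            "failed": len(fails),
            "users": sorted({u for _, result, u in evs if result == "Failed"}),
            "accepted_after_burst": bool(accepted),
        })
    return findings


if __name__ == "__main__":
    for f in detect_ssh_bruteforce(SAMPLE_AUTH_LOG):
        print(f)
```

The single failed login from 198.51.100.9 followed by a public-key success is the normal typo case and is not reported; the burst from 203.0.113.7 that ends in an accepted password for root is.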
Detection with Blue Hexagon Agentless Runtime AI Security
Known/Unknown Malware: The Blue Hexagon deep learning platform proactively detected the ELF file associated with this threat using models that were created months before the threat appeared. Deep learning models can uncover patterns of malicious intent expressed in the code itself, and are an order of magnitude better at detecting new malware than traditional threat analysis.
Command and Control: Blue Hexagon Agentless Cloud Security provides full visibility into network activity and can identify unusual connections like those happening over IRC. An agentless deployment approach makes sure that all connections are being analyzed without requiring the deployment of agents on Linux servers.
Unauthorized Activity: Blue Hexagon provides detection of brute force attacks over SSH and unusual scanning activity.
Indicators of Compromise
Questions? How to Contact Blue Hexagon Threat Experts
If you have any questions, or need assistance determining whether your current security controls can surface the attack and IoCs described above and how to bolster your security stack, please contact Blue Hexagon Security Experts by email at firstname.lastname@example.org or online at https://bluehexagon.ai/contact/ and let us know how we can help.
PS: You may like to bookmark this blog post for future reference as we continue to add further research on this attack.
You may like to also read related threat advisories and research: