Cloud Threat Advisory: Muhstik Botnet Strikes Again

Muhstik is a threat family that the Blue Hexagon Threat Labs has been following closely for the past several months as we are seeing a spike in cloud-based services being targeted. We have seen this threat group focus on the distribution and mining of digital cryptocurrencies, but their real source of income is “DDoS-for-hire” (Targeting services from Amazon, Azure and Alibaba cloud)

Their approach is simple: 

Step1 – Infect IoT devices: once they have an army of compromised devices that they control

Step2 – Target cloud-based infrastructure and  services as well as websites and web applications

Muhstik has been exploiting vulnerabilities in web applications such as CVE-2019-2725 and CVE-2017-10271 in Oracle WebLogic and CVE-2018-7600 in Drupal. Since the malware targets Linux servers, it can gain a foothold in both IoT devices as well as public cloud servers.

Blue Hexagon Threat Analysis

Blue Hexagon has discovered a new campaign associated with Muhstik, a threat family that was previously associated with targeting cloud services. The threat is targeting Linux-based services and devices.

When this threat was first seen on VirusTotal less than 30% of the security vendors had detected it as malicious:

Low VirusTotal detection rate on Day 0

File Details :

File Type:ELF 32-bit 
6370939d4ff51b934b7a2674ee7307ed06111ab3b896a8847d16107558f58e5bLSB executable, ARM, EABI5 version 1 (SYSV), statically linked, for GNU/Linux 2.6.26 stripped

Dynamic Analysis :

This part of the analysis is based on Memory Diff Analysis against clean and infected memory images using Volatility Framework. Once executed, the malware starts another process with the new name “v4lbtmhals36tl8 ”.

The ELF file listens locally on port 59000/TCP and establishes connections to IP address “” on port 8080 using IRC Protocol.

The malware IRC communication Protocol clearly shows a “muhstik” Bot variant .

SSH activities on range “132.” seen after the bot command to start SSH scanning  . 

Static Analysis :

Inspecting the file shows that the ELF file is packed with UPX packers without having the UPX headers . This technique is used by the attacker to avoid unpacking the file easily.

Fixing the UPX header within the file tools 3 steps to be able to unpack the ELF easily :

  • Modify the UPX header at file offset 0x00000078 from 0A000000 to 55505821
  • Remove 13 bytes from file offset 0x000C3B97.
  • Add 55505821 in place of the 13 removed bytes at file offset 0x000C3B97

The file can easily be unpack using the upx tool .

Unpacked File details :

File Type:ELF 32-bit 
cd893683e4a44f048da81ea6be8b1532904a287a1f333e4d3091759302178f26LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, for GNU/Linux 2.6.26 stripped

The list of commands accepted from the Command and Control server :

  • flooding attacks
  • download files to the infected machine
  • SSH brute forcing
  • shell commands
  • IRC commands

Also, the malware  checks if only one instance is running in the target host by checking the lock file “.bawtz” in set of directories :

  • /dev/shm/
  • /var/tmp/
  • /var/lock/
  • /var/run/
  • /var/run/
  • /tmp/

The malware creates crontab entries to persist in the machine .

crontab -l | grep %s | grep -v \”no cron\” || (crontab -l ; echo \”* * * * * %s > /dev/null 2>&1 &\”) | crontab –

The bot has the capability of performing SSH login brute force attacks using wordlist to attack default login

After a successful SSH login attempt the instruction below will be executed using HTTP URL and TFTP by C&C via IRC probably to download additional files .

Detection with Blue Hexagon Agentless Runtime AI Security

Known/Unknown Malware: Blue Hexagon Deep Learning platform proactively detected the ELF file associated with this threat with models that were created months before the threat was created. This is because deep learning models can uncover patterns of malintent expressed in malicious code and are an order of magnitude better at detecting new malware compared to traditional threat analysis. 

Command and Control: Blue Hexagon Agentless Cloud Security provides full visibility into network activity and can identify unusual connections like those happening over IRC. An agentless deployment approach makes sure that all connections are being analyzed without requiring the deployment of agents on Linux servers.

Unauthorized Activity: Blue Hexagon provides detection of brute force attacks over SSH and unusual scanning activity.

Indicators of Compromise


6370939d4ff51b934b7a2674ee7307ed06111ab3b896a8847d16107558f58e5b (Packed)

cd893683e4a44f048da81ea6be8b1532904a287a1f333e4d3091759302178f26 (Unpacked)

IP Address:

Questions? How to Contact Blue Hexagon Threat Experts

If you have any questions or need assistance to determine whether your current security controls can surface the attack and IoCs described above and how to bolster your security stack, please contact Blue Hexagon Security Experts by email at  or online at and let us know how we can help and get in touch with you.

PS: You may like to bookmark this blog post for future reference as we continue to add further research on this attack.

Additional Resources:

You may like to also read related threat advisories and research:

Threat Advisory: Microsoft Exchange Server including CVE-2021-24085, 26855, 26857, 26858, and 27065

Threat Advisory: New PoC exploit for Exchange SSRF CVE-2021-26855

Ransomware Families and Variants are in Abundance