Muhstik Botnet Detection: Infamous Gang Resurfaces with New Behavior Attacking Redis Servers

[post-views]
March 29, 2022 · 3 min read

The Muhstik botnet has been around since 2018, continuously expanding the map of its victims, hitting new services and platforms, and diversifying its range of attacks, including coin mining activities, staging DDoS attacks, or exploiting the infamous vulnerabilities in the Log4j Java library. This time, the notorious malware gang has been actively exploiting a Lua sandbox escape vulnerability in Redis, tracked as CVE-2022-0543.

Detect Muhstik Botnet Attacks

Detect whether your system was compromised by Muhstic adversaries with the following rule provided by our top-tier Threat Bounty developer Emir Erdogan. The rule detects downloading and execution attempts of Muhstik botnet via process creation logs:

Muhstik Botnet Targets Redis Servers (via process_creation)

This detection has translations for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, Graylog, Regex Grep, RSA NetWitness, Microsoft Defender ATP, Apache Kafka ksqlDB, and Open Distro.

The rule is aligned with the latest MITRE ATT&CK® framework v.10, addressing the Resource Development and Command and Control tactics with Acquire Infrastructure (T1583) and Ingress Tool Transfer (T1105) as the main techniques.

Press View All button to check the full list of detections associated with the Muhstik gang and available in the Threat Detection Marketplace repository of the SOC Prime’s platform.

Eager to connect with the industry leaders and develop your own content? Join SOC Prime’s crowdsourced initiative as a content contributor and share your own Sigma and YARA rules with the global cybersecurity community while strengthening collaborative cyber defense worldwide.

View Detections Join Threat Bounty

Muhstik Botnet Analysis

Muhstik gang is leveraging the new Redis sandbox escape flaw, affecting users who run Redis on Debian, Ubuntu, and other Debian-based distros. The vulnerability in question was spotted last month, tracked as CVE-2022-0543, and rated 10 out of 10 for severity. The patch is available in Redis package version 5.6.0.16.-1.

Clients give commands to a Redis server over a socket, and the server responds by changing its state. Redis’ scripting engine is in the Lua programming language, which can be accessed using the eval command. The Lua engine should be sandboxed, which means that clients should be able to communicate with Redis APIs from Lua but not be able to run arbitrary code on the computer where Redis is operating. The CVE-2022-0543 flaw enables adversaries to run arbitrary Lua scripts and escape the Lua sandbox to perform remote code execution on the target host. Then Muhstik hackers fetch a malicious shell script “russia.sh” from a remote server, which will further download and execute botnet binaries (variants of Muhstik bot) from another server.

Join SOC Prime’s Detection as Code platform to leverage the power of a collaborative defense approach and reap recurring rewards. Additionally, in the light of the Russian invasion of Ukraine and the rising number of state-sponsored cyber-attacks traced back to Russia, SOC Prime has unlocked a large collection of free Sigma rules available in our Detection as Code platform. The rules help cyber defense practitioners to detect the malicious activity of Russia-backed APT organizations, covering the most common tactics, techniques, and procedures (TTPs) of the affiliated adversaries.

Table of Contents

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts