Muhstik Gang targets Redis Servers | Official Juniper Networks Blogs

Juniper Threat Labs uncovered a Muhstik bot variant that targets Redis servers via CVE-2022-0543, a vulnerability in Redis Debian packages that allows code execution through a Lua sandbox escape. The campaign ties Muhstik activity to prior Confluence and Log4j attacks, deploying a downloader that retrieves Muhstik binaries and hands control over to an IRC-based command-and-control channel. #Muhstik #CVE-2022-0543 #Redis #Debian #JuniperThreatLabs

Key points

  • Muhstik variant specifically targets Redis servers using CVE-2022-0543 in Debian packages to achieve remote code execution.
  • The activity began on March 11, 2022 and is linked to the same actor observed targeting Confluence servers (Sept 2021) and Log4j (Dec 2021).
  • A proof of concept demonstrates escaping the Redis Lua sandbox to execute code, including reading /etc/passwd.
  • The attack chain downloads and executes Muhstik payloads that can perform DDoS and other malicious actions.
  • The attack chain retrieves a downloader script (russia.sh) from a remote host; the script then fetches Muhstik binaries from a second server to expand the bot's capabilities.
  • Command and control is established over IRC to receive commands such as file downloads, shell commands, flood attacks, and SSH brute-force attempts.

MITRE Techniques

  • [T1203] Exploitation for Client Execution – The vulnerability exists in Redis Debian packages and is exploited to run code via Redis and Lua: “This vulnerability exists in some Redis Debian packages.” and “The following is a proof of concept on how to exploit this vulnerability.”
  • [T1059.005] Command and Scripting Interpreter: Lua – The Lua engine is used to execute commands via a sandboxed environment; PoC uses “package.loadlib” and “io.popen” to read files like “/etc/passwd” and execute commands.
  • [T1105] Ingress Tool Transfer – The attacker downloads “russia.sh” from 106.246.224.219 (http://106.246.224.219/russia.sh) and saves it to the host, where it downloads and runs the Muhstik components.
  • [T1095] Non-Application Layer Protocol – The Muhstik bot receives commands over an IRC server, including downloading files, running shell commands, launching flood attacks, and SSH brute-forcing.
  • [T1110] Brute Force – SSH brute-force capability is among the bot's listed commands.
  • [T1499] Denial of Service – Bot capabilities include flood attacks against targets

Indicators of Compromise

  • [IP] Attack sources – 170.210.45.163, 191.232.38.25, and 79.172.212.132
  • [IP] Additional attacker activity – 104.236.150.159, 146.185.136.187, 178.62.69.4, 221.120.103.253
  • [URL] Download URL – http://106.246.224.219/russia.sh
  • [File hash] 4817893f8e724cbc5186e17f46d316223b7683dcbc9643e364b5913f8d2a9197
  • [File hash] 95d1fca8bea30d9629fdf05e6ba0fc6195eb0a86f99ea021b17cb8823db9d78b
  • [File name] russia.sh
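A defender-side check tying together the T1059.005 bullet (Lua sandbox escape via “package.loadlib” / “io.popen”) and the attack-source IPs above: this is an added example, not code from the Juniper Threat Labs post. It parses Redis MONITOR output, flags EVAL scripts that carry the sandbox-escape markers, and flags connections from the listed attack sources. The MONITOR lines are constructed samples, and the Lua in the flagged sample uses placeholders rather than a working script.

```python
import re

# Redis MONITOR line: <unix ts> [<db> <client ip>:<port>] "CMD" "arg1" "arg2" ...
MONITOR_RE = re.compile(
    r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<ip>[\d.]+):(?P<port>\d+)\] (?P<args>.*)$'
)
# Each argument is double-quoted; MONITOR backslash-escapes embedded quotes.
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Lua fragments the page associates with the CVE-2022-0543 sandbox escape
# (package.loadlib is used to reach io/os functions from the sandboxed script).
SANDBOX_ESCAPE_MARKERS = ("package.loadlib", "io.popen", "os.execute")

# Attack-source addresses listed in the page's indicators of compromise.
KNOWN_ATTACK_SOURCES = {"170.210.45.163", "191.232.38.25", "79.172.212.132"}


def parse_monitor_line(line):
    """Return (client_ip, command, args) for one MONITOR line, or None."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    args = [a.replace('\\"', '"') for a in ARG_RE.findall(m.group("args"))]
    if not args:
        return None
    return m.group("ip"), args[0].upper(), args[1:]


def classify(line):
    """List the reasons a MONITOR line is suspicious (empty list = benign)."""
    parsed = parse_monitor_line(line)
    if parsed is None:
        return []
    ip, command, args = parsed
    reasons = []
    # EVAL carries the Lua script as its first argument.
    if command == "EVAL" and args and any(mk in args[0] for mk in SANDBOX_ESCAPE_MARKERS):
        reasons.append("lua_sandbox_escape_attempt")
    if ip in KNOWN_ATTACK_SOURCES:
        reasons.append("known_attack_source")
    return reasons


def scan_monitor(lines):
    """Return one alert dict per flagged MONITOR line, in input order."""
    alerts = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            ip, command, _ = parse_monitor_line(line)
            alerts.append({"ip": ip, "command": command, "reasons": reasons})
    return alerts


# Constructed sample MONITOR output (not captured traffic).
SAMPLE_MONITOR_LINES = [
    '1646982000.000001 [0 10.0.0.12:50412] "GET" "session:abc"',
    '1646982001.000002 [0 170.210.45.163:41022] "EVAL" "local l = package.loadlib(\\"<lib>\\", \\"<fn>\\"); io.popen(\\"id\\")" "0"',
    '1646982002.000003 [0 10.0.0.12:50412] "EVAL" "return redis.call(\\"incr\\", KEYS[1])" "1" "counter"',
    '1646982003.000004 [0 191.232.38.25:41300] "PING"',
]

if __name__ == "__main__":
    for alert in scan_monitor(SAMPLE_MONITOR_LINES):
        print(alert)
```

Feed it live `redis-cli MONITOR` output (or archived copies) to spot sandbox-escape attempts on a Debian-packaged Redis before patching is complete; a benign EVAL that only calls redis.call is not flagged.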

Read more: https://blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers