Aqua Nautilus observed a new Muhstik campaign targeting Apache RocketMQ: the attackers exploit CVE-2023-33246, a remote code execution vulnerability, to download and run the malware on exposed instances. The activity includes inittab-based persistence, command-and-control over IRC, and the DDoS and cryptomining capabilities Muhstik is known for, and Shodan shows thousands of RocketMQ instances reachable from the Internet. #Muhstik #RocketMQ #CVE-2023-33246 #AquaNautilus
Keypoints
- A new Muhstik campaign targets the Apache RocketMQ platform by exploiting CVE-2023-33246.
- Attackers exploit the RocketMQ vulnerability to download and install Muhstik on compromised instances.
- The campaign is analyzed through an attack flow that includes Initial Access, Execution, Persistence, Discovery, Lateral Movement, and C2.
- Muhstik is a Kaiten/Tsunami-family IRC bot historically used for DDoS and cryptomining; the RocketMQ exploit is a new initial-access vector, not a change in what the bot does once installed.
- Payload delivery goes through a shell script (3sh) that uses curl to fetch architecture-specific Muhstik binaries from the same remote server.
- The malware relies on in-memory execution and several persistence and evasion techniques: the pty3 binary is copied into multiple directories and registered in inittab with the respawn action so init restarts it, and the binary is packed.
- Discovery and lateral movement: uname for system information, pidof checks for strace and tcpdump (analysis tooling), and scanning for SSH services with authentication attempts against other machines.
- For C2 the bot resolves the domain p.de-zahlung.eu (51.79.19.53) and then communicates with the server over IRC; several attacker IPs were observed.
- Shodan shows 5,216 Internet-exposed RocketMQ instances worldwide; exposure is not the same as confirmed vulnerability, but it bounds the attack surface and makes patching CVE-2023-33246 urgent.
MITRE Techniques
- [T1190] Exploit Public-Facing Application: exploitation of CVE-2023-33246 in RocketMQ provides initial access and is used to download Muhstik. Quote: "...the attackers proceeded to download the Muhstik malware onto the compromised instances by exploiting a known vulnerability in the platform."
- [T1105] Ingress Tool Transfer: Muhstik payloads are downloaded from a remote server with curl/wget. Quote: "the shell script contains the download of several binaries from the same remote server using the curl command."
- [T1059.004] Unix Shell: commands are executed through the shell (CallShell) to fetch and run payloads. Quote: "As seen in Figure 4, the shell command ... this execution downloads the 3sh shell script."
- [T1543] Create or Modify System Process: persistence by adding inittab respawn entries so init restarts pty3 from every directory it was copied to (parent technique; the T1543 sub-techniques cover launchd, systemd and Windows services, not inittab). Quote: "The attackers used the respawn command to instruct the init process to automatically restart the pty3 process in each directory it was copied to."
- [T1027.002] Obfuscated Files and Information: Software Packing: the binaries are packed, and are combined with legitimate-looking names to avoid detection. Quote: "the Muhstik malware, downloaded as pty3, is detected as packed software... attackers provided the file with the seemingly legitimate name."
- [T1082] System Information Discovery: system details are gathered with uname. Quote: "The attackers queried the machine for details using the uname command to retrieve system information."
- [T1057] Process Discovery: the bot checks for running analysis tools such as strace and tcpdump via pidof. Quote: "It uses the pidof command to check if there is a running process of one of these tools."
- [T1021.001] SSH: lateral movement by scanning for SSH services and attempting authentication. Quote: "The malware has the ability to perform scanning for SSH services and also indicates attempts to authenticate and potentially gain access to other machines over SSH."
- [T1071.004] DNS: the bot resolves its C2 domain through a DNS lookup before connecting; note that this is hostname resolution rather than commands tunnelled over DNS. Quote: "it performs a DNS request towards a malicious domain - 'p.de-zahlung.eu', which resolved to the IP address 51.79.19.53."
- [T1071] Application Layer Protocol: IRC-based C2 channel (IRC is an application-layer protocol, so T1095 Non-Application Layer Protocol does not apply). Quote: "this server is used as a command-and-control server, where the attacker maintains communication with our compromised machine over the IRC protocol."
- [T1036] Masquerading: a legitimate-sounding file name (pty3) is used to evade detection. Quote: "The attackers provided the file with the seemingly legitimate name, which is supposed to evade detection."
Indicators of Compromise
- [IP Address] Attacker IPs: 94.224.82.40, 51.79.19.53, and 2 more IPs
- [Domain] IRC/Command-and-Control: p.de-zahlung.eu, p.shadow-mods.net, and 2 more domains
- [SHA256] Muhstik binaries: 9e28f942262805b5fb59f46568fed53fd4b7dbf6faf666bedaf6ff22dd416572, 1f9cda58cea6c8dd07879df3e985499b18523747482e8f7acd6b4b3a82116957, and 4 more hashes
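Turning the inittab persistence mechanism and the indicators listed above into something a responder can run on a suspect host: the following Python is an added illustration, not code from the Aqua Nautilus post or from Muhstik. It assumes a SysV-style /etc/inittab, a generic one-query-per-line DNS log, and `sha256sum` output as its inputs; the scratch-directory list and all sample inputs are constructed for the example, and only the two domains and two hashes the page spells out are included.

```python
"""Host triage helpers for the Muhstik/RocketMQ campaign summarised above.

Added illustration, not Aqua Nautilus code. It checks three things the page
describes: /etc/inittab "respawn" entries that restart a binary from a scratch
directory (the pty3 persistence), DNS query log lines naming the listed C2
domains, and sha256sum output matched against the listed hashes. All inputs
are small constructed samples so the script runs offline.
"""

# Indicators copied from the page; the "and N more" entries are not listed there.
IOC_DOMAINS = {"p.de-zahlung.eu", "p.shadow-mods.net"}
IOC_SHA256 = {
    "9e28f942262805b5fb59f46568fed53fd4b7dbf6faf666bedaf6ff22dd416572",
    "1f9cda58cea6c8dd07879df3e985499b18523747482e8f7acd6b4b3a82116957",
}

# Assumption: the page says pty3 was copied to several directories but does not
# list them, so these are common world-writable scratch locations on Linux.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/var/lock/", "/var/run/")


def parse_inittab(text):
    """Yield (id, runlevels, action, process) for every non-comment inittab line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 3)  # id:runlevels:action:process (process may hold ':')
        if len(fields) == 4:
            yield tuple(fields)


def suspicious_respawns(inittab_text):
    """Return (id, command) for respawn entries whose binary lives in a scratch dir."""
    hits = []
    for ident, _runlevels, action, process in parse_inittab(inittab_text):
        argv = process.split()
        if action == "respawn" and argv and argv[0].startswith(SCRATCH_DIRS):
            hits.append((ident, argv[0]))
    return hits


def match_dns_log(log_text):
    """Return (line_number, name) for lines that query an IOC domain or a subdomain of one."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        for token in line.split():
            name = token.strip("()[],;:\"'").lower().rstrip(".")
            if "." not in name:
                continue
            if name in IOC_DOMAINS or any(name.endswith("." + d) for d in IOC_DOMAINS):
                hits.append((number, name))
    return hits


def match_hashes(sha256sum_output):
    """Return (path, digest) pairs from `sha256sum` output whose digest is a listed IOC."""
    hits = []
    for line in sha256sum_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, path = parts[0].lower(), parts[1].lstrip("*")  # '*' marks binary mode
        if digest in IOC_SHA256:
            hits.append((path, digest))
    return hits


def triage(inittab_text, dns_log_text, sha256sum_output):
    """Run all three checks and return the findings keyed by check name."""
    return {
        "respawn": suspicious_respawns(inittab_text),
        "dns": match_dns_log(dns_log_text),
        "hashes": match_hashes(sha256sum_output),
    }


# Constructed samples (not captured from a real host).
SAMPLE_INITTAB = """\
# /etc/inittab (constructed sample)
id:3:initdefault:
si::sysinit:/etc/init.d/rcS
1:2345:respawn:/sbin/getty 38400 tty1
# the two entries below mimic the persistence described on the page
p1:2345:respawn:/dev/shm/pty3
p2:2345:respawn:/var/tmp/pty3
"""

SAMPLE_DNS_LOG = """\
2024-06-06T10:15:01Z client 10.0.0.5 query: apache.org IN A
2024-06-06T10:15:02Z client 10.0.0.5 query: p.de-zahlung.eu IN A
2024-06-06T10:15:03Z client 10.0.0.9 query: cdn.example.net IN A
2024-06-06T10:15:04Z client 10.0.0.5 query: p.shadow-mods.net IN A
"""

SAMPLE_SHA256SUM = """\
9e28f942262805b5fb59f46568fed53fd4b7dbf6faf666bedaf6ff22dd416572  /dev/shm/pty3
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  /var/tmp/empty
"""

if __name__ == "__main__":
    for check, findings in triage(SAMPLE_INITTAB, SAMPLE_DNS_LOG, SAMPLE_SHA256SUM).items():
        print(f"{check}: {findings}")
```

On a real host feed it `cat /etc/inittab`, the resolver's query log, and `find /tmp /var/tmp /dev/shm -type f -exec sha256sum {} +`. Treat a respawn entry pointing into a scratch directory as the strongest signal: the page notes the binaries are packed and renamed, so hash matches will miss rebuilt samples, and a clean hash check does not clear the box.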
Read more: https://www.aquasec.com/blog/muhstik-malware-targets-message-queuing-services-applications