Rewterz Threat Alert – Muhstik Botnet – Active IOCs

Severity

Medium

Analysis Summary

Muhstik malware has been around since 2017, and we assume that it is based on a fork of the Mirai code; it is currently affecting cloud workloads by way of several web application exploits. The botnet is monetized via cryptocurrency mining and DDoS attack services. It targets a wide variety of web applications, including WordPress, Drupal, WebDAV and Oracle's WebLogic application server, as well as an assortment of Internet-of-Things (IoT) and Small Office/Home Office (SOHO) devices. Muhstik uses its botnet to mount sizable distributed denial-of-service (DDoS) attacks, but it will also install several cryptocurrency miners on affected systems.

CVE-2022-0543 – Severity High

Redis could allow a local attacker to execute arbitrary code on the system, caused by a packaging issue that leads to a Lua sandbox escape. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.

Impact

  • Cryptocurrency Mining
  • DDoS

Indicators of Compromise

IP

MD5

SHA-256

SHA-1

Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.

Update to the patched versions of Redis.
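As an added example of the "search for IOCs in your environment" step (not part of the Rewterz alert), the script below refangs indicators written in the alert's defanged "[.]" notation, matches them against log lines, and compares the MD5/SHA-1/SHA-256 of files on disk against a hash set. All indicators, file contents and log lines in it are constructed placeholders, not the alert's real IOCs.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed placeholder indicators written in the alert's defanged "[.]" notation;
# they are not the alert's real IOCs.
DEFANGED_IPS = ["192[.]0[.]2[.]10", "198[.]51[.]100[.]7"]
# Constructed placeholder hashes (SHA-256 of b"sample-dropper", MD5 of b"sample-miner").
HASHES = {
    hashlib.sha256(b"sample-dropper").hexdigest(),
    hashlib.md5(b"sample-miner").hexdigest(),
}

def refang(indicator: str) -> str:
    """Turn defanged notation (1[.]2[.]3[.]4, hxxp://) back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def file_hashes(path: Path) -> set:
    """MD5, SHA-1 and SHA-256 of one file, so any hash type listed in an alert can match."""
    digests = [hashlib.md5(), hashlib.sha1(), hashlib.sha256()]
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for d in digests:
                d.update(chunk)
    return {d.hexdigest() for d in digests}

def find_ip_hits(log_lines, defanged_ips):
    """Return (line_number, ip) for every log line containing a refanged indicator IP."""
    wanted = {refang(i) for i in defanged_ips}
    ip_re = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
    return [(n, ip) for n, line in enumerate(log_lines, 1)
            for ip in ip_re.findall(line) if ip in wanted]

def find_hash_hits(directory: Path, hashes):
    """Return files under directory whose MD5/SHA-1/SHA-256 is in the indicator set."""
    return [p for p in directory.rglob("*") if p.is_file() and file_hashes(p) & hashes]

def demo():
    """Constructed run: one matching file, one clean file, two constructed log lines."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "dropper.bin").write_bytes(b"sample-dropper")
        (root / "clean.txt").write_bytes(b"nothing to see")
        file_hits = [p.name for p in find_hash_hits(root, HASHES)]
    logs = ["Mar 29 10:00:01 web sshd: connection from 10.0.0.5",
            "Mar 29 10:00:07 web nginx: GET /wp-login.php from 192.0.2.10"]
    return file_hits, find_ip_hits(logs, DEFANGED_IPS)
```

Point `find_hash_hits` at a real directory and `find_ip_hits` at real log lines, with the alert's own indicators in place of the placeholders, to run the check for real.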