Muhstik is a variant of the Tsunami (also known as Kaiten) IRC botnet observed in campaigns exploiting CVE-2018-7600, the Drupal remote code execution vulnerability known as Drupalgeddon 2. Muhstik retains Tsunami's original DDoS functionality and adds the ability to open reverse shells and to propagate over SSH. It is also used to implant the XMRig cryptocurrency miner on compromised hosts.
- Once compromised, the server connects to the attacker's IRC server and issues an IRC JOIN for the channel #muhstik.
- The attacker sends commands to the compromised server as IRC private messages (PRIVMSG addressed to the bot's nick rather than to the channel).
- The compromised server replies with IRC NOTICE messages to signal the start and completion of each action.
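The three behaviours above can be checked directly against captured IRC traffic. The following is an added example, not an Alert Logic signature and not Muhstik's own code: it parses raw IRC lines and reports the JOIN, private-message command and NOTICE reply stages in order, only counting a later stage once the earlier one has been seen, so a single PRIVMSG on an ordinary IRC server does not fire. The session at the bottom is constructed for illustration; the nicknames, hostnames and command text are assumptions, not real Muhstik indicators.

```python
"""Detection logic for the Muhstik IRC command channel (added example)."""
import re

C2_CHANNEL = "#muhstik"  # channel named in the advisory text

# One IRC line: [":" prefix SPACE] command [SPACE params] [SPACE ":" trailing]
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) )?"
    r"(?P<cmd>[A-Za-z]+|\d{3})"
    r"(?: (?P<params>[^:]*?))?"
    r"(?: :(?P<trailing>.*))?$"
)


def parse_irc(raw):
    """Split one raw IRC line into (prefix, command, params, trailing), or None if malformed."""
    m = IRC_LINE.match(raw.strip("\r\n"))
    if not m:
        return None
    params = m.group("params").split() if m.group("params") else []
    return (m.group("prefix") or "", m.group("cmd").upper(), params, m.group("trailing") or "")


def _is_private_target(target):
    # IRC channel names begin with # & + or !; any other target is a nick, i.e. a private message.
    return bool(target) and target[0] not in "#&+!"


def detect_muhstik_c2(session):
    """Walk a session of (direction, raw_line) pairs, where direction is "out"
    (victim -> IRC server) or "in" (IRC server -> victim).

    Returns the C2 stages observed, in order, as (stage, detail) tuples:
      ("join", <raw JOIN line>)        victim joined #muhstik
      ("command", <command text>)      operator PRIVMSG to the bot's nick, after the join
      ("status", <notice text>)        bot NOTICE reply, after a command
    """
    findings = []
    joined = commanded = False
    for direction, raw in session:
        parsed = parse_irc(raw)
        if parsed is None:
            continue
        _prefix, cmd, params, trailing = parsed
        if direction == "out" and cmd == "JOIN":
            # JOIN may list several comma-separated channels, as a param or as trailing text
            chans = ",".join(params + ([trailing] if trailing else [])).lower().split(",")
            if C2_CHANNEL in chans:
                joined = True
                findings.append(("join", raw.strip()))
        elif direction == "in" and cmd == "PRIVMSG" and joined:
            if params and _is_private_target(params[0]):
                commanded = True
                findings.append(("command", trailing))
        elif direction == "out" and cmd == "NOTICE" and commanded:
            findings.append(("status", trailing))
    return findings


def is_muhstik_session(session):
    """True when the full join -> private command -> NOTICE reply sequence is present."""
    stages = {stage for stage, _ in detect_muhstik_c2(session)}
    return {"join", "command", "status"} <= stages


# Constructed sample session (assumed nicks, hosts and command text, not real indicators).
SAMPLE_SESSION = [
    ("out", "NICK bot12345"),
    ("out", "USER bot 0 * :bot"),
    ("in", ":irc.example.test 001 bot12345 :Welcome"),
    ("out", "JOIN #muhstik"),
    ("in", ":bot12345!~bot@10.0.0.7 JOIN :#muhstik"),
    ("in", ":op!op@c2.example.test PRIVMSG bot12345 :!sh id"),
    ("out", "NOTICE op :Starting command"),
    ("out", "NOTICE op :Command complete"),
    ("in", ":op!op@c2.example.test PRIVMSG #muhstik :hello all"),  # channel chatter, not a command
]

if __name__ == "__main__":
    for stage, detail in detect_muhstik_c2(SAMPLE_SESSION):
        print(f"{stage:8s} {detail}")
    print("muhstik C2 session:", is_muhstik_session(SAMPLE_SESSION))
```

Feed the detector with lines reconstructed from a packet capture (for example the payloads of an IRC TCP stream, tagged by direction) and alert when `is_muhstik_session` returns true; the individual `join` finding alone is already a strong indicator, since there is no legitimate reason for a web server to join #muhstik.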
The IRC activity described above is post-compromise behaviour: the attacker must already have exploited an entry vector, such as CVE-2018-7600, to place the malicious files on the victim machine.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to this threat and has developed signatures to detect it, depending on the security service in place.
For customers using Alert Logic Threat Manager™, the network-based Intrusion Detection System (IDS) has been updated with the new signatures for this threat. When a signature fires, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
Because Muhstik needs a separate entry vector to place its files on the victim, keeping that vector closed is the primary defence. Patch Drupal installations against CVE-2018-7600 and ensure that all software on internet-facing hosts is up to date. Since the bot propagates over SSH and is controlled over IRC, also restrict SSH access to internet-facing hosts and monitor or block outbound IRC connections from servers, treating any JOIN of the #muhstik channel as a confirmed compromise.