Muhstik botnet exploits Apache RocketMQ flaw to expand DDoS attacks

06 June 2024 | Press release | Botnet/DDoS attack

The Distributed Denial-of-Service (DDoS) botnet known as Muhstik has been observed exploiting a now-patched vulnerability in Apache RocketMQ to take over vulnerable servers and expand its reach.

“Muhstik is a known threat targeting IoT devices and Linux-based servers and is notorious for its ability to infect devices and use them to mine cryptocurrencies and launch distributed denial-of-service (DDoS) attacks,” cloud security company Aqua said in a report published this week.

Attack campaigns using this malware were first documented in 2018 and have always exploited known security vulnerabilities to spread, particularly in connection with web applications.

The latest addition to the list of exploited vulnerabilities is CVE-2023-33246 (CVSS score: 9.8), a critical vulnerability in Apache RocketMQ that allows a remote, unauthenticated attacker to achieve remote code execution by forging RocketMQ protocol content or by using the update configuration function.


Once the vulnerability has been successfully exploited to gain initial access, the threat actor executes a shell script hosted on a remote IP address which is then responsible for retrieving the Muhstik binary (“pty3”) from another server.

“After gaining the ability to upload the malicious payload by exploiting the RocketMQ vulnerability, the attacker can execute their malicious code that downloads the Muhstik malware,” said security researcher Nitzan Yaakov.

Persistence on the host is achieved by copying the malware binary into multiple directories and editing the /etc/inittab file – which controls which processes should be started when a Linux server boots – to automatically restart the process.

Furthermore, naming the binary “pty3” is likely an attempt to disguise it as a pseudoterminal (“pty”) and thus evade detection. A second evasion technique is that, during the persistence phase, the malware is copied into directories such as /dev/shm, /var/tmp, /run/lock and /run, which allows it to be executed directly from memory and leaves no trace on disk.
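A host-side check for the two persistence traits just described (an /etc/inittab entry that respawns the binary, and executables dropped into the named memory-backed or temporary directories), written as an added example for this article rather than code from Aqua's report; the inittab content is a constructed sample, and the directory list and the “pty3” name are taken from the text above.

```python
#!/usr/bin/env python3
"""Check a Linux host for the Muhstik persistence pattern: an /etc/inittab
entry (format id:runlevels:action:process) that runs a binary out of a
drop directory or a binary named "pty3", plus executables sitting in
those drop directories."""
import os
import stat

# Directories the report names as drop locations for the binary.
DROP_DIRS = ("/dev/shm", "/var/tmp", "/run/lock", "/run")
SUSPECT_NAME = "pty3"

# Constructed sample inittab content (not taken from a real host).
SAMPLE_INITTAB = """\
id:3:initdefault:
si::sysinit:/etc/init.d/rcS
1:2345:respawn:/sbin/getty 38400 tty1
pt:2345:respawn:/dev/shm/pty3
"""


def suspicious_inittab_entries(text: str) -> list[str]:
    """Return inittab lines whose process field starts a program located in
    a drop directory or whose program is named like the Muhstik sample."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 3)
        if len(fields) < 4 or not fields[3].split():
            continue  # no process field (e.g. initdefault)
        cmd = fields[3].split()[0]
        in_drop_dir = any(cmd.startswith(d + "/") for d in DROP_DIRS)
        if in_drop_dir or os.path.basename(cmd) == SUSPECT_NAME:
            hits.append(line)
    return hits


def executables_in_drop_dirs(dirs=DROP_DIRS) -> list[str]:
    """List regular files with an execute bit directly under the given
    directories; a normal host rarely keeps executables there."""
    found = []
    for d in dirs:
        try:
            names = os.listdir(d)
        except OSError:
            continue  # directory absent or unreadable on this host
        for name in names:
            path = os.path.join(d, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
                found.append(path)
    return found
```

Run on a live host by reading /etc/inittab and calling both functions; an empty result from each is the expected state.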

Muhstik is equipped with features to collect system metadata, move laterally to other devices via Secure Shell (SSH), and ultimately connect to a command-and-control (C2) domain to receive further instructions over the Internet Relay Chat (IRC) protocol.

The ultimate goal of the malware is to weaponize the infected devices to carry out various types of flooding attacks against targets of interest, overwhelming their network resources and causing a denial-of-service condition.

More than a year after the vulnerability was disclosed, 5,216 vulnerable instances of Apache RocketMQ are still available on the Internet, making it imperative for organizations to take steps to update to the latest version to mitigate potential threats.


“In addition, cryptomining activity has been detected in previous campaigns after the Muhstik malware was executed,” Yaakov said. “These goals go hand in hand as the attackers seek to spread and infect more machines, which will help them in their mission to mine more cryptocurrency using the electrical energy of the compromised machines.”

The disclosure comes after AhnLab Security Intelligence Center (ASEC) revealed that poorly secured MS SQL servers are being targeted by threat actors using various types of malware ranging from ransomware and remote access Trojans to proxyware.

“Administrators must use hard-to-guess passwords for their accounts and change them regularly to protect the database server from brute-force and dictionary attacks,” ASEC said. “They must also install the latest patches to prevent vulnerability attacks.”
