Muhstik Botnet Exploiting Apache RocketMQ Flaw to Expand DDoS Attacks

June 06, 2024 | Newsroom | Botnet / DDoS Attack

The distributed denial-of-service (DDoS) botnet known as Muhstik has been observed exploiting a recently patched security flaw in Apache RocketMQ to hijack vulnerable servers and expand its scale.


“Muhstik is a widely acknowledged menace aimed at Internet of Things (IoT) devices and servers running on Linux, infamous for its capacity to corrupt devices to engage in cryptocurrency mining and execute Distributed Denial of Service (DDoS) attacks,” cloud security company Aqua said in a report published this week.

First documented in 2018, the malware has a track record of exploiting known security vulnerabilities, particularly in web applications, to propagate.

The latest vulnerability to be exploited is CVE-2023-33246 (CVSS score: 9.8), a critical flaw in Apache RocketMQ that allows a remote, unauthenticated attacker to execute arbitrary code, either by forging RocketMQ protocol content or by abusing the broker's update-configuration function. Apache fixed it in RocketMQ 5.1.1 and 4.9.6; earlier 5.x and 4.x releases are affected.


Once the flaw has been exploited to gain initial access, the attacker runs a shell script hosted at a remote IP address, which in turn fetches the Muhstik binary (“pty3”) from a second server.

“Having gained the capability to install the malicious payload by exploiting the RocketMQ vulnerability, the attacker gains the ability to run their harmful code, which downloads the Muhstik malware,” said security researcher Nitzan Yaakov.

Persistence on the host is achieved by copying the malware binary to multiple directories and editing /etc/inittab, the file that tells a SysV-style init which processes to start at boot and, through a respawn entry, to restart when they die, so that the bot is relaunched automatically. Note that systemd-based distributions do not read /etc/inittab, so this hook only takes effect on hosts still running a SysV init, which remains common on older servers and embedded devices.

Furthermore, naming the binary “pty3” is likely an attempt to pass as a pseudoterminal (“pty”) and dodge casual inspection. A further evasion technique is dropping copies into /dev/shm, /var/tmp, /run/lock and /run during the persistence phase. On mainstream distributions /dev/shm, /run and /run/lock are tmpfs, so those copies live in RAM, execute from memory and vanish on reboot, leaving little on disk for a post-mortem; /var/tmp, by contrast, is usually disk-backed and persists across reboots.
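The persistence and evasion tricks above give a responder three concrete things to check. The script below is an added example, not Aqua's or the page's code; it assumes nothing about the real binary beyond the names and paths the article reports (a binary called pty3, copies in /dev/shm, /var/tmp, /run/lock and /run, and a respawn entry in /etc/inittab), and the inittab it parses is constructed for the example. It flags inittab entries whose program sits in one of those directories or carries a pty-like name, then, as live checks, lists executables in those directories and processes whose /proc/<pid>/exe points there or at an unlinked file.

```python
"""Hunt for inittab respawn hooks and binaries living in scratch/tmpfs dirs.

Added example (not Aqua's or the page's code). SAMPLE_INITTAB is constructed.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# Directories the article reports the malware copying itself into. /dev/shm,
# /run and /run/lock are tmpfs on mainstream distributions (RAM-backed, gone
# after reboot); /var/tmp is normally disk-backed.
SUSPECT_DIRS = ("/dev/shm", "/var/tmp", "/run/lock", "/run")

# SysV inittab entry: id:runlevels:action:process   (comments start with '#')
INITTAB_RE = re.compile(
    r"^(?P<id>[^:#]+):(?P<levels>[^:]*):(?P<action>[^:]+):(?P<process>.*)$"
)

# Constructed sample: three normal entries plus one bot-style respawn entry.
SAMPLE_INITTAB = """\
# /etc/inittab (constructed sample for this example)
id:3:initdefault:
si::sysinit:/etc/init.d/rcS
1:2345:respawn:/sbin/getty 38400 tty1
mq:2345:respawn:/dev/shm/pty3
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    entry_id: str
    action: str
    program: str
    reasons: tuple[str, ...]


def looks_like_pty_name(path: str) -> bool:
    """True for basenames that imitate pseudoterminal names: pty3, pts0, ..."""
    return re.fullmatch(r"pt[ys]\d*", os.path.basename(path)) is not None


def in_suspect_dir(path: str) -> bool:
    """True when path sits inside one of SUSPECT_DIRS.

    Matches on whole path components, so /runner/x is not confused with /run/x.
    """
    norm = os.path.normpath(path)
    return any(norm == d or norm.startswith(d + "/") for d in SUSPECT_DIRS)


def audit_inittab(text: str) -> list[Finding]:
    """Return inittab entries whose program is in a scratch dir or pty-named.

    A 'respawn' action on such an entry is the tell-tale: init restarts the
    bot every time it is killed.
    """
    findings: list[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = INITTAB_RE.match(line)
        if m is None:
            continue
        process = m["process"].strip()
        program = process.split()[0] if process else ""  # first token = path
        reasons: list[str] = []
        if in_suspect_dir(program):
            reasons.append("program in scratch/tmpfs directory")
        if looks_like_pty_name(program):
            reasons.append("pty-like binary name")
        if reasons:
            if m["action"] == "respawn":
                reasons.append("respawn keeps it running")
            findings.append(Finding(line_no, m["id"], m["action"], program, tuple(reasons)))
    return findings


def executables_in_scratch_dirs(dirs=SUSPECT_DIRS) -> list[str]:
    """Live check: executable regular files under the scratch directories."""
    hits: list[str] = []
    for d in dirs:
        for root, _subdirs, files in os.walk(d):  # silently skips missing dirs
            for name in files:
                path = os.path.join(root, name)
                if os.path.isfile(path) and not os.path.islink(path) and os.access(path, os.X_OK):
                    hits.append(path)
    return hits


def processes_running_from_memory() -> list[tuple[int, str]]:
    """Live check (Linux): PIDs whose executable is in a scratch dir or has
    been unlinked ('(deleted)' suffix on /proc/<pid>/exe)."""
    hits: list[tuple[int, str]] = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:  # kernel threads, vanished or unreadable processes
            continue
        if in_suspect_dir(exe) or exe.endswith(" (deleted)"):
            hits.append((int(pid), exe))
    return hits


if __name__ == "__main__":
    for f in audit_inittab(SAMPLE_INITTAB):
        print(f"sample inittab line {f.line_no} [{f.entry_id}:{f.action}] {f.program}: {', '.join(f.reasons)}")
    if os.path.exists("/etc/inittab"):
        with open("/etc/inittab") as fh:
            for f in audit_inittab(fh.read()):
                print(f"LIVE inittab line {f.line_no} {f.program}: {', '.join(f.reasons)}")
    for path in executables_in_scratch_dirs():
        print("executable in scratch dir:", path)
    for pid, exe in processes_running_from_memory():
        print(f"pid {pid} running from {exe}")
```

Run it as root on the suspect host so /proc/<pid>/exe is readable for every process; an entry in /dev/shm or /run with a pty-style name and a respawn action, or a live process whose executable has already been unlinked, is exactly the pattern described above and warrants pulling the binary from memory before the machine is rebooted.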

Muhstik comes with capabilities to collect system metadata, move laterally to other devices over secure shell (SSH), and finally contact a command-and-control (C2) domain to receive further instructions over the Internet Relay Chat (IRC) protocol.

The end goal of the malware is to weaponize the compromised devices for various kinds of flooding attacks against chosen targets, overwhelming their network resources and causing a denial-of-service condition.

With 5,216 vulnerable Apache RocketMQ instances still exposed on the internet more than a year after the flaw was publicly disclosed, organizations should upgrade to the latest version to reduce their exposure.


“Furthermore, in previous campaigns, cryptomining operations were identified following the execution of the Muhstik malware,” Yaakov said. “These goals are intertwined, as the attackers aim to disseminate and infect more machines, aiding in their objective to mine additional cryptocurrency through the power resources of the compromised machines.”

The disclosure comes as the AhnLab Security Intelligence Center (ASEC) reported that poorly secured MS-SQL servers are being targeted by threat actors with a range of malware, from ransomware and remote access trojans to proxyware.

“Administrators should use complex passwords for their accounts that are challenging to guess and update them regularly to safeguard the database server from brute-force attacks and dictionary attacks,” ASEC said. “They should also apply the latest patches to prevent vulnerability exploitation.”
