Public Redis exploit used by malware gang to develop botnet

The Muhstik malware gang is now actively targeting and exploiting a Lua sandbox escape vulnerability in Redis after a proof-of-concept exploit was released.

The vulnerability is identified as CVE-2022-0543 and was discovered in February 2022, affecting both Debian and Ubuntu Linux distributions.

Shortly after, on March 10, a proof-of-concept (PoC) exploit was made public on GitHuballowing malicious actors to remotely execute arbitrary Lua scripts, performing a sandbox escape on the target host.

Although the vulnerability was fixed in the Redis package version, it is common for servers not to be updated immediately due to operational issues or simply because the administrator does not know the new version .

According to a report by Juniper Threat Labsjust a day after the PoC was released, the Muhstik gang began actively exploiting the flaw to remove malware that supports its DDoS (denial of service) operations.

Run commands on a Redis session
Run commands on a Redis session (Juniper)

A long-standing Chinese botnet

The Muhstik botnet is believed to be operated from China, as researchers previously linked its control infrastructure to a Chinese forensic company.

It’s been around since at least 2018, surviving by adaptation, steadily moving to exploit new vulnerabilities consistently to target large numbers of vulnerable devices.

In the past, it targeted Oracle WebLogic Server bugs (CVE-2019-2725 and CVE-2017-10271) and a Drupal RCE flaw (CVE-2018-7600).

In September, Muhstik moved on to attack Confluence servers via CVE-2021-26084, and in December he focused on exploiting vulnerable Apache Log4j deployments.

The operation of CVE-2022-0543 started earlier this month and is still ongoing.

Timeline of Muhstik's activity
Timeline of Muhstik’s activity (Juniper)

A “Russian” payload

Muhstik named their payload “”, which is downloaded from C2 using wget or curl, saved as “/tmp.russ”, and finally executed.

The script will fetch variants of the Muhstik bot from an IRC server, while the bot supports receiving and parsing shell commands, flood commands, and SSH brute force.

Muhstik bot abilities as seen in code
Muhstik bot abilities as seen in its chains (Juniper)

In the past, Muhstik also uploaded an XMRig miner to the compromised host, but this does not appear in the recent campaign.

To protect your systems from the Muhstik gang, be sure to update your Redis package to the latest available version or switch to non-vulnerable tools such as Bionic or Trusty.

For more information on mitigation and security tips, see the Debian Security Advisory Where Ubuntu Security Bulletin On the question.

Source link

Steven L. Nielsen