Muhstik Botnet Evolves to Attack Tomato Routers


Saturday, November 14th, 2020

The Muhstik botnet has been active since March 2018 and can infect Linux servers and Internet-of-Things (IoT) devices thanks to its worm-like, self-propagating design. It uses multiple vulnerability exploits to compromise Linux services such as WebLogic, WordPress, and Drupal, and it also targets IoT routers such as GPON home routers and devices running DD-WRT. A new variant recently discovered by Unit 42 researchers adds a scanner that lets Muhstik attack the popular Tomato router firmware by brute-forcing its web authentication. Muhstik primarily monetizes its bots through cryptocurrency mining and DDoS attacks.

The new Muhstik variant scans for Tomato routers on TCP port 8080 and gets past the admin web interface by brute-forcing default credentials; on Tomato routers the defaults are "admin:admin" and "root:admin". Using the Shodan IoT search engine, the researchers estimated that roughly 4,600 Tomato routers exposed on the Internet are potential victims.
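The brute-force behaviour described above leaves a recognisable trace on the target: a burst of HTTP 401 responses from one source against the admin interface on port 8080, cycling through a handful of usernames. The following detection logic is an added example written for this page, not code from Unit 42 or from the Muhstik report; the access-log format (Common Log Format with a trailing `dport=` field, and the attempted username recorded in the user field) and the log lines themselves are constructed for illustration, so adapt the regex to whatever your router or reverse proxy actually emits.

```python
"""Flag HTTP Basic-auth brute forcing against a router admin UI on TCP 8080.

Added illustration, not the article's or Unit 42's code. The log format below
is a constructed Common-Log-Format variant with the destination port appended
and the username presented in the Authorization header logged in the user
field; real devices differ, so adjust LOG_RE accordingly.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<src>\d{1,3}(?:\.\d{1,3}){3}) \S+ (?P<user>\S+) '
    r'\[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ dport=(?P<dport>\d+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one source hammering the 8080 admin UI with the two
# Tomato defaults, one legitimate user who mistypes once, and noise on port 80.
SAMPLE_LOG = [
    '203.0.113.10 - admin [10/Nov/2020:14:02:01 +0000] "GET / HTTP/1.1" 401 0 dport=8080',
    '203.0.113.10 - admin [10/Nov/2020:14:02:02 +0000] "GET / HTTP/1.1" 401 0 dport=8080',
    '203.0.113.10 - root [10/Nov/2020:14:02:03 +0000] "GET / HTTP/1.1" 401 0 dport=8080',
    '203.0.113.10 - root [10/Nov/2020:14:02:04 +0000] "GET / HTTP/1.1" 401 0 dport=8080',
    '203.0.113.10 - admin [10/Nov/2020:14:02:05 +0000] "GET / HTTP/1.1" 401 0 dport=8080',
    '192.168.1.50 - admin [10/Nov/2020:14:05:10 +0000] "GET / HTTP/1.1" 401 0 dport=8080',
    '192.168.1.50 - admin [10/Nov/2020:14:05:14 +0000] "GET / HTTP/1.1" 200 2110 dport=8080',
    '198.51.100.7 - admin [10/Nov/2020:14:06:00 +0000] "GET / HTTP/1.1" 401 0 dport=80',
]


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    d["status"] = int(d["status"])
    d["dport"] = int(d["dport"])
    return d


def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60), port=8080):
    """Return {src_ip: set(usernames tried)} for every source that produced at
    least `threshold` 401 responses against `port` inside any `window`."""
    failures = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e and e["dport"] == port and e["status"] == 401:
            failures[e["src"]].append((e["ts"], e["user"]))

    hits = {}
    for src, events in failures.items():
        events.sort()
        # Sliding window over the sorted failure timestamps.
        for i in range(len(events)):
            j = i
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            if j - i >= threshold:
                hits[src] = {user for _, user in events[i:j]}
                break
    return hits


if __name__ == "__main__":
    for src, users in find_bruteforce(SAMPLE_LOG).items():
        print(f"brute force from {src}: usernames tried {sorted(users)}")
```

The threshold and window are deliberately conservative; a single operator locking themselves out produces one or two 401s, while a scanner cycling through default credentials produces several per second. The port filter matters because Muhstik's scanner specifically targets 8080, so failures against other services should be tracked separately rather than mixed into this count.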

This new Muhstik variant shows that IoT botnets keep expanding their footprint by adding scanners and exploits for additional classes of device. Botnet operators are increasingly targeting devices running open-source firmware, which often lacks the security updates and ongoing maintenance needed to keep the device protected and which frequently ships with well-known default credentials. End users who install open-source firmware should change the default administrator password before the device goes online, avoid exposing the administrative web interface to the Internet, keep the firmware current, and follow the security guidance in the firmware's documentation.




Indicators of Compromise (IoCs):

  • C2
    • 46.149.233[.]35
    • 68.66.253[.]100
    • 185.61.149[.]22
  • Domains and URLs
    • hxxp://y.fd6fq54s6df541q23sdxfg[.]eu/nvr
    • hxxp://159.89.156[.]190/.y/pty1
    • hxxp://159.89.156[.]190/.y/pty3
    • hxxp://159.89.156[.]190/.y/pty5
    • hxxp://159.89.156[.]190/.y/pty6
    • s.shadow.mods[.]net
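The indicators above are defanged (`hxxp`, `[.]`) so that they cannot be clicked or auto-linked; to use them in detection they have to be refanged and split into IP, domain and URL sets. The script below is an added example for this page, not tooling from Unit 42 or the article: it refangs the list exactly as printed above, derives indicator sets from it, and sweeps a handful of constructed DNS and firewall log lines for matches, including subdomains of a listed domain. The log lines, source addresses and ports are constructed for illustration; only the indicators come from the page.

```python
"""Refang the article's defanged IoCs and sweep log lines for them.

Added example, not code from Unit 42 or the article. The DNS and firewall log
lines are constructed for illustration; the indicators are copied from the
page's IoC list.
"""
import ipaddress
import re
from urllib.parse import urlsplit

DEFANGED_IOCS = [
    "46.149.233[.]35",
    "68.66.253[.]100",
    "185.61.149[.]22",
    "hxxp://y.fd6fq54s6df541q23sdxfg[.]eu/nvr",
    "hxxp://159.89.156[.]190/.y/pty1",
    "hxxp://159.89.156[.]190/.y/pty3",
    "hxxp://159.89.156[.]190/.y/pty5",
    "hxxp://159.89.156[.]190/.y/pty6",
    "s.shadow.mods[.]net",
]

# Constructed sample logs: one host resolves the payload domain and then talks
# to the payload host and a C2 address; a second host is clean.
SAMPLE_LOGS = [
    "2020-11-10T14:07:01Z dns query src=192.168.1.50 qname=y.fd6fq54s6df541q23sdxfg.eu qtype=A",
    "2020-11-10T14:07:02Z fw ALLOW src=192.168.1.50:51022 dst=159.89.156.190:80 proto=tcp",
    "2020-11-10T14:07:09Z fw ALLOW src=192.168.1.50:51030 dst=185.61.149.22:443 proto=tcp",
    "2020-11-10T14:08:00Z dns query src=192.168.1.51 qname=www.example.com qtype=A",
    "2020-11-10T14:08:03Z fw ALLOW src=192.168.1.51:51100 dst=203.0.113.5:443 proto=tcp",
]


def refang(ioc):
    """Undo the common defanging conventions used in the IoC list."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def host_of(ioc):
    """Hostname or IP of a refanged URL, bare domain, or bare IP (lower-cased)."""
    s = refang(ioc)
    if "://" in s:
        s = urlsplit(s).hostname
    return s.lower()


def build_indicator_sets(defanged):
    """Split the list into (ips, domains, urls); URL hosts are added to ips/domains too."""
    ips, domains, urls = set(), set(), set()
    for ioc in defanged:
        s = refang(ioc)
        if "://" in s:
            urls.add(s)
        host = host_of(ioc)
        try:
            ipaddress.ip_address(host)
            ips.add(host)
        except ValueError:
            domains.add(host)
    return ips, domains, urls


IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def sweep(lines, ips, domains):
    """Return [(line_no, indicator)] for every line touching an IP or a listed
    domain (exact match or subdomain of it)."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in ips:
                hits.append((n, ip))
        for host in HOST_RE.findall(line):
            host = host.lower()
            for d in domains:
                if host == d or host.endswith("." + d):
                    hits.append((n, d))
    return hits


if __name__ == "__main__":
    ips, domains, urls = build_indicator_sets(DEFANGED_IOCS)
    for line_no, indicator in sweep(SAMPLE_LOGS, ips, domains):
        print(f"line {line_no}: {indicator}")
```

Matching on the URL host rather than the full URL is intentional: payload paths such as `/.y/pty1` change between campaigns, while the serving IP tends to be reused, so a DNS or firewall log that never sees the URL path can still catch the host. Feed the indicator sets into a blocklist or SIEM watchlist rather than running this per-line Python over production volumes.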