Although the Muhstik botnet has been around since at least 2018, by December 2019 Palo Alto Networks had identified a new variant of the botnet that attacked and took control of Tomato routers.

Tomato is a well-known, open-source, Linux-based router firmware used by multiple router vendors as well as thousands of end users who value its stability, VPN pass-through capability and advanced QoS control, among other features. Back then, researchers searched Shodan for Tomato fingerprints and found more than 4,600 such routers exposed on the Internet.

Now, cloud security company Lacework has provided some additional analysis and observations on Muhstik. The attack is carried out in several stages.

First, a payload file with the name “pty” followed by a number is downloaded from the attacker’s server. Sample URLs provided by Lacework include:

hxxp://159.89.156.190/.y/pty2
hxxp://167.99.39.134/.x/pty3

Once the installation is complete, Muhstik contacts its IRC channel to receive commands.
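The two stages described above (a download of a payload named “pty” plus a number from a dot-prefixed directory, followed by IRC contact) are simple to look for in logs. The following Python is an added detection example, not code from the article or from Lacework: it scans constructed web-proxy log lines for the stage-one URL pattern, using the two sample URLs quoted above, and then correlates the downloading hosts with constructed connection records to standard IRC ports (6667/6697, an assumption, since the article does not state which port the botnet uses). The log formats, field layout and the benign sample entries are all assumptions made for this example.

```python
"""Detect Muhstik-style stage-one payload downloads in proxy logs and
correlate them with subsequent IRC connections (added example)."""
import re
from typing import Dict, List, Optional

# Constructed proxy log lines (not from the article).
# Format: timestamp src_ip method url status
SAMPLE_LOG = """\
2019-12-03T10:15:01Z 192.0.2.10 GET hxxp://159.89.156.190/.y/pty2 200
2019-12-03T10:15:07Z 192.0.2.10 GET hxxp://167.99.39.134/.x/pty3 200
2019-12-03T10:16:00Z 192.0.2.11 GET http://example.org/index.html 200
2019-12-03T10:16:30Z 192.0.2.12 GET http://example.org/.well-known/acme-challenge/abc 200
2019-12-03T10:17:00Z 192.0.2.13 GET http://198.51.100.5/.z/pty 404
"""

# Constructed connection records (not from the article).
# Format: timestamp src_ip dst_ip dst_port
SAMPLE_FLOWS = """\
2019-12-03T10:20:00Z 192.0.2.10 203.0.113.7 6667
2019-12-03T10:21:00Z 192.0.2.11 203.0.113.8 443
"""

# Stage-one payload URL shape from the article: http(s)://<host>/.<short dir>/pty<N>
# The short hidden directory (".y", ".x") and the numeric suffix are the key traits.
PAYLOAD_URL_RE = re.compile(
    r"^https?://(?P<host>[^/\s]+)/\.(?P<dir>[A-Za-z0-9_-]{1,3})/pty(?P<n>\d+)$",
    re.IGNORECASE,
)

# Standard IRC ports; an assumption, the article does not name the port used.
IRC_PORTS = {6667, 6697}


def refang(url: str) -> str:
    """Turn defanged notation (hxxp://, [.]) back into a real URL for matching."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".")


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Split one proxy log line into fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src_ip, method, url, status = parts
    return {"ts": ts, "src_ip": src_ip, "method": method,
            "url": refang(url), "status": status}


def find_payload_downloads(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per log line whose URL matches the payload pattern."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        m = PAYLOAD_URL_RE.match(rec["url"])
        if m:
            findings.append({"ts": rec["ts"], "src_ip": rec["src_ip"],
                             "host": m.group("host"), "url": rec["url"],
                             "stage": "payload-download"})
    return findings


def irc_talkers(flow_text: str) -> set:
    """Source IPs seen connecting to an IRC port in the connection records."""
    talkers = set()
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        if int(parts[3]) in IRC_PORTS:
            talkers.add(parts[1])
    return talkers


def correlate(log_text: str, flow_text: str) -> Dict[str, List[str]]:
    """Rank hosts: a payload download followed by IRC traffic is the stronger signal."""
    downloaders = {f["src_ip"] for f in find_payload_downloads(log_text)}
    irc = irc_talkers(flow_text)
    return {"payload_download_and_irc": sorted(downloaders & irc),
            "payload_download_only": sorted(downloaders - irc)}


if __name__ == "__main__":
    for f in find_payload_downloads(SAMPLE_LOG):
        print(f"{f['ts']} {f['src_ip']} fetched {f['url']} from {f['host']}")
    print(correlate(SAMPLE_LOG, SAMPLE_FLOWS))
```

On the constructed input, the two article URLs are flagged, the `.well-known` request and the `/pty` URL without a numeric suffix are not, and 192.0.2.10 is reported in the stronger category because it both fetched a payload and later spoke to an IRC port. The regex is deliberately tight to the pattern the article describes; a team that has seen other directory names or suffixes in its own telemetry can widen `PAYLOAD_URL_RE` accordingly.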

Lacework claims that the original malware samples were uploaded to VirusTotal all at once before the Muhstik attacks were seen in the wild, and that these samples had multiple strings mentioning “shenzhouwangyun”, as in:

/home/wys/ shenzhouwangyun/shell/downloadFile/tomato.deutschland-zahlung.eu_nvr

This indicates that “Shen Zhou Wang Yun is probably the creator of the malware and not just the first to upload it”, or at least that is what the researchers believe.
