The Muhstik botnet was first exposed by Netlab360 researchers in May 2018. This botnet targeted mainly GPON routers. At Intezer we found that Muhstik is extending its spectrum of compromised devices by targeting web servers hosting phpMyAdmin.
PhpMyAdmin is a well known open-source tool written in PHP, intended to handle the administration of MySQL over the web. This tool is fairly popular among web developers due to the convenience of operating a database via a web browser. On the other hand, the use of these type of tools leads the front-end of a server to be publicly exposed, and in particular to phpMyAdmin, with a lack of protection against brute-forcing attempts.
This blog will cover how the Muhstik malware has been using phpMyAdmin scanners in its newer variants in order to extend the spectrum of its vulnerable devices discovery and acquisition.
Another recent IoT malware campaign that targeted phpMyAdmin servers was Operation Prowli, however, it is not very common to see these type of botnets targeting web servers.
We will also disclose the relationship between Muhstik’s phpMyAdmin Scanner and an open-source TCP port scanner tool called Pnscan, since we believe that the threat actors behind Muhstik borrowed and modified code from this project.
Hunting New Mushtik Variants
After the analysis of various known Muhstik samples, we observed that some lower detected samples exposed what seem to be new features added to the botnet. One of these examples is the following MIPS sample:
The following is the known Muhstik’s implant download method from Netlab360 report:
Muhstik GPON exploit deployment[/caption]
When analyzing the strings we notice that there are some uncommon Muhstik strings along with the known Muhstik payloads.
Known and unknown strings from the known Muhstik variant:
String reuse from Intezer Analyze™
After analyzing the code, we concluded that the new functionality was a phpMyAdmin scanner module. Furthermore, these new findings motivated us to index some lower detected variants in our database in order to evaluate if the discovery of further lower detected variants was possible.
Since we support ELF files in Intezer Analyze™ but do not currently support MIPS binaries, we decided to rely on our ‘String Reuse’ feature in order to find lower detected variants that shared large pieces of the phpMyAdmin Scanner code base based on string reuse.
Muhstik.PMA.Scan Variant Analysis:
This variant shares the same infrastructure as earlier Mushstik variants, possessing scan, report, download, and control stages.
Muhstick’s phpMyAdmin Scanner Infrastructure[/caption]
The scanner is a command line tool utility in which a file containing a list of CIDRs to bruteforce is expected as the first argument.
In every analyzed sample we noticed a recurrent pattern of hardcoding the report and download servers in the main function:
The scanner then attempts to obtain the CIDR list it requires to commence the scan. For this specific sample it obtains such lists from the download server, but we are aware of samples that contain the hardcoded IP blocks in the binary itself:
The download server (18.104.22.168) hosts implants to be downloaded by the compromised server and CIDRs to be used by the phpMyAdmin Scanner. In this sample, the download server host these files at /rescueshop_dev/x/:
We observe the names of the CIDRs correlate with the names that Muhstik’s aioscan implant used based on a Netlab360 report.
Older variants of Muhstik using CIDRs[/caption]
The download server also contains a series of files which are instances of Muhstik phpmyAdmin Scanner. These files were hosted in the root directory of the download server under the name pma<number>.
In addition, once the scanner obtains the IP block to target, it will begin brute forcing credentials in order to find vulnerable servers. The following image demonstrates one of the several ways that the scanner crafts http requests when attempting to brute force login credentials of a discovered phpMyAdmin login page:
Muhstick’s phpMyAdmin HTTP headers[/caption]
Once the scanner has found a vulnerable server, it will then disclose it to the report server.
Vulnerable phpMyAdmin URL crafting for report[/caption]
Report and Download Stages:
After the scanner has found a vulnerable phpMyAdmin server, it will send the full vulnerable url to the report server (22.214.171.124) in the following format:
The report server IP can also be seen in the Netlab360 report used to deploy Muhstik’s GPON exploit:
Throughout the investigation we were unable to find the exact operations of pma.php hosted in the report server, although we assess with high confidence that it was used to deploy a phpMyAdmin exploit since it shares the same convention as previously observed Muhstik exploit deployments.
Furthermore, we were able to find a core dump in VirusTotal of this same variant that exposed some of pma.php’s behavior.
Muhstik’s phpMyAdmin Scanner Core-dump VirusTotal Analysis[/caption]
When analyzing the stack segment in the core file we found the following:
Core-Dump Stack Overview[/caption]
We observed that paths of the downloaded implant and Muhstik phpMyAdmin Scanner instance were saved in suspicious environment variables. We also notice based on the $PWD environment variable that this core file proceeded from a WordPress server.
The binary was executed from /tmp/ directory and its name was pma6, which follows the same naming convention from the Muhstik phpMyAdmin Scanner instances hosted in its download server.
Additionally, the environment variable $SHLVL has a value of 3. The value of this environment variable increases by one each time a shell has started. In other words, for the time that the core dump was generated, the binary was running on 3 nested shells. These are solid indicators that this core file was generated in a compromised system.
Summarizing, this core dump leaves hints on how the attack chain was deployed. It seems that the implants may have been downloaded by an additional agent in the exploitation stage, and that the scanner was one piece of a broader post-exploitation tool set.
If we submit the implants to Intezer Analyze™ we observe that they are packed with a specific UPX variant.
Packed Muhstik sample[/caption]
In the related samples section we observe that the same UPX variant has been seen in previous Kaiten variants reported by MalwareMustDie.
After unpacking the sample we see that the unpacked Muhstik implant shares genes with Tsunami based on code reuse. Tsunami and STDBot are known to be derived from an IRC bot malware family called Kaiten. Therefore, this connection shows that Muhstik implants are also based on Kaiten.
This implant operates with different IRC servers, implementing SSH, HTTP scanning functionalities, and multiple DDoS features which extends the usual functionalities of regular Kaiten variants.
Based on Netlab360’s report we can assume that this botnet has been active since May 2018. However, when we analyze the username the botnet uses at some point in one of its IRC channels, we notice the date as a suffix. We believe this naming convention is used to track new variants among the botnet’s IRC channels. This sample’s fixed IRC username suggests the build was released one day after Netlab360 published its blog about Muhstik.
Origins of Muhstik phpMyAdmin Scanner
After researching this newer Muhstik variant, we noticed several other pieces of malware not related to Muhstik, but using a similar scanner.
Based on code similarities, we found that the original scanner in which Muhstik borrows code from is an open-source project called Pnscan. Pnscan was written by Peter Eriksson, a computer systems manager from Linköping University, Sweden.
Pnscan’s Github Repository[/caption]
It is important to understand that this Pnscan tool is not directly related to the Linux.Pnscan.2 worm reported by DrWeb in August, 2015. Pnscan is an open-source TCP port scanner tool which received its name as an abbreviation of Parallel Network Scanner.
When we compare some of the functions found in the un-stripped Muhstik phpMyAdmin Scanner against Pnscan, we observe undeniable evidence that they share a common code base. We can see this based on function, string, and symbol naming similarities.
Portion of Pnscan’s main function section
Portion of Pnscan’s Main Function[/caption]
Portion of Muhstick’s phpMyAdmin Main’s Function[/caption]
Muhstick’s phpMyAdmin Scanner get_ip_range Function[/caption]
Pnscan’s get_port_range Function[/caption]
Muhstick’s phpMyAdmin get_port_range[/caption]
PhpMyAdmin scanners seem to be an increased resource leveraged by threat actors to compromise systems in recent years. In particular, the Muhstik botnet has adopted new techniques to compromise a broader spectrum of systems.
The phpMyAdmin scanner variant appears to have fallen under the radar in comparison with previous variants targeting GPON routers and has not been seen or reported to date.
In order to mitigate these types of attacks against phpMyAdmin, stronger password conventions should be implemented, or some form of anti brute-forcing schemes such as account lockout policy, or Google’s reCaptcha, should be applied.
Furthermore, we have observed in the past the repercussions of publishing open-source projects that can be used for malicious purposes. This is another example demonstrating how threat actors borrow and modify publicly released code in order to conduct their campaigns.
Muhstik phpMyAdmin Scanner:
Muhstik WordPress Scanner
Mushtik implant unpacked
Mushtik GPON phpMyAdmin MIPS hybrid
Pnscan source code: https://github.com/ptrrkssn/pnscan