ELF64_MUHSTIK.A

This Exploit arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It joins an Internet Relay Chat (IRC) channel. It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This Exploit arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

This malware arrives via the following means:

• Drupal Remote Code Execution Vulnerability (CVE-2018-7600)

Backdoor Routine

This Exploit joins any of the following Internet Relay Chat (IRC) channels:

• #muh{BLOCKED}

It executes the following commands from a remote malicious user:

• SH - execute shell command
• IRC - send arbitrary irc command to server
• HELP - send help instructions
• KILL - terminates client
• KILL_PORT - terminates socket/port
• GET - download arbitrary file from arbitrary url
• SSHX - ssh scan provided credentials
• SSH - ssh scan
• KILLALL - terminates all current packeting
• SERVER - set server
• CBACK - Connect back
• UNKOWN - send non-spoof udp flood on arbitrary site
• UDP - send udp flood on arbitrary site
• PAN - send syn flood on arbitrary site that will kill most network drivers
• HTTP - send http flood on arbitrary site
• STD2 - send std2 flood on arbitrary site

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• {BLOCKED}.{BLOCKED}.101.96:9090
• {BLOCKED}.{BLOCKED}.84.99:9090
• {BLOCKED}.{BLOCKED}.84.0:9090
• {BLOCKED}.{BLOCKED}.210.184:9090
• {BLOCKED}.{BLOCKED}.163.168:9090
• {BLOCKED}.{BLOCKED}.71.250:9090
• {BLOCKED}.{BLOCKED}.240.14:9090
• {BLOCKED}.{BLOCKED}.171.44:9090
• {BLOCKED}.{BLOCKED}.190.236:9090
• {BLOCKED}.{BLOCKED}.93.125:9090
• {BLOCKED}.{BLOCKED}.eu:9090