Researchers with Lacework have published new findings on Muhstik, a long-active botnet that currently uses several web application exploits, targeting Oracle WebLogic and Drupal, to mine cryptocurrency. The botnet is monetized through XMRig and cgmining and through DDoS attack services.
Lacework researchers note: “Muhstik leverages IRC for its command and control and has consistently used the same infrastructure since its inception. The primary method of propagation for IoT devices is via home routers however there are multiple attempted exploits for Linux server propagation. Targeted routers include GPON home router, DD-WRT router, and the Tomato router… (its activities are) tied to cryptomining and Linux backdoors.”