Severity
Medium
Analysis Summary
Muhstik malware has been around since 2017, and we assume that it is based on a fork of the Mirai code; it is currently targeting cloud-hosted systems through several web application exploits. The botnet is monetized through cryptocurrency mining and DDoS-for-hire services. It targets a wide variety of web applications, including WordPress, Drupal, WebDAV and Oracle’s WebLogic application server, as well as an assortment of Internet-of-Things (IoT) and Small Office/Home Office (SOHO) devices. Muhstik uses its botnet to mount sizable distributed denial-of-service (DDoS) attacks, and it also installs several cryptocurrency miners on affected systems.
CVE-2022-0543 – Severity High
Redis could allow a local attacker to execute arbitrary code on the system because of a packaging issue that leads to a Lua sandbox escape. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
Impact
- Cryptocurrency Mining
- DDoS
Indicators of Compromise
IP
- 106[.]246[.]224[.]219
- 160[.]16[.]58[.]163
- 104[.]236[.]150[.]159
- 170[.]210[.]45[.]163
- 146[.]185[.]136[.]187
- 178[.]62[.]69[.]4
- 191[.]232[.]38[.]25
- 79[.]172[.]212[.]132
- 221[.]120[.]103[.]253
MD5
- 4aa80ec9c4af1849fb3f0c82cf82c99b
- 0abc01de8962867957bca89f6bd4c10e
- 97717ad2ff60ac257a5f66634fe06544
- 582a434ba0f2e04bd8b5495c50320068
- 60f50372901a3ab6be093cb9922fd75c
- 6865d47eeb5b85d949bdf5bd1ba27ac0
- 6255cea06cb5c8ac346fc39105cf9ab7
SHA-256
- 4817893f8e724cbc5186e17f46d316223b7683dcbc9643e364b5913f8d2a9197
- 46389c117c5f41b60e10f965b3674b3b77189b504b0aeb5c2da67adf55a7129f
- 95d1fca8bea30d9629fdf05e6ba0fc6195eb0a86f99ea021b17cb8823db9d78b
- 7d3855bb09f2f6111d6c71e06e1e6b06dd47b1dade49af0235b220966c2f5be3
- 16b4093813e2923e9ee70b888f0d50f972ac607253b00f25e4be44993d263bd2
- 28443c0a9bfd8a12c12a2aad3cc97d2e8998a9d8825fcf3643d46012f18713f0
- 36a2ac597030f3f3425153f5933adc3ca62259c35f687fde5587b8f5466d7d54
SHA-1
- 0a2ad5795cbafb1f2962c27ce0fe657704d146ee
- a7b49698f0562b887d1c5b96272b50e9e13cba80
- 9845039ea2423177944fb7666595002891ca28e3
- b3888d650646aa63423765e686a14ddc82ee52be
- 03fabbbc736a5c59b889e3675331c96263d4a4a6
- 8106f4cb86dcc2bd0c806889f8a8589b758b17ff
- 5fcceec2fe69820a6c2c51aa72f9322197c3ab50
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
- Update to the patched versions of Redis.
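The two remediation steps above ("block the indicators" and "search for IOCs in your environment") both start with turning the defanged indicators in this alert back into a matchable form and sweeping logs and file-hash inventories for them. The following Python script is an added example, not part of the Rewterz alert: it refangs the IP addresses listed above, holds one hash of each type from the alert (the full list would be loaded the same way), and scans a handful of constructed log lines for matches. The sample lines and their format are made up for illustration; the indicator values are the ones printed in the alert.

```python
import re

# Indicators copied from the alert above, in the defanged form the alert uses.
DEFANGED_IPS = [
    "106[.]246[.]224[.]219",
    "160[.]16[.]58[.]163",
    "104[.]236[.]150[.]159",
    "170[.]210[.]45[.]163",
    "146[.]185[.]136[.]187",
    "178[.]62[.]69[.]4",
    "191[.]232[.]38[.]25",
    "79[.]172[.]212[.]132",
    "221[.]120[.]103[.]253",
]

# One hash of each type from the alert; extend with the remaining entries in practice.
HASHES = {
    "4aa80ec9c4af1849fb3f0c82cf82c99b",                                   # MD5
    "0a2ad5795cbafb1f2962c27ce0fe657704d146ee",                           # SHA-1
    "4817893f8e724cbc5186e17f46d316223b7683dcbc9643e364b5913f8d2a9197",  # SHA-256
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("1[.]2[.]3[.]4", "hxxp://") back into its raw form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IPS = {refang(ip) for ip in DEFANGED_IPS}

# Loose patterns for dotted-quad IPs and 32/40/64-character hex digests (MD5/SHA-1/SHA-256).
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b[0-9a-fA-F]{32}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{64}\b")


def scan_lines(lines):
    """Return (line_number, kind, value) for every line that mentions a known indicator.

    Candidate IPs and hashes are extracted with the regexes and then checked against
    the indicator sets, so unrelated addresses and digests in the same lines are ignored.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        for ip in IP_RE.findall(line):
            if ip in IPS:
                hits.append((number, "ip", ip))
        for digest in HASH_RE.findall(line):
            if digest.lower() in HASHES:
                hits.append((number, "hash", digest.lower()))
    return hits


# Constructed sample lines (not taken from the alert): a Redis connection log line,
# a web-server access log line, an EDR-style file event and a benign Redis line.
SAMPLE_LINES = [
    "1:M 29 Mar 2022 10:14:02.113 # Accepted 106.246.224.219:48122",
    '10.0.0.7 - - [29/Mar/2022:10:14:05 +0000] "GET /wp-login.php HTTP/1.1" 200 1234',
    "file_created path=/tmp/.x sha256=4817893f8e724cbc5186e17f46d316223b7683dcbc9643e364b5913f8d2a9197",
    "1:M 29 Mar 2022 10:14:09.000 * DB saved on disk",
]

if __name__ == "__main__":
    for number, kind, value in scan_lines(SAMPLE_LINES):
        print(f"line {number}: {kind} indicator {value}")
```

Running the script reports the first line (a listed IP connecting to Redis) and the third line (a listed SHA-256); the private address on the second line and the unrelated Redis line produce nothing. To run it over real data, replace `SAMPLE_LINES` with the lines of a log file or a hash inventory export, and add the remaining MD5, SHA-1 and SHA-256 values from the alert to `HASHES`.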