Muhstik Botnets are actively exploiting Drupal vulnerabilities

DDoS attack

At the end of last month, Drupal, an open source content management system, issued a high-risk vulnerability advisory. According to the advisory, the vulnerability exists in several subsystems of Drupal 7.x and 8.x and may allow websites to be compromised.

On the 13th of this month, the 360 Cyber Security Institute observed large-scale scanning for this vulnerability on the Internet. Analysis found that at least 3 groups of malware were exploiting it. One of them spreads as a worm, and its infection count is significantly higher than that of the other malware. After analysis, the institute concluded that it was a long-standing botnet family and named it Muhstik, mainly because that string appears repeatedly in the binary file name and in the communication protocol.

The Muhstik botnet is fairly complex and hard-codes 11 C2 domain names/IPs. Its monetization methods include mining XMR (Monero) and BTC (Bitcoin) cryptocurrency and launching DDoS attacks.

Source: threatpost