Botnets, Packers, and Python Threats
The Muhstik botnet is exploiting a flaw in Apache RocketMQ, hackers are misusing legitimate packer software to distribute malware, and cybersecurity experts have uncovered a malicious Python package used to deliver infostealer malware. Learn all about them in today’s security roundup.
Muhstik Botnet Exploiting Apache RocketMQ
The Muhstik botnet is exploiting a newly discovered vulnerability in Apache RocketMQ to expand its capacity for Distributed Denial-of-Service (DDoS) operations. The vulnerability (CVE-2023-33246) lets the botnet grow the scale of its attacks by enlisting compromised systems, putting internet-facing servers at risk.
The vulnerability is exploited by running a shell script from a remote IP. This script is then used to download the Muhstik malware binary (“pty3”), which is copied to multiple directories to ensure the attack’s persistence.
The botnet primarily targets IoT devices and Linux servers. Approximately 5,000 instances of RocketMQ are thought to be vulnerable. The botnet can move laterally, gather metadata, and contact command and control domains. The Apache Software Foundation has patched the flaw and has urged users to prioritize updating their RocketMQ installations to minimize the threat.
Fraudulent Python Packages Used to Target Developers
Cybersecurity researchers have found a malicious Python package on PyPI called “crytic-compilers” that tricks users into installing the Lumma information stealer malware. The package relies on typosquatting, counting on developers mistyping the name of the legitimate “crytic-compile” library.
The package was found to have been downloaded more than 400 times before it was taken down. Some versions were even found to install legitimate packages, through a modified setup.py script, to avoid detection.
The package deceives developers, resulting in the installation of malware on Windows systems. The discovery of the Python package highlights the need for developers to verify the authenticity of packages while following strict security policies to prevent the compromise of systems leading to data theft.
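As an added example that is not part of the article, the following Python script applies the lesson of the crytic-compilers case to a requirements file: any name that is not on a team's allowlist but sits within two edits of an allowlisted package is flagged for a human look. The allowlist and the requirements content are constructed for the demonstration.

```python
# Added example (not from the article): flag requirements whose names are not
# on a known-good allowlist but sit within a few edits of one that is, the way
# "crytic-compilers" shadows the legitimate "crytic-compile".
import re
# Constructed allowlist of packages the project actually depends on.
KNOWN_GOOD = {"crytic-compile", "requests", "slither-analyzer"}

def normalize(name):
    # PEP 503 normalization: lowercase, collapse runs of -, _ and . into '-'.
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a, b):
    # Levenshtein distance via the classic two-row dynamic programme.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def requirement_name(line):
    # Project name from one requirements.txt line ("" for comments/options).
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return ""
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return m.group(0) if m else ""

def find_lookalikes(requirements, allowlist=KNOWN_GOOD, max_distance=2):
    # Return [(requested, allowlisted)] pairs that deserve a human look.
    allowed = {normalize(n) for n in allowlist}
    flagged = []
    for raw in requirements.splitlines():
        name = requirement_name(raw)
        norm = normalize(name)
        if not name or norm in allowed:
            continue
        for good in sorted(allowed):
            if edit_distance(norm, good) <= max_distance:
                flagged.append((name, good))
                break
    return flagged

# Constructed requirements file containing the typosquat from the article.
SAMPLE_REQUIREMENTS = "requests==2.31.0\ncrytic-compilers\nslither-analyzer>=0.10\nnumpy\n"

if __name__ == "__main__":
    for requested, good in find_lookalikes(SAMPLE_REQUIREMENTS):
        print(f"WARNING: {requested!r} is not allowlisted but resembles {good!r}")
```

Run against a real requirements file, the check belongs in CI so that a near-miss name blocks the build until someone confirms it; very short package names will need a smaller max_distance to keep false positives down.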
Legitimate Packer Software Misused by Hackers
Hackers have been found misusing packer software such as Themida, BoxedApp, and UPX to distribute malware surreptitiously. The strategy has been used to hide malicious payloads such as information stealers and trojans, circumventing standard security measures. According to the report, the technique is increasingly used, challenging cybersecurity professionals.
Some of the prominent malware distributed through this strategy include AsyncRAT, Agent Tesla, LodaRAT, LockBit, Neshta, NanoCore, Quasar RAT, NjRAT, RedLine, Ramnit, RevengeRAT, Remcos, ZXShell and XWorm.
Packed payloads of this kind go undetected by endpoint security software and resist analysis, emphasizing the need for investment in advanced threat detection systems and in training that sharpens vigilance against such strategies.
These developments highlight the growing sophistication of cyber attacks and the requirement for organizations to be proactive in setting up safeguards. Measures such as timely software upgrades, advanced threat detection infrastructure, and vigilance in verifying third-party packages are more critical than ever.