
Hands-On Muhstik Botnet: crypto-mining attacks targeting Kubernetes

Blog post from Sysdig

Post Details
Company: Sysdig
Author: Stefano Chierici
Word Count: 2,551
Language: English
Summary

The Sysdig Security Research team has identified new behavior from the Muhstik botnet, which now targets Kubernetes pods for cryptocurrency mining. Muhstik, active since 2017, compromises web applications such as WordPress and Drupal, among others, and monetizes the infected hosts through cryptomining and distributed denial-of-service (DDoS) attacks. In the case analyzed, the attacker gained initial access to a WordPress pod through default credentials, dropped malicious PHP files for persistence, deployed the miner binaries xmra64 and xmrig64, and established communication with the botnet's command-and-control servers before starting the mining activity. The article places this in the context of a rising trend of cryptomining attacks against containerized workloads and stresses the importance of runtime detection with tools like Falco and Sysdig Secure. Falco provides a customizable rule-based engine for flagging abnormal process, file and network behavior, while Sysdig Secure builds on it with out-of-the-box rules and monitoring for Kubernetes environments.
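As an added illustration of the Falco detection approach the post describes (this rule was written for this page and is not Sysdig's rule, nor part of the Falco default ruleset), the following rule fires when a process named after the miner binaries mentioned above is executed inside a container. It assumes Falco's default macros `spawned_process` and `container` are loaded alongside it; the process-name list is taken from the summary plus the generic `xmrig` name and is an assumption about what a deployment would want to match.

```yaml
# Added example rule, not from the original post or the Falco default ruleset.
# Assumes the default Falco macros `spawned_process` and `container` are loaded.
- rule: Cryptominer Binary Launched in Container
  desc: >
    A process whose name matches an XMRig-style miner (the xmra64 / xmrig64
    binaries dropped on the WordPress pod, plus the stock xmrig name) was
    executed inside a container. The name list is an assumption; extend it
    from your own incident data.
  condition: >
    spawned_process and container
    and proc.name in (xmrig, xmra64, xmrig64)
  output: >
    Cryptominer binary launched in container
    (user=%user.name command=%proc.cmdline parent=%proc.pname
    container_id=%container.id container_name=%container.name
    image=%container.image.repository namespace=%k8s.ns.name
    pod=%k8s.pod.name)
  priority: CRITICAL
  tags: [container, kubernetes, cryptomining, mitre_execution]
```

Load the file alongside the default ruleset (for example with an extra `-r` argument) and verify it by executing a binary renamed to `xmrig` in a test pod. Name matching is only a first signal: a miner renamed to something innocuous evades it, so pair it with rules on writes into the web root (the PHP dropper described above) and on unexpected outbound connections from the pod.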