An Analysis of Muse Hub Network Activity

• Jun 12, 2023 - 16:24

Overview:
A lot of users have been reporting suspicious activity from Muse Hub and have submitted their concerns in the forums. I've noticed that Malwarebytes has been blocking a lot of attempted network connections by Muse.Service.exe, which appears to be Muse Hub network activity. This is an analysis of that activity using OSINT to help others understand the nature of this activity.

Activity:
Inbound and outbound connection attempts to and from a range of IP addresses that Malwarebytes and OSINT reputation sites have flagged as malicious. The activity was detected in Malwarebytes logs and each address was then checked against OSINT reputation sites. Every detected connection involved port 6881. Port 6881 is the first port in the 6881-6889 range that BitTorrent clients traditionally listen on, so traffic on it is usually torrent traffic.
https://www.speedguide.net/port.php?port=6881

These IP addresses have been reported by the OSINT community for a variety of malicious activity, including appearing as QakBot IOCs and being the source of SSH brute-force attacks, vulnerability scanning, and remote code execution attempts. QakBot is categorised as a banking trojan, worm, and remote access trojan (RAT). See the OSINT links under each IP address below for the specific reports against that address.
https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware…

Apart from one or two addresses having been reported as QakBot IOCs, nothing in these particular connections points to QakBot activity. That said, one should still be wary of any connection to an address with a bad reputation.

Note that I've obfuscated the IP addresses below with square brackets to help prevent any unintentional connections.

Conclusion:
This activity appears to be torrent related, given the use of port 6881 and the explanation offered by MuseScore community members who are familiar with or involved in MuseScore and Muse Hub development. Muse Hub appears to be exchanging data with these IP addresses as peer-to-peer (torrent) download peers: the outbound attempts would be Muse Hub reaching out to other peers, and the inbound attempts other peers reaching Muse Hub. The addresses themselves have been reported for various malicious activity, past and present. That is what one expects of a public torrent swarm, which consists of whatever hosts happen to be participating, compromised machines included, and a peer's reputation says nothing about the data exchanged with it. What decides whether the local machine is actually at risk is which process is making the connections and whether that binary is the one shipped in the Muse Hub package, which is why the file name, path, and SHA256 are recorded below.

Recommendations:
Consider the following steps if you wish to stop this network activity:
• Update to the latest version of Muse Hub, v1.0.2.800 as of 2023-06-12 (the build analysed below is 1.0.1.693).
• Turn off "Enable Community Acceleration" (the peer-to-peer option) and the option to run Muse Hub at startup in Muse Hub settings.
• Reboot your computer.
• Ensure Muse Hub is not running.
• Check whether Muse.Service.exe is still making or accepting connections on port 6881, for example with netstat -ano, which lists the owning PID of each socket.
• File a bug report if these connections are still occurring after the setting is disabled, including the Muse Hub version and the Malwarebytes log entries.
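The last two steps amount to one question: is Muse.Service.exe still talking on port 6881, and to which addresses? The script below is an added example, not code from the original post or from Muse Hub. It refangs the square-bracketed IP list from this post, parses a snapshot in the layout of netstat -ano, attributes each port-6881 socket to its PID, and infers direction the way a torrent peer is seen from the local host: a connection arriving at our local port 6881 is an inbound peer, a connection to a remote port 6881 is outbound. The netstat lines are constructed to mirror the real command's output and are not a capture; PID 4212 standing in for Muse.Service.exe and PID 1337 for an unrelated process are hypothetical.

```python
"""Correlate a Windows `netstat -ano` snapshot with the defanged IOC list from the post.

Added example, not code from the original post or from Muse Hub. The netstat
lines below are constructed to mirror `netstat -ano` output; they are not a
real capture. PID 4212 stands in for Muse.Service.exe, PID 1337 for an
unrelated process.
"""
import ipaddress
import re
from dataclasses import dataclass

TORRENT_PORT = 6881  # default BitTorrent listening port (6881-6889 range)

# The post's IOC list, defanged exactly as posted (square brackets around the last dot).
DEFANGED_IOCS = [
    "91.177.173[.]10", "89.144.195[.]59", "87.236.176[.]237", "86.180.95[.]19",
    "85.206.163[.]148", "84.247.50[.]180", "68.183.53[.]77", "45.134.140[.]159",
    "206.189.7[.]178", "190.120.254[.]14", "188.166.26[.]88", "185.51.134[.]195",
    "185.209.196[.]174", "167.94.138[.]51", "163.125.234[.]218", "157.245.216[.]203",
    "143.244.42[.]103", "138.199.60[.]166", "138.199.21[.]245", "104.248.204[.]195",
    "104.248.203[.]191", "103.176.79[.]0",
]

# Constructed sample in the layout of `netstat -ano` (Proto, Local, Foreign, State, PID).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.23:6881      91.177.173.10:52113    ESTABLISHED     4212
  TCP    192.168.1.23:51240     89.144.195.59:6881     SYN_SENT        4212
  TCP    192.168.1.23:51241     86.180.95.19:6881      ESTABLISHED     4212
  TCP    192.168.1.23:6881      10.0.0.5:60000         ESTABLISHED     4212
  TCP    192.168.1.23:52000     142.250.74.78:443      ESTABLISHED     1337
  UDP    0.0.0.0:6881           *:*                                    4212
"""

NETSTAT_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+)\s+(?P<raddr>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


def refang(ioc: str) -> str:
    """Undo '[.]' / '(.)' defanging and validate the result as an IPv4 literal.

    Raises ValueError for anything that is not a dotted quad, so a typo in an
    IOC list fails loudly instead of silently never matching.
    """
    plain = ioc.replace("[.]", ".").replace("(.)", ".")
    return str(ipaddress.IPv4Address(plain))


def split_endpoint(endpoint: str):
    """'1.2.3.4:6881' -> ('1.2.3.4', 6881); the UDP wildcard '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


@dataclass(frozen=True)
class Finding:
    pid: int
    proto: str
    remote_ip: str
    direction: str  # "inbound", "outbound" or "listening"
    known_ioc: bool


def find_torrent_sockets(netstat_text: str, defanged_iocs):
    """Return every socket touching TORRENT_PORT, with its direction and IOC status."""
    iocs = {refang(i) for i in defanged_iocs}
    findings = []
    for line in netstat_text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # header, blank and malformed lines
        _, lport = split_endpoint(m["laddr"])
        rhost, rport = split_endpoint(m["raddr"])
        if TORRENT_PORT not in (lport, rport):
            continue
        if rhost == "*":
            direction = "listening"  # open listener, no peer on the other end yet
        elif lport == TORRENT_PORT:
            direction = "inbound"    # a peer reached our listening port
        else:
            direction = "outbound"   # we reached the peer's port 6881
        findings.append(Finding(int(m["pid"]), m["proto"], rhost, direction, rhost in iocs))
    return findings


def summarize(findings, pid: int) -> dict:
    """Answer the checklist question for one PID: still talking on 6881, and to whom?"""
    mine = [f for f in findings if f.pid == pid]
    return {
        "inbound": sum(f.direction == "inbound" for f in mine),
        "outbound": sum(f.direction == "outbound" for f in mine),
        "listening": sum(f.direction == "listening" for f in mine),
        "flagged_peers": sorted({f.remote_ip for f in mine if f.known_ioc}),
    }


if __name__ == "__main__":
    results = find_torrent_sockets(SAMPLE_NETSTAT, DEFANGED_IOCS)
    for f in results:
        flag = "KNOWN IOC" if f.known_ioc else "not in list"
        print(f"pid={f.pid} {f.proto} {f.direction:<9} {f.remote_ip:<16} {flag}")
    print(summarize(results, 4212))
```

To use it on a real machine, save the output of netstat -ano to a file, pass its contents to find_torrent_sockets, and map the PID in the summary back to a process name with tasklist /FI "PID eq 4212". A listener or inbound entries after Community Acceleration has been turned off and the machine rebooted are exactly what the bug-report step above is for.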

Source of Activity:
• Filename: Muse.Service.exe
• File Path: C:\Program Files\WindowsApps\Muse.MuseHub_1.0.1.693_x64__rb9pth70m6nz6\
• SHA256: 5571B8598DD0AE9B1DBAD1708025E3B75C34E49D66E57B2DD01B616ECFE456DE
• VT Link: https://www.virustotal.com/gui/file/5571b8598dd0ae9b1dbad1708025e3b75c3…

91.177.173[.]10:
• Country: Belgium
• Port: 6881
• Categories: Trojan
• Direction: Inbound
• VT Link: https://www.virustotal.com/gui/ip-address/91.177.173.10
• AbuseIPDB Link: https://www.abuseipdb.com/check/91.177.173.10
• Spur Link: https://spur.us/context/91.177.173.10

89.144.195[.]59:
• Country: Austria
• Port: 6881
• Categories: Compromised, Malware
• Direction: Inbound, Outbound
• VT Link: https://www.virustotal.com/gui/ip-address/89.144.195.59
• AbuseIPDB Link: https://www.abuseipdb.com/check/89.144.195.59
• Spur Link: https://spur.us/context/89.144.195.59

87.236.176[.]237:
• Country: England
• Port: 6881
• Categories: Compromised
• Direction: Inbound
• VT Link: https://www.virustotal.com/gui/ip-address/87.236.176.237
• AbuseIPDB Link: https://www.abuseipdb.com/check/87.236.176.237
• Spur Link: https://spur.us/context/87.236.176.237

86.180.95[.]19:
• Country: England
• Port: 6881
• Categories: Compromised, Malware
• Direction: Outbound
• VT Link: https://www.virustotal.com/gui/ip-address/86.180.95.19
• AbuseIPDB Link: https://www.abuseipdb.com/check/86.180.95.19
• Spur Link: https://spur.us/context/86.180.95.19

85.206.163[.]148:
• Country: Lithuania
• Port: 6881
• Categories: Compromised
• Direction: Inbound
• VT Link: https://www.virustotal.com/gui/ip-address/85.206.163.148
• AbuseIPDB Link: https://www.abuseipdb.com/check/85.206.163.148
• Spur Link: https://spur.us/context/85.206.163.148

84.247.50[.]180:
• Country: Norway
• Port: 6881
• Categories: Compromised, Malware
• Direction: Outbound
• VT Link: https://www.virustotal.com/gui/ip-address/84.247.50.180
• AbuseIPDB Link: https://www.abuseipdb.com/check/84.247.50.180
• Spur Link: https://spur.us/context/84.247.50.180

68.183.53[.]77:
• Country: United States
• Port: 6881
• Categories: Compromised
• Direction: Inbound
• VT Link: https://www.virustotal.com/gui/ip-address/68.183.53.77
• AbuseIPDB Link: https://www.abuseipdb.com/check/68.183.53.77
• Spur Link: https://spur.us/context/68.183.53.77

45.134.140[.]159:
• Country: United States
• Port: 6881
• Categories: Trojan
• Direction: Outbound
• VT Link: https://www.virustotal.com/gui/ip-address/45.134.140.159
• AbuseIPDB Link: https://www.abuseipdb.com/check/45.134.140.159
• Spur Link: https://spur.us/context/45.134.140.159

206.189.7[.]178:
• Country: Netherlands
• Port: 6881
• Categories: Compromised
• Direction: Inbound
• VT Link: https://www.virustotal.com/gui/ip-address/206.189.7.178
• AbuseIPDB Link: https://www.abuseipdb.com/check/206.189.7.178
• Spur Link: https://spur.us/context/206.189.7.178

190.120.254[.]14:
• Country: Venezuela
• Port: 6881
• Categories: Compromised, Malware
• Direction: Outbound
• VT Link: https://www.virustotal.com/gui/ip-address/190.120.254.14
• AbuseIPDB Link: https://www.abuseipdb.com/check/190.120.254.14
• Spur Link: https://spur.us/context/190.120.254.14

188.166.26[.]88:
• Country: Netherlands
• Port: 6881
• Categories: Compromised
• Direction: Inbound
• VT Link: https://www.virustotal.com/gui/ip-address/188.166.26.88
• AbuseIPDB Link: https://www.abuseipdb.com/check/188.166.26.88
• Spur Link: https://spur.us/context/188.166.26.88

185.51.134[.]195:
• Country: Greece
• Port: 6881
• Categories: Compromised, Malware
• Direction: Outbound
• VT Link: https://www.virustotal.com/gui/ip-address/185.51.134.195
• AbuseIPDB Link: https://www.abuseipdb.com/check/185.51.134.195
• Spur Link: https://spur.us/context/185.51.134.195

185.209.196[.]174:
• Country: Germany
• Port: 6881
• Categories: Compromised, Malware
• Direction: Inbound, Outbound
• VT Link: https://www.virustotal.com/gui/ip-address/185.209.196.174
• AbuseIPDB Link: https://www.abuseipdb.com/check/185.209.196.174
• Spur Link: https://spur.us/context/185.209.196.174

167.94.138[.]51:
• Country: United States
• Port: 6881
• Categories: Compromised
• Direction: Inbound
• VT Link: https://www.virustotal.com/gui/ip-address/167.94.138.51
• AbuseIPDB Link: https://www.abuseipdb.com/check/167.94.138.51
• Spur Link: https://spur.us/context/167.94.138.51

163.125.234[.]218:
• Country: China
• Port: 6881
• Categories: Trojan
• Direction: Inbound
• VT Link: https://www.virustotal.com/gui/ip-address/163.125.234.218
• AbuseIPDB Link: https://www.abuseipdb.com/check/163.125.234.218
• Spur Link: https://spur.us/context/163.125.234.218

157.245.216[.]203:
• Country: United States
• Port: 6881
• Categories: Compromised
• Direction: Inbound
• VT Link: https://www.virustotal.com/gui/ip-address/157.245.216.203
• AbuseIPDB Link: https://www.abuseipdb.com/check/157.245.216.203
• Spur Link: https://spur.us/context/157.245.216.203

143.244.42[.]103:
• Country: Netherlands
• Port: 6881
• Categories: Compromised
• Direction: Outbound
• VT Link: https://www.virustotal.com/gui/ip-address/143.244.42.103
• AbuseIPDB Link: https://www.abuseipdb.com/check/143.244.42.103
• Spur Link: https://spur.us/context/143.244.42.103

138.199.60[.]166:
• Country: Singapore
• Port: 6881
• Categories: Compromised
• Direction: Inbound
• VT Link: https://www.virustotal.com/gui/ip-address/138.199.60.166
• AbuseIPDB Link: https://www.abuseipdb.com/check/138.199.60.166
• Spur Link: https://spur.us/context/138.199.60.166

138.199.21[.]245:
• Country: Japan
• Port: 6881
• Categories: Compromised, Malware
• Direction: Outbound
• VT Link: https://www.virustotal.com/gui/ip-address/138.199.21.245
• AbuseIPDB Link: https://www.abuseipdb.com/check/138.199.21.245
• Spur Link: https://spur.us/context/138.199.21.245

104.248.204[.]195:
• Country: Netherlands
• Port: 6881
• Categories: Compromised
• Direction: Inbound
• VT Link: https://www.virustotal.com/gui/ip-address/104.248.204.195
• AbuseIPDB Link: https://www.abuseipdb.com/check/104.248.204.195
• Spur Link: https://spur.us/context/104.248.204.195

104.248.203[.]191:
• Country: Netherlands
• Port: 6881
• Categories: Compromised
• Direction: Inbound
• VT Link: https://www.virustotal.com/gui/ip-address/104.248.203.191
• AbuseIPDB Link: https://www.abuseipdb.com/check/104.248.203.191
• Spur Link: https://spur.us/context/104.248.203.191

103.176.79[.]0:
• Country: Indonesia
• Port: 6881
• Categories: Compromised
• Direction: Outbound
• VT Link: https://www.virustotal.com/gui/ip-address/103.176.79.0
• AbuseIPDB Link: https://www.abuseipdb.com/check/103.176.79.0
• Spur Link: https://spur.us/context/103.176.79.0
