Sunday, September 15, 2024
HomeCryptocurrency hackLog4j Vulnerability Exploited Again To Deploy Crypto-Mining Malware

Log4j Vulnerability Exploited Again To Deploy Crypto-Mining Malware

Published on

Recent attacks exploit the Log4j vulnerability (Log4Shell) by sending obfuscated LDAP requests to trigger malicious script execution, which establishes persistence, gathers system information, and exfiltrates data. 

To maintain control, multiple backdoors and encrypted communication channels are established, while the attack’s persistence and ability to evade detection highlight the ongoing threat posed by the Log4j vulnerability.

Log4Shell, a critical vulnerability in the Apache Log4j library, was discovered in November 2021, with a CVSS score of 10, allowed attackers to execute arbitrary code remotely. 

- Advertisement - EHA
Request details

Due to Log4j’s widespread use, it became a prime target for exploitation. Various threat actors, including nation-state groups and cybercriminals, quickly capitalized on this vulnerability. 

Groups like APT41 and Conti incorporated Log4Shell exploits into their operations, demonstrating its significant impact on global cybersecurity.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN -14-day free trial

On July 30, 2024, a Confluence honeypot detected a Log4Shell exploitation attempt from a known Tor exit node, 185.220.101 [34], marking the beginning of a new, opportunistic campaign. 

Upon further investigation, it was revealed that the attackers were leveraging the Log4Shell vulnerability to deploy XMRig, a cryptocurrency mining software, onto compromised systems, which highlights the ongoing threat posed by opportunistic threat actors who exploit vulnerabilities to carry out malicious activities.

Attack flow

An attacker exploited a Log4j vulnerability using a cleverly obfuscated payload containing an LDAP URL, which triggered the vulnerable Java application to retrieve and execute a malicious Java class from a remote server. 

The class downloaded a secondary script (“lte”) from another server and then executed it with root privileges. While its purpose is currently unknown, its ability to run arbitrary commands suggests potential for further malicious activity. 

The malicious Java class downloads an obfuscated Bash script from a remote server, which performs system reconnaissance, downloads and configures a cryptocurrency miner, establishes persistence using systemd or cron jobs, and sets up reverse shells for remote control. 

malicious script

It gathers comprehensive system information, including CPU details, OS version, user data, network connections, group memberships, running processes, and system uptime. 

This data is then transmitted to a remote server via an HTTP POST request.

To evade detection, the script self-destructs and clears its tracks by overwriting the bash history file and erasing the current shell’s command history.

An investigation by DataDog into potential Log4Shell exploitation revealed several indicators of compromise (IOCs).

A suspicious IP address, 185.220.101.34, along with domain names superr.buzz, cmpnst.info, nfdo.shop, and rirosh.shop, were identified. 

Additionally, suspicious file paths were found on the system, including /tmp/lte, potentially used for temporary storage, and potential attempts to execute commands through /bin/rcd, /bin/componist, and /bin/nfdo, which suggest a possible attempt to exploit the Log4Shell vulnerability to gain unauthorized access to the system. 

Protect Your Business with Cynet Managed All-in-One Cybersecurity Platform – Try Free Trial

Kaaviya
Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.

Latest articles

Kali Linux 2024.3 Released With New Hacking Tools

Kali Linux 2024.3, the most recent iteration of Offensive Security's highly regarded Debian-based distribution...

Hacker Tricks ChatGPT to Get Details for Making Homemade Bombs

A hacker known as Amadon has reportedly managed to bypass the safety protocols of...

Citrix Workspace App Vulnerable to Privilege Escalation Attacks

Citrix released a security bulletin (CTX691485) detailing two critical vulnerabilities in the Citrix Workspace...

Beware Of Weaponized Excel Document That Delivers Fileless Remcos RAT

A recent advanced malware campaign leverages a phishing attack to deliver a seemingly benign...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Beware Of Weaponized Excel Document That Delivers Fileless Remcos RAT

A recent advanced malware campaign leverages a phishing attack to deliver a seemingly benign...

CosmicBeetle Exploiting Old Vulnerabilities To Attacks SMBs All Over The World

CosmicBeetle, a threat actor specializing in ransomware, has recently replaced its old ransomware, Scarab,...

Researchers Hacked Car EV Chargers To Execute Arbitrary Code

Researchers discovered flaws in the Autel MaxiCharger EV charger that make it potential to...