Log4j Vulnerability Exploited Again To Deploy Crypto-Mining Malware

Recent attacks exploit the Log4j vulnerability (Log4Shell) by sending obfuscated LDAP requests to trigger malicious script execution, which establishes persistence, gathers system information, and exfiltrates data. 

To maintain control, multiple backdoors and encrypted communication channels are established, while the attack’s persistence and ability to evade detection highlight the ongoing threat posed by the Log4j vulnerability.

Log4Shell, a critical vulnerability in the Apache Log4j library, was discovered in November 2021, with a CVSS score of 10, allowed attackers to execute arbitrary code remotely. 

Due to Log4j’s widespread use, it became a prime target for exploitation. Various threat actors, including nation-state groups and cybercriminals, quickly capitalized on this vulnerability. 

Groups like APT41 and Conti incorporated Log4Shell exploits into their operations, demonstrating its significant impact on global cybersecurity.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN -14-day free trial

On July 30, 2024, a Confluence honeypot detected a Log4Shell exploitation attempt from a known Tor exit node, 185.220.101 [34], marking the beginning of a new, opportunistic campaign. 

Upon further investigation, it was revealed that the attackers were leveraging the Log4Shell vulnerability to deploy XMRig, a cryptocurrency mining software, onto compromised systems, which highlights the ongoing threat posed by opportunistic threat actors who exploit vulnerabilities to carry out malicious activities.

An attacker exploited a Log4j vulnerability using a cleverly obfuscated payload containing an LDAP URL, which triggered the vulnerable Java application to retrieve and execute a malicious Java class from a remote server. 

The class downloaded a secondary script (“lte”) from another server and then executed it with root privileges. While its purpose is currently unknown, its ability to run arbitrary commands suggests potential for further malicious activity. 

The malicious Java class downloads an obfuscated Bash script from a remote server, which performs system reconnaissance, downloads and configures a cryptocurrency miner, establishes persistence using systemd or cron jobs, and sets up reverse shells for remote control. 

It gathers comprehensive system information, including CPU details, OS version, user data, network connections, group memberships, running processes, and system uptime. 

This data is then transmitted to a remote server via an HTTP POST request.

To evade detection, the script self-destructs and clears its tracks by overwriting the bash history file and erasing the current shell’s command history.

An investigation by DataDog into potential Log4Shell exploitation revealed several indicators of compromise (IOCs).

A suspicious IP address, 185.220.101.34, along with domain names superr.buzz, cmpnst.info, nfdo.shop, and rirosh.shop, were identified. 

Additionally, suspicious file paths were found on the system, including /tmp/lte, potentially used for temporary storage, and potential attempts to execute commands through /bin/rcd, /bin/componist, and /bin/nfdo, which suggest a possible attempt to exploit the Log4Shell vulnerability to gain unauthorized access to the system. 

Protect Your Business with Cynet Managed All-in-One Cybersecurity Platform – Try Free Trial