Tuesday, November 12, 2024
HomeCryptocurrency hackLog4j Vulnerability Exploited Again To Deploy Crypto-Mining Malware

Log4j Vulnerability Exploited Again To Deploy Crypto-Mining Malware

Published on

Malware protection

Recent attacks exploit the Log4j vulnerability (Log4Shell) by sending obfuscated LDAP requests to trigger malicious script execution, which establishes persistence, gathers system information, and exfiltrates data. 

To maintain control, multiple backdoors and encrypted communication channels are established, while the attack’s persistence and ability to evade detection highlight the ongoing threat posed by the Log4j vulnerability.

Log4Shell, a critical vulnerability in the Apache Log4j library, was discovered in November 2021, with a CVSS score of 10, allowed attackers to execute arbitrary code remotely. 

- Advertisement - SIEM as a Service
Request details

Due to Log4j’s widespread use, it became a prime target for exploitation. Various threat actors, including nation-state groups and cybercriminals, quickly capitalized on this vulnerability. 

Groups like APT41 and Conti incorporated Log4Shell exploits into their operations, demonstrating its significant impact on global cybersecurity.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN -14-day free trial

On July 30, 2024, a Confluence honeypot detected a Log4Shell exploitation attempt from a known Tor exit node, 185.220.101 [34], marking the beginning of a new, opportunistic campaign. 

Upon further investigation, it was revealed that the attackers were leveraging the Log4Shell vulnerability to deploy XMRig, a cryptocurrency mining software, onto compromised systems, which highlights the ongoing threat posed by opportunistic threat actors who exploit vulnerabilities to carry out malicious activities.

Attack flow

An attacker exploited a Log4j vulnerability using a cleverly obfuscated payload containing an LDAP URL, which triggered the vulnerable Java application to retrieve and execute a malicious Java class from a remote server. 

The class downloaded a secondary script (“lte”) from another server and then executed it with root privileges. While its purpose is currently unknown, its ability to run arbitrary commands suggests potential for further malicious activity. 

The malicious Java class downloads an obfuscated Bash script from a remote server, which performs system reconnaissance, downloads and configures a cryptocurrency miner, establishes persistence using systemd or cron jobs, and sets up reverse shells for remote control. 

malicious script

It gathers comprehensive system information, including CPU details, OS version, user data, network connections, group memberships, running processes, and system uptime. 

This data is then transmitted to a remote server via an HTTP POST request.

To evade detection, the script self-destructs and clears its tracks by overwriting the bash history file and erasing the current shell’s command history.

An investigation by DataDog into potential Log4Shell exploitation revealed several indicators of compromise (IOCs).

A suspicious IP address, 185.220.101.34, along with domain names superr.buzz, cmpnst.info, nfdo.shop, and rirosh.shop, were identified. 

Additionally, suspicious file paths were found on the system, including /tmp/lte, potentially used for temporary storage, and potential attempts to execute commands through /bin/rcd, /bin/componist, and /bin/nfdo, which suggest a possible attempt to exploit the Log4Shell vulnerability to gain unauthorized access to the system. 

Protect Your Business with Cynet Managed All-in-One Cybersecurity Platform – Try Free Trial

Kaaviya
Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

CISA Warns of Critical Palo Alto Networks Vulnerability Exploited in Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns organizations of a critical vulnerability...

Cisco Desk Phone Series Vulnerability Lets Remote Attacker Access Sensitive Information

A significant vulnerability (CVE-2024-20445) has been discovered in Cisco Desk Phone 9800 Series, IP...