Ransomware, Trojans, DDoS Malware and Crypto-Miners Delivered in Log4Shell Attacks

Every single day, hundreds of thousands of internet users are victims of some form of cyberattack. The number of hackers is daily growing and so are their strategies. The different forms of malware are constantly evolving. This forces users to be on guard against any lurking attacks. 

In recent times, there has been a wide range of attacks delivered. One such attack would be the ones meant to target and exploit a Log4j vulnerability. It was openly disclosed recently, that the malware Log4Shell and also LogJam are among some of the malware targeting vulnerabilities in Log4j.

There has been an increase in cybersecurity reports from several companies. Many cryptocurrency miners have been susceptible to attacks and some threats were intercepted. However, these threats have taken advantage of some of these vulnerabilities. The vulnerability was tracked by the formal name, CVE-2021-44228. It mainly implants malware onto a device such as; Trojans, ransomware, and other malicious malware.

Many cryptocurrency miners made certain observations about Log 4Shell and how it generally attacks systems. The attacks vary from well-known malware such as Kinsing and XMRig to less common ones and even some that are completely unidentified.

There are many ways hackers have leveraged the Log4Shell vulnerability. They can use botnets which is a network of robots. This network of computers works together to carry out malicious activity, often without the owners’ knowledge or consent. Botnets leveraged against Log4Shell, often specialize in DDoS (distributed denial of service) attacks. It ultimately disrupts communications, operations, and service provision. Some botnet DDoS attacks include Mirai and Elknot.

The majority of these attacks target Linux systems. However, their activities are not limited to just this system. Other attempts have been noted and made. For example, Bitdefender noticed and reported attempts made on a Windows system. The implantation was for new ransomware that uses file encryption. It is called Khonsari. The same company also noticed that there were some attempts, to download a Trojan. The Trojan in question is Orcus which is a remote access Trojan (RAT). 

Other hackers also exploited CVE-2021-44228 using it to implant a reverse shell also known as a bash reverse shell. These are used to gain access to a device, often without the owners’ consent or knowledge. Like a back door Ultimately, they are used for all sorts of malicious activities through remote commands that are issued later on.

 Many other companies have noticed and reported different attacks. For instance, Microsoft observed that there were attempts to install payloads from Cobalt Strike. These could ultimately be used for malicious intent such as data theft. Another company, Cisco, also issued reports of ATP actors taking advantage of the vulnerability. However, it did not provide further information.

Multiple IP addresses scan the internet frequently looking for any vulnerabilities. Since many research companies and cybersecurity firms conduct these scans regularly, they are probably the ones that can detect some of the vulnerabilities as well as the latest cyberattacks.

CVE-2021-44228 is fairly new. It was brought public disclosure on December 6th, however, the exploitation is believed to have begun days before the disclosure. The vulnerability was reported to the developers of Log4j.

After the disclosure, there was mass exploitation. This is believed to be due to the proof-of-concept (PoC) being weaponized which in turn escalated matters. When the mass exploitation was noted on December 9th, there was a surge in variations and emerging exploits. Checkpoint reported over 60 variations.

Apache Log4j has users in the hundreds of thousands or even millions. It has a wide range of uses. It is a popular tool among many companies globally. It can be used via an open-source library or by direct embedding onto their software. 

Log4Shell is a vulnerability that can be easily exploited. Using remote coding for execution can send special requests that target the system.

These requests produce a log which in turn leverages the lookup feature JNDI (java naming and directory interface). This submits a request to a server, usually controlled by the attacker. This is where it gets all its malicious data, finally executing it.