April 2, 2023

Researchers reported that their Anglerfish and Apacket honeypots were already hit by attacks attempting to trigger the Log4Shell flaw in the Log4j library. The attempts were carried out by Muhstik and Mirai botnets in attacks aimed at Linux devices.

Advertisements

The Mirai variant behind the attacks spotted by NetLab 360 includes the following changes compared to the initial code:

  • table_init/table_lock_val/table_unlock_val and other mirai-specific configuration management functions have been removed.
  • The attack_init function is also discarded, and the ddos attack function is called directly by the command processing function.
  • The attackers used a uy top-level domain for the C2 infrastructure, which is uncommon.

The Muhstik variant used in the attacks includes a backdoor module, ldm, which adds an SSH backdoor public key to allow remote connections to the server.

After the public key is added to the ~/.ssh/authorized_keys file, the attacker can directly log into the remote server without password authentication. Experts pointed out that Muhstik uses the TOR network for its reporting mechanism.

Before accessing the TOR network, Muhstik queries relay.l33t-ppl.inf through some publicly available DoH services. During this process, a number of DNS requests are generated.

Experts could check for connections to a list of DoH service providers to determine possible infections in case they do not use DoH on their network. The analysis of the ELF sample revealed that it supports DDoS and backdoor commands.

Advertisements
Advertisements

It’s just a start, many threat Actors will start poundering with the attacks.

IOC:

Mirai

C2:nazi.uy

URL:http://62.210.130.250/lh.sh http://62.210.130.250:80/web/admin/x86_64 http://62.210.130.250:80/web/admin/x86 http://62.210.130.250:80/web/admin/x86_g

Muhstik

C2:log.exposedbotnets.ru

URL:http://45.130.229.168:9999/Exploit.class http://18.228.7.109/.log/log http://18.228.7.109/.log/pty1; http://18.228.7.109/.log/pty2; http://18.228.7.109/.log/pty3; http://18.228.7.109/.log/pty4; http://18.228.7.109/.log/pty5; http://210.141.105.67:80/wp-content/themes/twentythirteen/m8 http://159.89.182.117/wp-content/themes/twentyseventeen/ldm

Tags:

1 thought on “Log4j Exploited Officialy !

  1. Pingback: Biggies Responds to Log4j Nightmare – TheCyberThrone

Leave a Reply

You may have missed

TheCyberThrone Security Week In Review –April 1st, 2023

TheCyberThrone Security Week In Review –April 1st, 2023

April 2, 2023
TheCyberThrone CyberSecurity Newsletter Top 5 Articles – March 2023

TheCyberThrone CyberSecurity Newsletter Top 5 Articles – March 2023

April 2, 2023
IBM Aspera Vulnerability Exploited to install Ransomware

IBM Aspera Vulnerability Exploited to install Ransomware

April 1, 2023
Italy temporarily bans ChatGPT

Italy temporarily bans ChatGPT

April 1, 2023
Cylance Ransomware Dissection

Cylance Ransomware Dissection

April 1, 2023
WordPress Elementor Pro Plugin Vulnerability

WordPress Elementor Pro Plugin Vulnerability

April 1, 2023
%d bloggers like this: