Researchers reported that their Anglerfish and Apacket honeypots were already hit by attacks attempting to trigger the Log4Shell flaw in the Log4j library. The attempts were carried out by Muhstik and Mirai botnets in attacks aimed at Linux devices.
The Mirai variant behind the attacks spotted by NetLab 360 includes the following changes compared to the initial code:
- table_init/table_lock_val/table_unlock_val and other mirai-specific configuration management functions have been removed.
- The attack_init function is also discarded, and the ddos attack function is called directly by the command processing function.
- The attackers used a uy top-level domain for the C2 infrastructure, which is uncommon.
The Muhstik variant used in the attacks includes a backdoor module, ldm, which adds an SSH backdoor public key to allow remote connections to the server.
After the public key is added to the ~/.ssh/authorized_keys file, the attacker can directly log into the remote server without password authentication. Experts pointed out that Muhstik uses the TOR network for its reporting mechanism.
Before accessing the TOR network, Muhstik queries relay.l33t-ppl.inf through some publicly available DoH services. During this process, a number of DNS requests are generated.
Experts could check for connections to a list of DoH service providers to determine possible infections in case they do not use DoH on their network. The analysis of the ELF sample revealed that it supports DDoS and backdoor commands.
It’s just a start, many threat Actors will start poundering with the attacks.
http://188.8.131.52:9999/Exploit.class http://184.108.40.206/.log/log http://220.127.116.11/.log/pty1; http://18.104.22.168/.log/pty2; http://22.214.171.124/.log/pty3; http://126.96.36.199/.log/pty4; http://188.8.131.52/.log/pty5; http://184.108.40.206:80/wp-content/themes/twentythirteen/m8 http://220.127.116.11/wp-content/themes/twentyseventeen/ldm