June 2, 2023

Romanian cybersecurity technology company Bitdefender revealed that attempts are being made to target Windows machines with a new ransomware family called Khonsari, as well as a remote access trojan called Orcus by exploiting the recently revealed critical Log4j vulnerability.

The attack takes advantage of the remote code execution flaw to download an additional payload, a .NET binary, from a remote server that encrypts all files with the “.khonsari” extension and displays a ransom note containing the urges victims to make Bitcoin payment in exchange for recovering access to the files.


The vulnerability is tracked as CVE-2021-44228 and is also known by the nicknames “Log4Shell” or “Logjam”. An attacker could exploit this vulnerability by submitting a specially crafted request to a vulnerable system that could cause that system to execute arbitrary code,the request allows the attacker to take full control of the system. The attacker can then steal information, launch ransomware, or perform other malicious activities.

CISA has also added the Log4j vulnerability to its catalog of known exploited vulnerabilities, giving federal agencies a December 24 deadline to include patches for the flaw. Similar advice has previously been issued by government agencies in Austria, Canada, New Zealand and the UK

Till now the active exploitative attempts recorded in the wild have led to abuse of the flaw to bind the devices into a botnet and drop additional payloads such as Cobalt Strike and cryptocurrency miners. As a sign that the threat is evolving rapidly, researchers warned that 60 new variants of the original Log4j exploit were introduced in less than 24 hours. groups.


A vast majority of the exploitative attempts against Log4Shell originated in Russia (4,275), based on telemetry data from Kaspersky, followed by Brazil (2,493), the US (1,746), Germany (1,336), Mexico (1,177), Italy (1,094). ), France (1.008) and Iran (976). In comparison, only 351 attempts were made from China.

Leave a Reply

%d bloggers like this: