Log4j Campaign Exploited to Deploy XMRig Cryptominer

The Uptycs Threat Research Team has uncovered a large-scale, ongoing operation within the notorious Log4j campaign. Initially detected within their honeypot collection, the team promptly initiated an in-depth analysis to unravel the complexities of this dynamic campaign.

The campaign is active, with over 1700+ dedicated IPs implicated in its operations. The ultimate objective of the campaign is to deploy XMRig cryptominer malware onto targeted systems, exploiting the CVE-2021-44228 vulnerability in Apache Log4j 2, a Remote Code Execution (RCE) vulnerability discovered in December 2021.

FoFA Query

The infection sequence is intricate, initiating with a meticulously crafted HTTP request by an attacker to a system employing Log4j. Log4j then generates a log entry incorporating the exploit string within the HTTP user-agent header. This exploit string triggers Log4j to initiate a network request to an attacker-controlled server (e.g., LDAP or HTTP servers) using the JNDI plugin.

The JNDI plugin is particularly advantageous for attackers as it allows them to fetch environment variables from the target system and define the URL and protocol resource for the JNDI network connection. By submitting a specially crafted request to a vulnerable system, attackers can leverage the system’s configuration variability to command its retrieval and execution of their malicious payload.

The primary objectives for exploiting this vulnerability include:

• Attaining access to the vulnerable server
• Deploying malware
• Extracting data

Various threat actors such as Lazarus, APT28, APT35, and DEV-0401 have exploited these vulnerabilities, deploying numerous malware strains. In Windows environments, they have targeted systems with malware like NineRAT, DLRAT, and BottomLoader. Similarly, in Linux environments, malware such as Kinsing, NightSky, Lockbit, Coinminer, Mirai, Tsunami, Mushtik botnet, and more have been deployed.

The Uptycs Team identified four distinct sets of Command-and-Control (C2) servers, each tasked with managing activities and establishing communication with compromised IPs to facilitate the distribution of XMRig cryptominers. An analysis of one of the C2 servers revealed the following:

• First set of C2 IPs: 139[.]99[.]171[.]1 and 146[.]59[.]16[.]84, both using port number 3306 for attacks.
• Base64 code: Decoding the Base64 code showed that once a victim machine is compromised, it initiates contact with a URL to fetch a shell script for deploying the XMRig miner, or alternatively, disseminates Mirai or Gafgyt malware.

The geographical distribution of affected countries was mapped, with China being the most impacted, followed by Hong Kong, the Netherlands, Japan, the United States, Germany, South Africa, and Sweden.