Two Linux botnets already exploit Log4Shell flaw in Log4j

Immediately after the disclosure of the Log4Shell flaw in Log4j library threat actors started including the exploit code in Linux botnets.

Researchers at NetLab 360 reported that their Anglerfish and Apacket honeypots were already hit by attacks attempting to trigger the Log4Shell flaw in the Log4j library. The attempts were carried out by Muhstik and Mirai botnets in attacks aimed at Linux devices.

The Mirai variant behind the attacks spotted by NetLab 360 includes the following changes compared to the initial code:

table_init/table_lock_val/table_unlock_val and other mirai-specific configuration management functions have been removed.
The attack_init function is also discarded, and the ddos attack function is called directly by the command processing function.

The attackers used a uy top-level domain for the C2 infrastructure, which is uncommon.

The Muhstik variant used in the attacks includes a backdoor module, ldm, which adds an SSH backdoor public key to allow remote connections to the server.

After the public key is added to the ~/.ssh/authorized_keys file, the attacker can directly log into the remote server without password authentication.

Experts pointed out that Muhstik uses the TOR network for its reporting mechanism.

“Before accessing the TOR network, Muhstik queries relay.l33t-ppl.inf through some publicly available DoH services. During this process, a number of DNS requests are generated.” reads the post published by NetLab 360.

Experts could check for connections to a list of DoH service providers to determine possible infections in case they do not use DoH on their network.

The analysis of the ELF sample revealed that it supports DDoS and backdoor commands.

“Considering the huge impact of the Log4j vulnerability, we expect more botnets to support it to spread. We will keep an eye on this and will share new observations here.” concludes Netlab 360.

The report also includes IOCs for these attacks.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Log4Shell)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.