threat actors started including the exploit code in Linux botnets of Log4Shell
Researchers at NetLab 360 reported that their Anglerfish and Apacket honeypots were already hit by attacks attempting to trigger the Log4Shell flaw in the Log4j library. The attempts were carried out by Muhstik and Mirai botnets in attacks aimed at Linux devices.
The Mirai variant behind the attacks spotted by NetLab 360 includes the following changes compared to the initial code:
table_init/table_lock_val/table_unlock_val and other mirai-specific configuration management functions have been removed.The attack_init function is also discarded, and the ddos attack function is called directly by the command processing function.The attackers used a uy top-level domain for the C2 infrastructure, which is uncommon.
The Muhstik variant used in the attacks includes a backdoor module, ldm, which adds an SSH backdoor public key to allow remote connections to the server.
After the public key is added to the ~/.ssh/authorized_keys file, the attacker can directly log into the remote server without password authentication.
Experts pointed out that Muhstik uses the TOR network for its reporting mechanism.“Before accessing the TOR network, Muhstik queries relay.l33t-ppl.inf through some publicly available DoH services. During this process, a number of DNS requests are generated.” reads the post published by NetLab 360.
Experts could check for connections to a list of DoH service providers to determine possible infections in case they do not use DoH on their network.The analysis of the ELF sample revealed that it supports DDoS and backdoor commands.
“Considering the huge impact of the Log4j vulnerability, we expect more botnets to support it to spread. We will keep an eye on this and will share new observations here.” concludes Netlab 360.
The report also includes IOCs for these attacks.
The post Two Linux botnets already exploit Log4Shell flaw in Log4j appeared first on Security Affairs.