Wednesday, October 16, 2024

A new Linux botnet exploits Log4J and communicates via DNS tunnelling

Log4Shell has kept security practitioners on their toes since the end of last year, when the vulnerability first drew public attention.

A newly found botnet, still under active development, specifically targets Linux machines. It seeks to turn them into an army of bots capable of stealing sensitive information, installing rootkits, establishing reverse shells, and acting as web traffic proxies.

Discovery of the malware

The malware was discovered by researchers at Qihoo 360’s Network Security Research Lab, also known as 360 Netlab, on February 9, when one of their honeypot systems caught the first sample. The researchers named it B1txor20.

The name is derived from the file name ‘b1t’ used in its propagation, the XOR encoding algorithm, and the 20-byte RC4 key. B1txor20 mainly targets Linux devices on ARM and x64 CPU architectures.

To infect new systems, the botnet relies on attacks that exploit the Log4J vulnerability. Since many companies still run vulnerable versions of the Apache Log4j logging framework, it is a very enticing attack vector.

The researchers discovered four malware samples, which exhibited backdoor, data theft, arbitrary command execution and SOCKS5 proxy functionality, as well as malware downloading and rootkit installation. After successfully infecting a machine, the malware uses a DNS tunnel to receive and execute commands from the server.

There are 15 commands in total. Among the most important are uploading system information, reading and writing files, running arbitrary system commands, starting and stopping proxy services, and spawning reverse shells.

DNS tunnelling

The malware uses a technique known as DNS tunnelling to establish communication channels with its command-and-control (C2) servers. It is an old but still reliable technique that threat actors use to tunnel malware and data through DNS queries.

According to the researchers, the bot encodes information using custom encoding techniques and sends it to the C2 server as a DNS request. In this way the bot transmits stolen sensitive information, command execution results, and any other data that needs to be delivered.

After receiving the request, the C2 server transmits its payload to the bot as the DNS response. The DNS protocol thus carries the communication between bot and C2.
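The DNS-tunnel channel described above is something a defender can hunt for in resolver logs. As an added example (not code from the 360 Netlab report), this Python script scores each query by name length, label length, subdomain entropy and query type, then flags client/domain pairs that send many distinct names to one domain; the log format and the c2-placeholder.test domain are constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log: "time client qtype qname" (format is an assumption)
SAMPLE_LOG = """\
10:00:01 10.0.0.5 A www.example.com
10:00:02 10.0.0.5 A 4e7a2b9c1d3f5a6b7c8d9e0f1a2b3c4d.t.c2-placeholder.test
10:00:03 10.0.0.5 TXT 9f8e7d6c5b4a39281706f5e4d3c2b1a0.t.c2-placeholder.test
10:00:05 10.0.0.5 A 0011223344556677889900aabbccddeeff0011.t.c2-placeholder.test
10:00:06 10.0.0.5 TXT 5566778899aabbccddeeff00112233445566.t.c2-placeholder.test
"""

def shannon_entropy(s):
    """Bits per character; encoded payloads score high, dictionary words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registrable_domain(qname):
    # Assumption: the last two labels are the registrable domain (no public-suffix list)
    return ".".join(qname.rstrip(".").split(".")[-2:])

def score_query(qname, qtype="A"):
    """Return the per-query indicators suggesting data is being carried in the name."""
    labels = qname.rstrip(".").split(".")
    subdomain = "".join(labels[:-2])
    reasons = []
    if len(qname) > 52:
        reasons.append("long_qname")
    if any(len(label) > 30 for label in labels):
        reasons.append("long_label")
    if len(subdomain) >= 16 and shannon_entropy(subdomain) > 3.5:
        reasons.append("high_entropy")
    if qtype in ("TXT", "NULL", "CNAME"):  # record types that carry large C2 responses
        reasons.append("response_heavy_qtype")
    return reasons

def find_tunnel_candidates(log_text, min_unique=3):
    """Group flagged queries per (client, domain); tunnelling shows as many unique names."""
    unique_names = defaultdict(set)
    reasons_seen = defaultdict(set)
    for line in log_text.splitlines():
        _ts, client, qtype, qname = line.split()
        reasons = score_query(qname, qtype)
        if not reasons:
            continue
        key = (client, registrable_domain(qname))
        unique_names[key].add(qname)
        reasons_seen[key].update(reasons)
    return {k: sorted(v) for k, v in reasons_seen.items() if len(unique_names[k]) >= min_unique}
```

Thresholds are starting points to tune against your own resolver baseline; legitimate CDN and anti-spam lookups also produce long, high-entropy names.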

360 Netlab researchers also found that, although the malware’s authors built in a broader set of functionalities, not all of them are enabled. This most likely indicates that the disabled features are still buggy and that the authors of B1txor20 intend to fix and enable them in the future.

The 360 Netlab report also includes further details, such as indicators of compromise (IOCs) and a list of all supported C2 commands.

Recurring Log4J exploitation by botnets

Several threat actors have used Log4Shell exploits in their attacks, among them state-sponsored groups affiliated with the governments of China, Iran, North Korea, and Turkey, as well as access brokers working with ransomware gangs.

Since the Log4J vulnerability was disclosed, 360 Netlab researchers have seen a growing number of malware families jump on the bandwagon, among them Elknot, Gafgyt, and Mirai.

In December, for instance, they observed threat actors using the Log4J security hole to infect vulnerable Linux systems with the Mirai and Muhstik Linux malware.
