Business, Security

How Log4Shell is being used to deliver cryptomining malware

Brendyn Lotz

15th December 2021

Since it was discovered last week, a vulnerability that can be exploited in Log4j has had system administrators up until the early hours of the morning and the situation has become worse.

According to Check Point Research, its researchers have detected a cyberattack which leverages the Log4j vulnerability to deliver a previously undetected NET-based malware variant.

So far, Check Point Research has detected the attack in Israel, the United States, South Korea, Switzerland and Cyprus. The attacks are directed at businesses in the finance, banking and software industries.

“The attack exploits the Log4j vulnerability to download a Trojan malware, which triggers a download of an .exe file, which in turn installs a crypto-miner. Once the crypto-miner is installed, it starts using the victim’s resources in order to mine for cryptocurrency for the attackers’ profit, all without the victim knowing they have been compromised. As part of the malware’s evasion techniques, all relevant functions and file names are obfuscated to avoid detection by static analysis mechanisms,” writes Check Point Research.

While we’ve seen this before now, the cybersecurity firm appears worried by the sheer amount of attempts at exploiting Log4j it has witnessed. So far, Check Point Research has tracked over 1 million attempts to allocate the vulnerability, 46 percent of which are by known hacking groups.

Worse still, the exploit is rapidly evolving.

“This is clearly one of the most serious vulnerabilities on the internet in recent years, and it’s spreading like wild fire,” explains head of Threat Intelligence at Check Point Software, Lotem Finkelstein.

“At some points, we saw over 100 hacks a minute related to the LogJ4 vulnerability. We’re seeing what appears to be an evolutionary repression, with new variations of the original exploit being introduced rapidly — over 60 in less than 24 hours. The number of combinations of how to exploit it gives the attacker many alternatives to bypass newly introduced protections. It means that one layer of protection is not enough, and only multi layered security posture would provide a resilient protection,” remarks Finkelstein.

If you are not yet taking Log4j seriously, you really should. The utility is present in many pieces of software and environments and it’s vital that responsible parties take action sooner rather than later.

As we learned just yesterday from Paul Ducklin, senior security advisor at Sophos, even something as simple as a Raspberry Pi could contain the utility.

Check everything and then check it again to insure you’re not falling prey to ne’er-do-wells online.

[Image – CC 0 Giulia May via Unsplash ]

About Author

Brendyn Lotz

Brendyn Lotz writes news, reviews, and opinion pieces for Hypertext. His interests include SMEs, innovation on the African continent, cybersecurity, blockchain, games, geek culture and YouTube.