
Overview

Researchers have discovered a new strain of malware named ‘B1txor20’ which targets Linux devices using the Log4j vulnerability.

Impact

The backdoor grants the attacker control over the device and read/write access to the file system, and lets them proxy traffic through the machine. It also installs a rootkit that hides its activity from the device owner.

Vulnerability Detection

Any DNS monitoring solution should be able to detect the suspicious subdomains typical of DNS tunnelling.
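As an added illustration of that detection approach (example code written for this page, not part of the advisory or of any vendor's product), the script below groups DNS queries by zone and scores the subdomain prefixes by uniqueness, length and Shannon entropy, the three properties that tend to separate tunnelled data from ordinary hostnames. The log lines and thresholds are constructed assumptions; only the C2 domain comes from the advisory.

```python
import math
from collections import defaultdict

# Constructed DNS query log ("timestamp client qname qtype"); the tunnelled names use the
# C2 domain from this advisory, the encoded labels in front of it are made up.
SAMPLE_DNS_LOG = """\
2022-03-15T10:00:01 10.0.0.5 www.example.com A
2022-03-15T10:00:02 10.0.0.5 mail.example.com A
2022-03-15T10:00:03 10.0.0.7 4f2a9c1e7b3d0e6a.8e6a0c2f1b4d.webserv.systems A
2022-03-15T10:00:04 10.0.0.7 a91b3e5d7f0c2d8e.2c4e6a8b9d1f.webserv.systems A
2022-03-15T10:00:05 10.0.0.7 c3d5e7f9a1b3d5f7.6e8a0c2e4a6c.webserv.systems A
2022-03-15T10:00:06 10.0.0.7 e5f7a9b1c3d5e7f9.0a2c4e6a8c0e.webserv.systems A
2022-03-15T10:00:07 10.0.0.5 www.example.com A
2022-03-15T10:00:08 10.0.0.9 cdn.example.com A
"""

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def split_name(qname):
    """(zone, prefix) with the last two labels as the zone; a public-suffix list would be more exact."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def tunnelling_candidates(log_text, min_queries=3, min_prefix_len=20, min_entropy=3.0):
    """Flag zones where most queries carry a unique, long, high-entropy prefix,
    the pattern left behind when data is encoded into subdomain labels."""
    per_zone = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            zone, prefix = split_name(parts[2])
            per_zone[zone].append(prefix)
    flagged = {}
    for zone, prefixes in per_zone.items():
        if len(prefixes) < min_queries:
            continue
        unique_ratio = len(set(prefixes)) / len(prefixes)
        avg_len = sum(len(p) for p in prefixes) / len(prefixes)
        avg_entropy = sum(shannon_entropy(p) for p in prefixes) / len(prefixes)
        if unique_ratio > 0.8 and avg_len >= min_prefix_len and avg_entropy >= min_entropy:
            flagged[zone] = {"queries": len(prefixes), "unique_ratio": round(unique_ratio, 2),
                             "avg_prefix_len": round(avg_len, 1), "avg_entropy": round(avg_entropy, 2)}
    return flagged
```

Running `tunnelling_candidates(SAMPLE_DNS_LOG)` flags only `webserv.systems`; the ordinary `www`/`mail`/`cdn` hostnames under `example.com` repeat and are short, so they stay below every threshold.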

Affected Products

Linux

Containment, Mitigations & Remediations

Keep systems patched and updated to remove known vulnerabilities.

Indicators of Compromise

C2
webserv.systems
194.165.16.24:53
194.165.16.24:443

MD5

Threat Landscape

Other botnets (Elknot, Gafgyt, Mirai) have also been targeting devices vulnerable to Log4J. A vulnerable version of the log4j dependency still accounts for a significant percentage of downloads and continues to be pulled in by upstream software as a dependency. Despite wide publication and subsequent remediation of the issue, the statistics indicate that systems are still going unpatched or cannot be updated.

Mitre Methodologies

T1190 – Exploit Public-Facing Application
T1090 – Proxy
T1071 – Application Layer Protocol: DNS

Further Information

New Threat: B1txor20, A Linux Backdoor Using DNS Tunnel