Where the Latest Log4Shell Attacks Are Coming From

Analysts find at least 10 Linux botnets actively exploiting Log4Shell flaw.

Cybersecurity professionals across the world have been scrambling to shore up their systems against a critical remote code-execution (RCE) flaw (CVE-2021-44228) in the Apache Log4j tool, discovered just days ago.

Now under active exploit, the “Log4Shell” bug allows complete server takeover. Researchers have started to fill in the details on the latest Log4Shell attacks, and they reported finding at least 10 specific Linux botnets leading the charge.

Infosec Insiders Newsletter

First, analysts at NetLab 360 detected two waves of Log4Shell attacks on their honeypots, from the Muhstik and Mirai botnets.

Mirai Tweaked to Troll for Log4Shell Vulnerability 

The analysts at Netlab 360 said this is a new variant of Mirai with a few specific innovations. First, they pointed out the code piece “table_init/table_lock_val/table_unlock_val and other Mirai-specific configuration management functions have been removed.”

Secondly, they added, “The attack_init function is also discarded, and the DDoS attack function is called directly by the command-processing function.”

Finally, they found this iteration of the Mirai botnet uses a two-level domain for its command-and-control (C2) mechanis,, which the team at Netlab 360 said was “rare.”

Muhstik Variant Attacks Log4Shell

The other Linux botnet launched to take advantage of the Apache 4j Library flaw is Muhstik, a Mirai variant.

“In this captured sample, we note that the new Muhstik variant adds a backdoor module, ldm, which has the ability to add an SSH backdoor public key with the following installed backdoor public key,” Netlab 360 reported.

Once added, the public key lets a threat actor log onto the server without so much as a password, they explained.

“Muhstik takes a blunt approach to spread the payload aimlessly, knowing that there will be vulnerable machines, and in order to know who has been infected, Muhstik adopts TOR network for its reporting mechanism,” the Netlab 360 team said.

Following detection of those attacks, the Netlab 360 team found other botnets on the hunt for the Log4Shell vulnerability including: DDoS family Elknot; mining family m8220; SitesLoader; xmrig.pe; xmring.ELF; attack tool 1; attack tool 2; plus one unknown and a PE family.

Geography of Log4Shell Attacks

The majority of exploitation attempts against Log4Shell originate in Russia, according to Kaspersky researchers who found 4,275 attacks launched from Russia, by far the most of any other region. By comparison, 351 attempts were launched from China and 1,746 from the U.S.

So far, the Apache Log4j logging library exploit has spun off 60 mutations — and it only took less than a day.

This story is developing, so stay tuned to Threatpost for additional coverage.

There’s a sea of unstructured data on the internet relating to the latest security threats. REGISTER TODAY to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). This LIVE, interactive Threatpost Town Hall, sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken.

Register NOW for the LIVE event!

Suggested articles