Skip to content

A collection of intelligence about Log4Shell and its exploitation activity.

Notifications You must be signed in to change notification settings

curated-intel/Log4Shell-IOCs

Repository files navigation

logo

Log4Shell-IOCs

Members of the Curated Intelligence Trust Group have compiled a list of IOC feeds and threat reports focused on the recent Log4Shell exploit targeting CVE-2021-44228 in Log4j. (Blog | Twitter | LinkedIn)

Analyst Comments:

  • 2021-12-13
    • IOCs shared by these feeds are LOW-TO-MEDIUM CONFIDENCE we strongly recommend NOT adding them to a blocklist
    • These could potentially be used for THREAT HUNTING and could be added to a WATCHLIST
    • Curated Intel members at various organisations recommend to FOCUS ON POST-EXPLOITATION ACTIVITY by threats leveraging Log4Shell (ex. threat actors, botnets)
    • IOCs include JNDI requests (LDAP, but also DNS and RMI), cryptominers, DDoS bots, as well as Meterpreter or Cobalt Strike
    • Critical IOCs to monitor also include attacks using DNS-based exfiltration of environment variables (e.g. keys or tokens), a Curated Intel member shared an example
  • 2021-12-14
  • 2021-12-15
  • 2021-12-16
  • 2021-12-17
  • 2021-12-20
    • ETAC has added MITRE ATT&CK TTPs of Threat Actors leveraging Log4Shell
    • Curated Intel members parsed ALIENVAULT OTX MENTIONS to be MISP COMPATIBLE with the help of the KPMG-Egyde CTI Team
  • 2021-12-21
  • 2021-12-22
    • Curated Intel members added very basic FALSE-POSITIVE FILTERING for threat hunting feed outputs, using selected MISP warning lists, primarily to remove false-positives of large DNS resolvers (among others)
  • 2021-12-29
    • Added Securonix Autonomous Threat Sweep vetted IoC's and TTP's
  • 2022-01-10
    • Updated MSTIC (4) report now tracks a China-based double-extortion ransomware operator, DEV-0401, who deployed NightSky ransomware via VMWare Horizon initial access
  • 2022-01-11
    • SentinelOne shared their analysis of cybercrime actors leveraging Log4j one month since disclosure, with new info on the Emotet botnet using Log4j for payload hosting
  • 2022-03-03
    • Threat hunting feeds updated by KPMG-Egyde CTI

Indicators of Compromise (IOCs)

Source URL
GreyNoise (1) https://gist.github.com/gnremy/c546c7911d5f876f263309d7161a7217
Malwar3Ninja's GitHub https://github.com/Malwar3Ninja/Exploitation-of-Log4j2-CVE-2021-44228/blob/main/Threatview.io-log4j2-IOC-list
Tweetfeed.live by @0xDanielLopez https://twitter.com/0xdaniellopez/status/1470029308152487940?s=21
Azure Sentinel https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv
URLhaus https://urlhaus.abuse.ch/browse/tag/log4j/
Malware Bazaar https://bazaar.abuse.ch/browse/tag/log4j/
ThreatFox https://threatfox.abuse.ch/browse/tag/log4j/
Cronup https://github.com/CronUp/Malware-IOCs/blob/main/2021-12-11_Log4Shell_Botnets
RedDrip7 https://github.com/RedDrip7/Log4Shell_CVE-2021-44228_related_attacks_IOCs
AbuseIPDB Google/Bing Dorks site:abuseipdb.com "log4j", site:abuseipdb.com "log4shell", site:abuseipdb.com "jndi"
CrowdSec https://gist.github.com/blotus/f87ed46718bfdc634c9081110d243166
Andrew Grealy, CTCI https://docs.google.com/spreadsheets/d/e/2PACX-1vT1hFu_VlZazvc_xsNvXK2GJbPBCDvhgjfCTbNHJoP6ySFu05sIN09neV73tr-oYm8lo42qI_Y0whNB/pubhtml#
Bad Packets https://twitter.com/bad_packets/status/1469225135504650240
NCSC-NL https://github.com/NCSC-NL/log4shell/tree/main/iocs
Costin Raiu, Kaspersky https://twitter.com/craiu/status/1470341085734051840?s=21
Kaspersky https://securelist.com/cve-2021-44228-vulnerability-in-apache-log4j-library/105210/
SANS Internet Storm Center https://isc.sans.edu/diary/Log4Shell+exploited+to+implant+coin+miners/28124
@cyber__sloth https://twitter.com/cyber__sloth/status/1470353289866850305?s=21
SuperDuckToes https://gist.github.com/superducktoes/9b742f7b44c71b4a0d19790228ce85d8
Nozomi Networks https://www.nozominetworks.com/blog/critical-log4shell-apache-log4j-zero-day-attack-analysis/
Miguel Jiménez https://hominido.medium.com/iocs-para-log4shell-rce-0-day-cve-2021-44228-98019dd06f35
CERT Italy https://cert-agid.gov.it/download/log4shell-iocs.txt
RISKIQ https://community.riskiq.com/article/57abbfcf/indicators
Infoblox https://blogs.infoblox.com/cyber-threat-intelligence/cyber-campaign-briefs/log4j-exploit-harvesting/
Juniper Networks (1) https://blogs.juniper.net/en-us/security/apache-log4j-vulnerability-cve-2021-44228-raises-widespread-concerns
Cyble https://blog.cyble.com/2021/12/13/log4j-rce-0-day-vulnerability-in-java-actively-exploited/
Securonix https://github.com/Securonix/AutonomousThreatSweep/tree/main/Log4Shell

Threat Reports

Source Threat URL
@GelosSnake Kinsing https://twitter.com/GelosSnake/status/1469341429541576715
@an0n_r0 Kinsing https://twitter.com/an0n_r0/status/1469420399662350336?s=20
@zom3y3 Muhstik https://twitter.com/zom3y3/status/1469508032887414784
360 NetLab (1) Mirai, Muhstik https://blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/
MSTIC (1) Cobalt Strike https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/
Cronup Kinsing, Katana-Mirai, Tsunami-Muhstik https://twitter.com/1zrr4h/status/1469734728827904002?s=21
Cisco Talos Kinsing, Mirai https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html
Profero Kinsing https://medium.com/proferosec-osm/log4shell-massive-kinsing-deployment-9aea3cf1612d
CERT.ch Kinsing, Mirai, Tsunami https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/
IronNet Mirai, Cobalt Strike https://www.ironnet.com/blog/log4j-new-software-supply-chain-vulnerability-unfolding-as-this-holidays-cyber-nightmare
@CuratedIntel TellYouThePass Ransomware https://www.curatedintel.org/2021/12/tellyouthepass-ransomware-via-log4shell.html
@Laughing_Mantis Log4j Worm https://twitter.com/Laughing_Mantis/status/1470168079137067008
Lacework Kinsing, Mirai https://www.lacework.com/blog/lacework-labs-identifies-log4j-attackers/
360 NetLab (2) Muhstik, Mirai, BillGates (Elknot), XMRig, m8220, SitesLoader, Meterpreter https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/
Trend Micro Cobalt Strike, Kirabash, Swrort, Kinsing, Mirai https://www.trendmicro.com/en_us/research/21/l/patch-now-apache-log4j-vulnerability-called-log4shell-being-acti.html
BitDefender Khonsari Ransomware, Orcus RAT, XMRig, Muhstik https://businessinsights.bitdefender.com/technical-advisory-zero-day-critical-vulnerability-in-log4j2-exploited-in-the-wild
MSTIC (2) PHOSPHORUS, HAFNIUM, Initial Access Brokers https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/
Cado Security (1) Mirai, Muhstik, Kinsing https://www.cadosecurity.com/analysis-of-initial-in-the-wild-attacks-exploiting-log4shell-log4j-cve-2021-44228/
Cado Security (2) Khonsari Ransomware https://www.cadosecurity.com/analysis-of-novel-khonsari-ransomware-deployed-by-the-log4shell-vulnerability/
Valtix Kinsing, Zgrab https://valtix.com/blog/log4shell-observations/
Fastly Gafgyt https://www.fastly.com/blog/new-data-and-insights-into-log4shell-attacks-cve-2021-44228
Check Point StealthLoader https://research.checkpoint.com/2021/stealthloader-malware-leveraging-log4shell/
Juniper Networks (2) XMRig https://blogs.juniper.net/en-us/threat-research/log4j-vulnerability-attackers-shift-focus-from-ldap-to-rmi
AdvIntel Conti https://www.advintel.io/post/ransomware-advisory-log4shell-exploitation-for-initial-access-lateral-movement
@JakubKroustek NanoCore RAT https://twitter.com/JakubKroustek/status/1471621708989837316
MSTIC (3) Meterpreter, Bladabindi (njRAT), HabitsRAT, Webtoos https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/#ransomware-update
Cryptolaemus Dridex, Meterpreter https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used-to-install-dridex-banking-malware/
CyberSoldiers Dridex https://github.com/CyberSoldiers/IOCs/blob/main/log4j_IoCs/Dridex_log4j
Cluster25 Dridex https://github.com/Cluster25/feed/blob/main/log4shell/dridex/ioc
FortiGuard Mirai-based "Worm" https://www.fortiguard.com/threat-signal-report/4346/mirai-malware-that-allegedly-propagates-using-log4shell-spotted-in-the-wild
CyStack Kworker backdoor https://cystack.net/research/the-attack-on-onus-a-real-life-case-of-the-log4shell-vulnerability
MSTIC (4) DEV-0401 https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/#ransomware-update
DarkFeed AvosLocker https://twitter.com/ido_cohen2/status/1478418331434639363
Centre for Cyber security Belgium Farfli (Gh0st RAT), CobaltStrike https://twitter.com/FancyCyber/status/1482454456071598082?s=20

Payload Examples

Source URL
GreyNoise (2) https://gist.github.com/nathanqthai/01808c569903f41a52e7e7b575caa890
Cloudflare https://blog.cloudflare.com/actual-cve-2021-44228-payloads-captured-in-the-wild/
yt0ng https://gist.github.com/yt0ng/8a87f4328c8c6cde327406ef11e68726
eromang https://github.com/eromang/researches/tree/main/CVE-2021-44228
VX-Underground https://samples.vx-underground.org/samples/Families/Log4J%20Malware/
Malware-Traffic-Analysis (PCAP) https://www.malware-traffic-analysis.net/2021/12/14/index.html
rwincey https://github.com/rwincey/CVE-2021-44228-Log4j-Payloads

Threat Profiling

Threat Type Profile: Malpedia Profile: MITRE ATT&CK Activity
Dridex Banking Trojan Dridex (Malware Family) (fraunhofer.de) Didex, Software S0384 Command and Control, Tactic TA0011
Cobalt Strike Attack tool usage Cobalt Strike (Malware Family) (fraunhofer.de) Cobalt Strike, Software S0154 Command and Control, Tactic TA0011
Meterpreter Attack tool usage Meterpreter (Malware Family) (fraunhofer.de) N/A Command and Control, Tactic TA0011
Orcus RAT Attack tool usage Orcus RAT (Malware Family) (fraunhofer.de) N/A Remote Access Software, Technique T1219
NanoCore RAT Attack tool usage NanoCore RAT (Malware Family) (fraunhofer.de) NanoCore, Software S0336 Remote Access Software, Technique T1219
njRAT / Bladabindi Attack tool usage njRAT (Malware Family) (fraunhofer.de) njRAT, Software S0385 Remote Access Software, Technique T1219
HabitsRAT Attack tool usage HabitsRAT (Malware Family) (fraunhofer.de) N/A Remote Access Software, Technique T1219
Gh0st RAT Attack tool usage Gh0st RAT (Malware Family) (fraunhofer.de) Gh0st RAT, Software S0032 Remote Access Software, Technique T1219
BillGates / Elknot Botnet expansion (DDoS) BillGates (Malware Family) (fraunhofer.de) N/A Acquire Infrastructure: Botnet, Sub-technique T1583.005
Bashlite (aka Gafgyt) Botnet expansion (DDoS) Bashlite (Malware Family) (fraunhofer.de) N/A Acquire Infrastructure: Botnet, Sub-technique T1583.005
Mirai (AKA Katana) Botnet expansion (DDoS, miner) Mirai (Malware Family) (fraunhofer.de) N/A Acquire Infrastructure: Botnet, Sub-technique T1583.005
Muhstik (AKA Tsunami) Botnet expansion (DDoS, miner) Tsunami (Malware Family) (fraunhofer.de) N/A Resource Hijacking, Technique T1496
Kinsing Botnet expansion (miner) Kinsing (Malware Family) (fraunhofer.de) Kinsing, Software S0599 Resource Hijacking, Technique T1496
m8220 Botnet expansion (miner) N/A N/A Resource Hijacking, Technique T1496
Swrort Downloader usage (stager) Swrort Stager (Malware Family) (fraunhofer.de) N/A Ingress Tool Transfer, Technique T1105
SitesLoader Downloader usage (stager) N/A N/A Ingress Tool Transfer, Technique T1105
Kirabash Infostealer usage N/A N/A OS Credential Dumping: /etc/passwd and /etc/shadow, Sub-technique T1003.008
XMRig Mining tool usage N/A N/A Resource Hijacking, Technique T1496
Zgrab Network scanner tool usage N/A N/A Network Service Scanning, Technique T1046
TellYouThePass Ransomware Ransomware usage N/A N/A Data Encrypted for Impact, Technique T1486
Khonsari Ransomware Ransomware usage N/A N/A Data Encrypted for Impact, Technique T1486
Conti Ransomware Ransomware usage Conti (Malware Family) (fraunhofer.de) Conti, Software S0575 Data Encrypted for Impact, Technique T1486
NightSky Ransomware Ransomware usage N/A N/A Data Encrypted for Impact, Technique T1486
AvosLocker Ransomware Ransomware usage N/A N/A Data Encrypted for Impact, Technique T1486

Threat Groups

Grouping Actor Mentioned Alias Other Alias EternalLiberty Threat Report Note
State actor China HAFNIUM N/A MSTIC (2) Attacking infrastructure to extend their typical targeting. In these attacks, HAFNIUM-associated systems were observed using a DNS service typically associated with testing activity to fingerprint systems.
State actor Iran PHOSPHORUS APT35, TEMP.Beanie, TA 453, NewsBeef, CharmingKitten, G0003, CobaltIllusion, TG-2889, Timberworm, C-Major, Group 41, Tarh Andishan, Magic Hound, Newscaster MSTIC (2) Iranian actor that has been deploying ransomware, acquiring and making modifications of the Log4j exploit.
Organized Cybercrime Russia Wizard Spider Trickbot Gang, FIN12, GOLD BLACKBURN, Grim Spider AdvIntel Wizard Spider is the developer of the Conti Ransomware-as-a-Service (RaaS) operation which has a high number of affiliates, and a Conti affiliate has leveraged Log4Shell in Log4j2 in the wild
Organized Cybercrime Russia EvilCorp Indrik Spider, GOLD DRAKE Cryptolaemus EvilCorp are the developers of the Dridex Trojan, which began life as a banking malware but has since shifted to support the delivery of ransomware, which has included BitPaymer, DoppelPaymer, Grief, and WastedLocker, among others. Dridex is now being dropped following the exploitation of vulnerable Log4j instances
State actor China Aquatic Panda N/A CrowdStrike AQUATIC PANDA is a China-based targeted intrusion adversary with a dual mission of intelligence collection and industrial espionage. It has likely operated since at least May 2020. AQUATIC PANDA operations have primarily focused on entities in the telecommunications, technology and government sectors. AQUATIC PANDA relies heavily on Cobalt Strike, and its toolset includes the unique Cobalt Strike downloader tracked as FishMaster. AQUATIC PANDA has also been observed delivering njRAT payloads to targets.
To be determined China DEV-0401 N/A MSTIC (4) Attackers started exploiting the CVE-2021-44228 vulnerability in internet-facing systems running VMware Horizon. An investigation shows that successful intrusions in these campaigns led to the deployment of the NightSky ransomware. These attacks are performed by a China-based ransomware operator that MSTIC is tracking as DEV-0401. DEV-0401 has previously deployed multiple ransomware families including LockFile, AtomSilo, and Rook, and has similarly exploited Internet-facing systems running Confluence (CVE-2021-26084) and on-premises Exchange servers (CVE-2021-34473).
Organized Cybercrime Russia Mummy Spider TA542, MealyBug, GoldCrestwood SentinelOne Naturally, the Emotet crew has been taking advantage of Log4j as well. For example, vulnerable servers were quickly compromised and used for staging and payload hosting within the greater Emotet network.
Organized Cybercrime Russia Prophet Spider UNC961 BlackBerry The Initial Access Broker (IAB) group Prophet Spider has been exploiting the Log4j vulnerability in the Apache Tomcat component of VMware Horizon