Log4Shell-IOCs

Members of the Curated Intelligence Trust Group have compiled a list of IOC feeds and threat reports focused on the recent Log4Shell exploit targeting CVE-2021-44228 in Log4j. (Blog | Twitter | LinkedIn)

Analyst Comments:

2021-12-13
- IOCs shared by these feeds are LOW-TO-MEDIUM CONFIDENCE we strongly recommend NOT adding them to a blocklist
- These could potentially be used for THREAT HUNTING and could be added to a WATCHLIST
- Curated Intel members at various organisations recommend to FOCUS ON POST-EXPLOITATION ACTIVITY by threats leveraging Log4Shell (ex. threat actors, botnets)
- IOCs include JNDI requests (LDAP, but also DNS and RMI), cryptominers, DDoS bots, as well as Meterpreter or Cobalt Strike
- Critical IOCs to monitor also include attacks using DNS-based exfiltration of environment variables (e.g. keys or tokens), a Curated Intel member shared an example
2021-12-14
- Curated Intel members profiled active exploitation threats
2021-12-15
- Curated Intel members parsed MEDIUM CONFIDENCE FEEDS to be MISP COMPATIBLE with the help of the KPMG-Egyde CTI Team
- Curated Intel members profiled active threat groups (nation states and organized crime)
2021-12-16
- Curated Intel members confirmed the previously unnamed "New Ransomware" is actually "TellYouThePass Ransomware", mostly targeting Chinese infrastructure
2021-12-17
- Curated Intel members parsed VETTED IOCs with the help of the Equinix Threat Analysis Center (ETAC)
- ETAC has also shared a diagram of threat actors, malware, and botnets, leveraging Log4Shell in the wild
2021-12-20
- ETAC has added MITRE ATT&CK TTPs of Threat Actors leveraging Log4Shell
- Curated Intel members parsed ALIENVAULT OTX MENTIONS to be MISP COMPATIBLE with the help of the KPMG-Egyde CTI Team
2021-12-21
- Curated Intel members parsed VULNERABLE PRODUCT LISTS to be CSV+XLSX COMPATIBLE with an automated workflow, pulling from NCSC-NL + CISA + SwitHak

`Indicators of Compromise (IOCs)`

Source	URL
GreyNoise (1)	https://gist.github.com/gnremy/c546c7911d5f876f263309d7161a7217
Malwar3Ninja's GitHub	https://github.com/Malwar3Ninja/Exploitation-of-Log4j2-CVE-2021-44228/blob/main/Threatview.io-log4j2-IOC-list
Tweetfeed.live by @0xDanielLopez	https://twitter.com/0xdaniellopez/status/1470029308152487940?s=21
Azure Sentinel	https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv
URLhaus	https://urlhaus.abuse.ch/browse/tag/log4j/
Malware Bazaar	https://bazaar.abuse.ch/browse/tag/log4j/
ThreatFox	https://threatfox.abuse.ch/browse/tag/log4j/
Cronup	https://github.com/CronUp/Malware-IOCs/blob/main/2021-12-11_Log4Shell_Botnets
RedDrip7	https://github.com/RedDrip7/Log4Shell_CVE-2021-44228_related_attacks_IOCs
AbuseIPDB	`Google/Bing Dorks` site:abuseipdb.com "log4j", site:abuseipdb.com "log4shell", site:abuseipdb.com "jndi"
CrowdSec	https://gist.github.com/blotus/f87ed46718bfdc634c9081110d243166
Andrew Grealy, CTCI	https://docs.google.com/spreadsheets/d/e/2PACX-1vT1hFu_VlZazvc_xsNvXK2GJbPBCDvhgjfCTbNHJoP6ySFu05sIN09neV73tr-oYm8lo42qI_Y0whNB/pubhtml#
Bad Packets	https://twitter.com/bad_packets/status/1469225135504650240
NCSC-NL	https://github.com/NCSC-NL/log4shell/tree/main/iocs
Costin Raiu, Kaspersky	https://twitter.com/craiu/status/1470341085734051840?s=21
Kaspersky	https://securelist.com/cve-2021-44228-vulnerability-in-apache-log4j-library/105210/
SANS Internet Storm Center	https://isc.sans.edu/diary/Log4Shell+exploited+to+implant+coin+miners/28124
@cyber__sloth	https://twitter.com/cyber__sloth/status/1470353289866850305?s=21
SuperDuckToes	https://gist.github.com/superducktoes/9b742f7b44c71b4a0d19790228ce85d8
Nozomi Networks	https://www.nozominetworks.com/blog/critical-log4shell-apache-log4j-zero-day-attack-analysis/
Miguel Jiménez	https://hominido.medium.com/iocs-para-log4shell-rce-0-day-cve-2021-44228-98019dd06f35
CERT Italy	https://cert-agid.gov.it/download/log4shell-iocs.txt
RISKIQ	https://community.riskiq.com/article/57abbfcf/indicators
Infoblox	https://blogs.infoblox.com/cyber-threat-intelligence/cyber-campaign-briefs/log4j-exploit-harvesting/
Juniper Networks (1)	https://blogs.juniper.net/en-us/security/apache-log4j-vulnerability-cve-2021-44228-raises-widespread-concerns
Cyble	https://blog.cyble.com/2021/12/13/log4j-rce-0-day-vulnerability-in-java-actively-exploited/

`Threat Reports`

Source	Threat	URL
@GelosSnake	Kinsing	https://twitter.com/GelosSnake/status/1469341429541576715
@an0n_r0	Kinsing	https://twitter.com/an0n_r0/status/1469420399662350336?s=20
@zom3y3	Muhstik	https://twitter.com/zom3y3/status/1469508032887414784
360 NetLab (1)	Mirai, Muhstik	https://blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/
MSTIC (1)	Cobalt Strike	https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/
Cronup	Kinsing, Katana-Mirai, Tsunami-Muhstik	https://twitter.com/1zrr4h/status/1469734728827904002?s=21
Cisco Talos	Kinsing, Mirai	https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html
Profero	Kinsing	https://medium.com/proferosec-osm/log4shell-massive-kinsing-deployment-9aea3cf1612d
CERT.ch	Kinsing, Mirai, Tsunami	https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/
IronNet	Mirai, Cobalt Strike	https://www.ironnet.com/blog/log4j-new-software-supply-chain-vulnerability-unfolding-as-this-holidays-cyber-nightmare
@CuratedIntel	TellYouThePass Ransomware	https://www.curatedintel.org/2021/12/tellyouthepass-ransomware-via-log4shell.html
@Laughing_Mantis	Log4j Worm	https://twitter.com/Laughing_Mantis/status/1470168079137067008
Lacework	Kinsing, Mirai	https://www.lacework.com/blog/lacework-labs-identifies-log4j-attackers/
360 NetLab (2)	Muhstik, Mirai, BillGates (Elknot), XMRig, m8220, SitesLoader, Meterpreter	https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/
Trend Micro	Cobalt Strike, Kirabash, Swrort, Kinsing, Mirai	https://www.trendmicro.com/en_us/research/21/l/patch-now-apache-log4j-vulnerability-called-log4shell-being-acti.html
BitDefender	Khonsari Ransomware, Orcus RAT, XMRig, Muhstik	https://businessinsights.bitdefender.com/technical-advisory-zero-day-critical-vulnerability-in-log4j2-exploited-in-the-wild
MSTIC (2)	PHOSPHORUS, HAFNIUM, Initial Access Brokers	https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/
Cado Security (1)	Mirai, Muhstik, Kinsing	https://www.cadosecurity.com/analysis-of-initial-in-the-wild-attacks-exploiting-log4shell-log4j-cve-2021-44228/
Cado Security (2)	Khonsari Ransomware	https://www.cadosecurity.com/analysis-of-novel-khonsari-ransomware-deployed-by-the-log4shell-vulnerability/
Valtix	Kinsing, Zgrab	https://valtix.com/blog/log4shell-observations/
Fastly	Gafgyt	https://www.fastly.com/blog/new-data-and-insights-into-log4shell-attacks-cve-2021-44228
Check Point	StealthLoader	https://research.checkpoint.com/2021/stealthloader-malware-leveraging-log4shell/
Juniper Networks (2)	XMRig	https://blogs.juniper.net/en-us/threat-research/log4j-vulnerability-attackers-shift-focus-from-ldap-to-rmi
AdvIntel	Conti	https://www.advintel.io/post/ransomware-advisory-log4shell-exploitation-for-initial-access-lateral-movement
@JakubKroustek	NanoCore RAT	https://twitter.com/JakubKroustek/status/1471621708989837316
MSTIC (3)	Meterpreter, Bladabindi (njRAT), HabitsRAT, Webtoos	https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/#ransomware-update
Cryptolaemus	Dridex, Meterpreter	https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used-to-install-dridex-banking-malware/
CyberSoldiers	Dridex	https://github.com/CyberSoldiers/IOCs/blob/main/log4j_IoCs/Dridex_log4j
Cluster25	Dridex	https://github.com/Cluster25/feed/blob/main/log4shell/dridex/ioc
FortiGuard	Mirai-based "Worm"	https://www.fortiguard.com/threat-signal-report/4346/mirai-malware-that-allegedly-propagates-using-log4shell-spotted-in-the-wild

`Payload Examples`

Source	URL
GreyNoise (2)	https://gist.github.com/nathanqthai/01808c569903f41a52e7e7b575caa890
Cloudflare	https://blog.cloudflare.com/actual-cve-2021-44228-payloads-captured-in-the-wild/
yt0ng	https://gist.github.com/yt0ng/8a87f4328c8c6cde327406ef11e68726
eromang	https://github.com/eromang/researches/tree/main/CVE-2021-44228
VX-Underground	https://samples.vx-underground.org/samples/Families/Log4J%20Malware/
Malware-Traffic-Analysis (PCAP)	https://www.malware-traffic-analysis.net/2021/12/14/index.html
rwincey	https://github.com/rwincey/CVE-2021-44228-Log4j-Payloads

`Threat Profiling`

Threat	Type	Profile: Malpedia	Profile: MITRE ATT&CK	Activity
Dridex	Banking Trojan	Dridex (Malware Family) (fraunhofer.de)	Didex, Software S0384	Command and Control, Tactic TA0011
Cobalt Strike	Attack tool usage	Cobalt Strike (Malware Family) (fraunhofer.de)	Cobalt Strike, Software S0154	Command and Control, Tactic TA0011
Meterpreter	Attack tool usage	Meterpreter (Malware Family) (fraunhofer.de)	N/A	Command and Control, Tactic TA0011
Orcus RAT	Attack tool usage	Orcus RAT (Malware Family) (fraunhofer.de)	N/A	Remote Access Software, Technique T1219
NanoCore RAT	Attack tool usage	NanoCore RAT (Malware Family) (fraunhofer.de)	NanoCore, Software S0336	Remote Access Software, Technique T1219
njRAT / Bladabindi	Attack tool usage	njRAT (Malware Family) (fraunhofer.de)	njRAT, Software S0385	Remote Access Software, Technique T1219
HabitsRAT	Attack tool usage	HabitsRAT (Malware Family) (fraunhofer.de)	N/A	Remote Access Software, Technique T1219
BillGates / Elknot	Botnet expansion (DDoS)	BillGates (Malware Family) (fraunhofer.de)	N/A	Acquire Infrastructure: Botnet, Sub-technique T1583.005
Bashlite (aka Gafgyt)	Botnet expansion (DDoS)	Bashlite (Malware Family) (fraunhofer.de)	N/A	Acquire Infrastructure: Botnet, Sub-technique T1583.005
Mirai (AKA Katana)	Botnet expansion (DDoS, miner)	Mirai (Malware Family) (fraunhofer.de)	N/A	Acquire Infrastructure: Botnet, Sub-technique T1583.005
Muhstik (AKA Tsunami)	Botnet expansion (DDoS, miner)	Tsunami (Malware Family) (fraunhofer.de)	N/A	Resource Hijacking, Technique T1496
Kinsing	Botnet expansion (miner)	Kinsing (Malware Family) (fraunhofer.de)	Kinsing, Software S0599	Resource Hijacking, Technique T1496
m8220	Botnet expansion (miner)	N/A	N/A	Resource Hijacking, Technique T1496
Swrort	Downloader usage (stager)	Swrort Stager (Malware Family) (fraunhofer.de)	N/A	Ingress Tool Transfer, Technique T1105
SitesLoader	Downloader usage (stager)	N/A	N/A	Ingress Tool Transfer, Technique T1105
Kirabash	Infostealer usage	N/A	N/A	OS Credential Dumping: /etc/passwd and /etc/shadow, Sub-technique T1003.008
XMRig	Mining tool usage	N/A	N/A	Resource Hijacking, Technique T1496
Zgrab	Network scanner tool usage	N/A	N/A	Network Service Scanning, Technique T1046
TellYouThePass Ransomware	Ransomware usage	N/A	N/A	Data Encrypted for Impact, Technique T1486
Khonsari Ransomware	Ransomware usage	N/A	N/A	Data Encrypted for Impact, Technique T1486
Conti Ransomware	Ransomware usage	Conti (Malware Family) (fraunhofer.de)	Conti, Software S0575	Data Encrypted for Impact, Technique T1486

`Threat Groups`

Grouping	Actor	Mentioned Alias	Other Alias EternalLiberty	Threat Report	Note
State actor	China	HAFNIUM	N/A	MSTIC (2)	Attacking infrastructure to extend their typical targeting. In these attacks, HAFNIUM-associated systems were observed using a DNS service typically associated with testing activity to fingerprint systems.
State actor	Iran	PHOSPHORUS	APT35, TEMP.Beanie, TA 453, NewsBeef, CharmingKitten, G0003, CobaltIllusion, TG-2889, Timberworm, C-Major, Group 41, Tarh Andishan, Magic Hound, Newscaster	MSTIC (2)	Iranian actor that has been deploying ransomware, acquiring and making modifications of the Log4j exploit.
Organized Cybercrime	Russia	Wizard Spider	Trickbot Gang, FIN12, GOLD BLACKBURN, Grim Spider	AdvIntel	Wizard Spider is the developer of the Conti Ransomware-as-a-Service (RaaS) operation which has a high number of affiliates, and a Conti affiliate has leveraged Log4Shell in Log4j2 in the wild
Organized Cybercrime	Russia	EvilCorp	Indrik Spider, GOLD DRAKE	Cryptolaemus	EvilCorp are the developers of the Dridex Trojan, which began life as a banking malware but has since shifted to support the delivery of ransomware, which has included BitPaymer, DoppelPaymer, Grief, and WastedLocker, among others. Dridex is now being dropped following the exploitation of vulnerable Log4j instances

A collection of intelligence about Log4Shell and its exploitation activity

Related tags

Overview

Log4Shell-IOCs

Analyst Comments:

`Indicators of Compromise (IOCs)`

`Threat Reports`

`Payload Examples`

`Threat Profiling`

`Threat Groups`

Owner

Curated Intel

Deltaspy - an advanced keylogger that can send keylogs and screenshots to gmail

A fast sub domain brute tool for pentesters

Facebook account cloning/hacking advanced tool + dictionary attack added | Facebook automation tool

MD5-CRACKER - A gmail brute force app created with python3

Discord exploit allowing you to be unbannable.

Android Malware Behavior Deleter

Fuck - Multi Brute Force 🚶‍♂

Separate handling of protected media in Django, with X-Sendfile support

一款辅助探测Orderby注入漏洞的BurpSuite插件，Python3编写，适用于上xray等扫描器被ban的场景

Archive-Crack - A Tools for crack file archive

Python directory buster, multiple threads, gobuster-like CLI, web server brute-forcer, URL replace pattern feature.

Cloud One Container Security Runtime Events Forwarder

Infection Monkey - An automated pentest tool

A brute force tool for password-protected zip file

Trustme: #1 quality TLS certs while you wait

A quick script to spot the usage of Unicode Bidi (bidirectional) characters that could lead to an Invisible Backdoor

Security System using OpenCV

Tool to scan for RouterOS (Mikrotik) forensic artifacts and vulnerabilities.

Dome - Subdomain Enumeration Tool. Fast and reliable python script that makes active and/or passive scan to obtain subdomains and search for open ports.

Bandit is a tool designed to find common security issues in Python code.