Threat Signal Report

Mirai Malware that Allegedly Propagates Using Log4Shell Spotted in the Wild

description-logo Description

FortiGuard Labs is aware of a new Mirai Linux variant that spreads using CVE-2021-44228 (Log4Shell). This is possibly the first Mirai variant equipped with Log4Shell exploit code incorporated alongside a Mirai variant, since the vulnerability came to light on December 9th 2021.

This sample was discovered by security researcher @1ZRR4H on Twitter.

How does this Mirai Variant Work? Is this a Worm?
The Mirai variant exploits CVE-2021-44228 and CVE-2017-17215 (Huawei HG532 Remote Code Execution). If the exploit is successful, the targeted machine is redirected to a LDAP server to pass the next stage payload (varies) to the victim machine.

Furthermore, chatter on OSINT channels have discussed whether or not this is a "worm." Our findings reveal that like a worm, it has the capability to propagate. But what makes it not a worm in the traditional sense is that all instructions are under control of the botmaster and it relies on an external resource for propagation. The botmaster can also start/stop various actions, unlike a worm. In conclusion, our analysis concludes that this Mirai variant is equipped with Log4Shell exploit code and Huawei H532 exploit code and does not classify as a worm.

What is Mirai malware?
Mirai malware is a Linux IoT malware that makes infected machines join a zombie network that is used for Distributed Denial of Service (DDoS) attacks. The first report of Mirai goes back to at least August 2016. Since the source code of Mirai was leaked publicly, there have been numerous threat actors and campaigns incorporating Mirai and related variants in the wild.

FortiGuard Labs previously published several blogs on Mirai IoT malware. Please refer to the APPENDIX for links to related blogs.

Why is this Significant?
This sample was reported to be one of the first worm-like samples exploiting Log4Shell. However, our analysis has concluded that this specific sample does not qualify nor can it be classified as a worm.

What is the Status of Coverage?
FortiGuard Labs provide the following AV coverage against this Mirai malware variant:

ELF/Mirai.VI!tr

FortiGuard Labs provides the following IPS coverage against CVE-2017-17215:

Huawei.HG532.Remote.Code.Execution

For FortiEDR, all known samples have been added to our cloud intelligence and will be blocked if executed.

All network IOCs are blocked by the WebFiltering client.

Definitions

Traffic Light Protocol

Color When Should it Be used? How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.