Mirai Malware that Allegedly Propagates Using Log4Shell Spotted in the Wild


FortiGuard Labs is aware of a new Mirai Linux variant that spreads using CVE-2021-44228 (Log4Shell). This is possibly the first Mirai variant equipped with Log4Shell exploit code incorporated alongside a Mirai variant, since the vulnerability came to light on December 9th 2021.

This sample was discovered by security researcher @1ZRR4H on Twitter.

How does this Mirai Variant Work? Is this a Worm?
The Mirai variant exploits CVE-2021-44228 and CVE-2017-17215 (Huawei HG532 Remote Code Execution). If the exploit is successful, the targeted machine is redirected to a LDAP server to pass the next stage payload (varies) to the victim machine.

Furthermore, chatter on OSINT channels have discussed whether or not this is a "worm." Our findings reveal that like a worm, it has the capability to propagate. But what makes it not a worm in the traditional sense is that all instructions are under control of the botmaster and it relies on an external resource for propagation. The botmaster can also start/stop various actions, unlike a worm. In conclusion, our analysis concludes that this Mirai variant is equipped with Log4Shell exploit code and Huawei H532 exploit code and does not classify as a worm.

What is Mirai malware?
Mirai malware is a Linux IoT malware that makes infected machines join a zombie network that is used for Distributed Denial of Service (DDoS) attacks. The first report of Mirai goes back to at least August 2016. Since the source code of Mirai was leaked publicly, there have been numerous threat actors and campaigns incorporating Mirai and related variants in the wild.

FortiGuard Labs previously published several blogs on Mirai IoT malware. Please refer to the APPENDIX for links to related blogs.

Why is this Significant?
This sample was reported to be one of the first worm-like samples exploiting Log4Shell. However, our analysis has concluded that this specific sample does not qualify nor can it be classified as a worm.

What is the Status of Coverage?
FortiGuard Labs provide the following AV coverage against this Mirai malware variant:


FortiGuard Labs provides the following IPS coverage against CVE-2017-17215:


For FortiEDR, all known samples have been added to our cloud intelligence and will be blocked if executed.

All network IOCs are blocked by the WebFiltering client.