Log4j opening doors for new attacks, new report reveals

Avast released its Q4/2021 threat report, revealing an immediate exploitation of the Log4j vulnerability by coinminers, RATs, botnets, ransomware and APTs in December 2021 have put CISO departments under pressure.

Furthermore, Avast’s threat researchers observed the revival of the Emotet botnet, and a 40 per cent rise in coinminers, posing risks for consumers and businesses alike. The Q4 findings likewise show an increase in adware, technical support scams on desktop and subscription scams and spyware on Android devices, targeting consumers. At the same time, Avast saw less ransomware and remote access trojan (RAT) activity.

According to Jakub Kroustek, Avast malware research director, towards the end of the year, the extremely dangerous, ubiquitous and easy to abuse Log4j vulnerability made CISO departments sweat as it was weaponised by attackers spreading everything from coinminers to bots to ransomware.

"On the other hand, we are happy to report decreases in RAT, information stealer and ransomware attacks.

"RAT activity died down thanks to the holidays, with bad actors even going as far as copying the DcRat remote access Trojan and renaming it 'SantaRat'.

"We saw a slight decrease in information stealer activity, likely due to a significant decrease in infections through password and information stealer Fareit, which dropped by 61 per cent vs. the previous quarter," Kroustek said.

Cyber criminals attacking businesses via Log4j vulnerability and via RATs abusing Azure and AWS

The vulnerability in Log4j, a Java logging library, proved extremely dangerous for businesses because of the ubiquity of the library and the ease of exploitation.

VIEW ALL

Avast researchers observed coinminers, RATs, bots, ransomware and APT groups abusing the vulnerability. Various botnets abused the vulnerability, including the infamous Mirai botnet. Most bot attacks were just probes testing the vulnerability, but Avast also noticed numerous attempts to load potentially malicious code.

For instance, some RATs were spread using the vulnerability, the most prevalent of which were NanoCore, AsyncRat and Orcus. A low-quality ransomware, called Khonsari, was the first ransomware the researchers saw exploiting the vulnerability.

In addition to exploiting the Log4j vulnerability to spread RATs, cyber criminals exploited the CVE-2021-40449 vulnerability, which was used to elevate permissions of malicious processes by exploiting the Windows kernel driver.

Attackers used this vulnerability to download and launch the MistarySnail RAT.

A very important cause of high NanoCore and AsyncRat detections was caused by a malicious campaign abusing the cloud providers, Microsoft Azure and Amazon Web Service (AWS). In this campaign, malware attackers used Azure and AWS as download servers for their malicious payloads to attack businesses.

Avast researchers also saw the bad actors behind Emotet rewrite several of its parts, reviving their machinery, and taking the botnet market back with the latest Emotet reincarnation.

Adware, coinminers, and tech support scams targeting consumers

Desktop adware and rootkit activity increased in Q4/2021.

Avast researchers believe these trends are related to the Cerbu rootkit, which can hijack browser homepages and redirect site URLs according to the rootkit configuration. Cerbu can therefore easily be deployed and configured for adware, annoying victims with unwanted ads and capable of adding a backdoor to victims’ machines.

While the bitcoin price increased at the end of 2021, the number of coinminers spreading increased by 40 per cent, often via infected web pages and pirated software.

CoinHelper was one of the prevalent coinminers very active throughout Q4/2021, mostly targeting users in Russia and the Ukraine. Coinminers stealthily abuse a user's computing power to mine cryptocurrencies, which can cause high electricity bills and impact the lifespan of the user’s hardware.

Additionally, CoinHelper harvests various information about its victims including their geolocation, antivirus solution they have installed and hardware they are using. Despite observing multiple cryptocurrencies configured to be mined, including Ethereum and bitcoin, Monero stood out to Avast researchers in particular.

Monero is designed to be anonymous, however, the wrong usage of addresses and the mechanics of how mining pools work, enabled the researchers to gain deeper insights into the malware authors’ Monero mining operation. They found that the total monetary gain from the CoinHelper coinminer was over $485,000 ($339,694.86 USD) as of 29 November 2021. In the month of December, it mined an additional amount close to $5,000 ($3,446.03 USD) ~15.162 XMR, ~.

CoinHelper is still actively spreading, with the ability to mine ~0.474 XMR every day.

The Avast threat researchers also observed a spike of tech support scams, tricking the user into believing they have a technical problem, and scamming them into calling a hotline where they will be scammed to pay high support fees or grant remote access to their system.

Premium SMS subscription scams and spyware stealing Facebook credentials spreading on mobile devices

The Avast Threat Labs noted two mobile threats in the report: UltimaSMS and Facestealer.

Ultima SMS, a premium SMS subscription scam resurfaced in the last few months. In October, Ultima SMS apps were available on the Play Store, mimicking legitimate applications and games, often featuring catchy adverts.

Once downloaded, they prompted users to enter their phone number to access the app. Subsequently, users were subscribed to a premium SMS service that can cost up to $10 per week. The actors behind UltimaSMS extensively used social media to advertise their applications and accrued over 10 million downloads as a result.

Facestealer, a spyware designed to steal Facebook credentials, resurfaced on multiple occasions in Q4/2021. The malware masquerades as photo editors, horoscopes, fitness apps and others. After using the app for a period of time, it prompts the user to sign in to Facebook to continue using the app, without adverts.

Kroustek explained the havoc ransomware caused in the first three quarters of 2021 triggered a coordinated cooperation of nations, government agencies and security vendors to hunt down ransomware authors and operators, and it is believed all of this resulted in a significant decrease in ransomware attacks in Q4/2021.

"The ransomware risk ratio decreased by an impressive 28 per cent compared to Q3/2021. We hope to see a continuation of this trend in Q1/2022, but we are also prepared for the opposite," Kroustek concluded.

[Related: Hackers now using alternate personas to perpetrate ransomware attacks]

Nastasha Tupas

Nastasha is a Journalist at Momentum Media, she reports extensively across veterans affairs, cyber security and geopolitics in the Indo-Pacific. She is a co-author of a book titled The Stories Women Journalists Tell, published by Penguin Random House. Previously, she was a Content Producer at Verizon Media, a Digital Producer for Yahoo! and Channel 7, a Digital Journalist at Sky News Australia, as well as a Website Manager and Digital Producer at SBS Australia. Nastasha started her career in media as a Video Producer and Digital News Presenter at News Corp Australia.