christophetd / log4shell-vulnerable-app

Spring Boot web application vulnerable to Log4Shell (CVE-2021-44228).

Possible malware in https://github.com/feihong-cs/JNDIExploit/releases/download/v1.2/JNDIExploit.v1.2.zip

samjcs opened this issue · comments

I copied and pasted my response from the previous issue, creating a new one to raise attention.

Okay, I managed to grab a copy of this kit... a really weird story.

I have it as a private repo and I reported it to github...

I originally found this exploit kit posted on this blog for a lab here. This was 12/10.
https://www.insecurewi.re/setting-up-a-log4shell-lab-cve-2021-44228/

When I went to https://github.com/feihong-cs/JNDIExploit/ the files were actively being deleted as I was looking at the repo, and the readme was updated to say "This repository has been lost".

There was an issue with two comments. The conversation went like this:
"The malware link keeps going down brother"
"That's going to happen"

I had to get the release from the commit history, and it was literally deleted a few seconds after I downloaded the zip.

I reported all this to github.

Of course, I have not heard anything. We should have a trusted malware expert review these files. The web archive showed active development mid-late November

There's always the risk of random exploit code on GitHub being malicious, hence the warning in the README:

Run at your own risk, preferably in a VM in a sandbox environment.

You can find forks of JNDIExploit online, check the source code and build the JAR yourself. That's what I did when feihong-cs/JNDIExploit was still up, and the code seemed fine (although the JAR could be malicious).

Any chance your JNDIExploit version was considered malicious not because it's backdoored, but because it's considered an exploitation tool?
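The advice above (build the JAR yourself from a fork's source and compare it with the published release) is easy to act on, because a JAR is just a ZIP archive. The script below is an added example, not code from the issue thread or from the JNDIExploit project: it hashes every entry's content in both archives and reports entries that exist only in the download, only in your build, or that differ. META-INF/ is skipped because build tooling writes manifests and signature files differently. The two archives and the class names inside them are constructed in memory for the demo and do not reflect JNDIExploit's real layout.

```python
"""Diff a downloaded release JAR against a JAR built from source, entry by entry.

Added example; constructed demo archives, not the real JNDIExploit.v1.2 release.
Whole-file hashes are useless here (timestamps and entry order differ between
builds), so each entry's *content* is hashed instead.
"""
import hashlib
import io
import zipfile


def jar_digests(data: bytes, ignore_prefixes=("META-INF/",)) -> dict:
    """Return {entry_name: sha256_hex} for every file entry in a JAR/ZIP."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename.startswith(ignore_prefixes):
                continue
            out[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return out


def diff_jars(release: bytes, built: bytes) -> dict:
    """Compare a downloaded JAR with a self-built one.

    only_in_release: entries only in the download (a planted class shows up here)
    only_in_built:   entries only in your build
    modified:        same path, different bytes (decompile these, e.g. in JD-GUI)
    """
    a, b = jar_digests(release), jar_digests(built)
    return {
        "only_in_release": sorted(set(a) - set(b)),
        "only_in_built": sorted(set(b) - set(a)),
        "modified": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
    }


def make_jar(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; only used to construct demo input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample archives: the "release" carries one extra class and one
# altered class compared with the clean local build. Class bytes are fake.
BUILT_JAR = make_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "com/example/Main.class": b"\xca\xfe\xba\xbe clean main",
    "com/example/Server.class": b"\xca\xfe\xba\xbe clean server",
})
RELEASE_JAR = make_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nBuilt-By: someone\n",
    "com/example/Main.class": b"\xca\xfe\xba\xbe clean main",
    "com/example/Server.class": b"\xca\xfe\xba\xbe patched server",
    "com/example/Extra.class": b"\xca\xfe\xba\xbe not in source",
})


def demo() -> dict:
    """Run the comparison on the constructed archives."""
    return diff_jars(RELEASE_JAR, BUILT_JAR)


if __name__ == "__main__":
    for key, names in demo().items():
        print(f"{key}: {names}")
```

For a real comparison, build with the same JDK major version and the same Maven/Gradle settings the upstream release used, or most .class entries will land in `modified` for harmless reasons; anything left in `only_in_release` or `modified` after that is what to open in a decompiler.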

Thanks for the reply, it was the behavior I witnessed firsthand on the repo that concerned me.

The repo files were getting deleted as I was reviewing the repo, and the readme had been updated with "This repository has been lost", like an attempt to make a poor-looking 404 screen.

Followed by the highly suspicious comments about the malware link... going down.

To be clear, nothing flagged it as malware; I was just in the right place at the right time, and thought it was strange the repo was being deleted less than 48 hours after the 0-day disclosure.

The website where I found the reference to your lab and the exploit kit was here.

https://www.insecurewi.re/setting-up-a-log4shell-lab-cve-2021-44228/

I did some basic OSINT gathering on the website; at the time it was only calling out to Google Ads when I walked through the requests in Burp.

The domain name is registered in Australia, and the blog author has a small Twitter account, relatively active when running his profile through a Twitter analysis.

I'll send you an invite to the private repo, this way you can include it in your lab if you feel like it's safe.

What concerned me were the high-rated CVEs for Tomcat and Spring. On feihong-cs's profile, he has a tool for creating a Memshell in Tomcat. You can see a scan of the exploit kit here.

https://github.com/samjcs/log4shell-possible-malware/runs/4501957810

feihong-cs has some high-profile followers, which adds some credibility in my opinion. I don't want to smear his name; maybe he just did not want the tool being used, and was doing the right thing by removing access. Why update the readme and delete files selectively instead of just making it private, though? There were maybe 3-4 commits of files being deleted within 30 minutes of me landing on the page.

I don't remember the date and time of the issue comments on the original repo; by the time I was going back to grab a screenshot it had been deleted. If my memory is not failing, the issue comments were created on 12/9.

I know APTs have been targeting virtualization technologies with Log4Shell, according to a threat intel podcast I was listening to a couple of days ago.

JNDIExploit.v1.2.zip contains the following CVEs (dependency scan of the bundled JARs; the last column is the scanner's alert number):

| CVE | Severity | CVSS | Affected JAR | Upgrade to version | Alert # |
|---|---|---|---|---|---|
| CVE-2019-13116 | High | 9.8 | commons-collections-3.1.jar | commons-collections:commons-collections:3.2.2 | #8 |
| CVE-2017-15708 | High | 9.8 | commons-collections-3.1.jar | org.apache.synapse:Apache-Synapse:3.0.1; commons-collections:commons-collections:3.2.2 | #15 |
| CVE-2016-6814 | High | 9.8 | groovy-2.4.5.jar | org.codehaus.groovy:groovy:2.4.8, org.codehaus.groovy:groovy-all:2.4.8 | #10 |
| CVE-2016-1000027 | High | 9.8 | spring-web-5.2.3.RELEASE.jar | org.springframework:spring-web:5.3.0 | #6 |
| CVE-2015-7501 | High | 9.8 | commons-collections-3.1.jar | commons-collections:commons-collections:3.2.2; org.apache.commons:commons-collections4:4.1 | #20 |
| CVE-2015-7501 | High | 9.8 | commons-collections4-4.0.jar | commons-collections:commons-collections:3.2.2; org.apache.commons:commons-collections4:4.1 | #20 |
| CVE-2021-22118 | High | 7.8 | spring-web-5.2.3.RELEASE.jar | org.springframework:spring-web:5.2.15, 5.3.7 | #4 |
| CVE-2021-41079 | High | 7.5 | tomcat-embed-core-8.5.58.jar | org.apache.tomcat:tomcat-coyote:8.5.64, 9.0.44, 10.0.4; org.apache.tomcat.embed:tomcat-embed-core:8.5.64, 9.0.44, 10.0.4 | #17 |
| CVE-2021-25122 | High | 7.5 | tomcat-embed-core-8.5.58.jar | org.apache.tomcat.embed:tomcat-embed-core:8.5.62, 9.0.42, 10.0.2; org.apache.tomcat:tomcat-coyote:8.5.62, 9.0.42, 10.0.2 | #14 |
| CVE-2020-27782 | High | 7.5 | undertow-core-2.2.2.Final.jar | io.undertow:undertow-core:2.2.4.Final | #7 |
| CVE-2015-6420 | High | 7.5 | commons-collections4-4.0.jar | commons-collections:commons-collections:3.2.2, org.apache.commons:commons-collections4:4.1 | #19 |
| CVE-2015-6420 | High | 7.5 | commons-collections-3.1.jar | commons-collections:commons-collections:3.2.2, org.apache.commons:commons-collections4:4.1 | #19 |
| CVE-2015-4852 | High | 7.5 | commons-collections4-4.0.jar | commons-collections:commons-collections:3.2.2 | #3 |
| CVE-2015-4852 | High | 7.5 | commons-collections-3.1.jar | commons-collections:commons-collections:3.2.2 | #3 |
| CVE-2021-25329 | High | 7.0 | tomcat-embed-core-8.5.58.jar | org.apache.tomcat:tomcat:7.0.108, 8.5.63, 9.0.43, 10.0.2 | #5 |
| CVE-2020-5421 | Medium | 6.5 | spring-web-5.2.3.RELEASE.jar | org.springframework:spring-web:4.3.29, 5.0.19, 5.1.18, 5.2.9 | #16 |
| CVE-2021-3597 | Medium | 5.9 | undertow-core-2.2.2.Final.jar | io.undertow:undertow-core:2.2.8.Final | #12 |
| CVE-2021-24122 | Medium | 5.9 | tomcat-embed-core-8.5.58.jar | org.apache.tomcat.embed:tomcat-embed-core:7.0.107, 8.5.60, 9.0.40, 10.0.0-M10; org.apache.tomcat:tomcat-catalina:7.0.107, 8.5.60, 9.0.40, 10.0.0-M10 | #18 |
| CVE-2020-17521 | Medium | 5.5 | groovy-2.4.5.jar | org.codehaus.groovy:groovy-all:2.4.21, 2.5.14, 3.0.7 | #11 |
| CVE-2021-33037 | Medium | 5.3 | tomcat-embed-core-8.5.58.jar | org.apache.tomcat:tomcat-coyote:8.5.68, 9.0.48, 10.0.7; org.apache.tomcat.embed:tomcat-embed-core:8.5.68, 9.0.48, 10.0.7 | #9 |
| CVE-2021-22096 | Medium | 4.3 | spring-web-5.2.3.RELEASE.jar | org.springframework:spring:5.2.18.RELEASE, 5.3.12 | |

Apologies for the length. I don't know that this discussion really belongs here, but since there are comments questioning the original repo's legitimacy, I wanted to see if I could find evidence for or against.

I was curious about the original repo's history and did some more digging. While it was definitely weird the way files were deleted commit-by-commit, none of the commit messages or issue comments appear particularly threatening/indicative of something nefarious.

I used BigQuery over the GH Archive public dataset to pull events from Oct 2021 through Dec 2021 (I'm over my free quota now) and created a summary from the JSON output using jq. Below are the commands and resulting data. I'll leave the interpretation up to those curious, but have attached some files with the JSON data.

BigQuery

/* repo actions from 202110 - 202112 */
/* repo went hidden/deleted between 13-14 Dec */
SELECT created_at, type, repo, actor, payload, other
FROM `githubarchive.month.2021*`
WHERE repo.name = 'feihong-cs/JNDIExploit'
AND _TABLE_SUFFIX BETWEEN '10' AND '12'

Results

feihong-cs_JNDIExploit-gharchive-activity-202110.txt
feihong-cs_JNDIExploit-gharchive-activity-202111.txt
feihong-cs_JNDIExploit-gharchive-activity-2021201_20211220.txt

Parse PushEvents

jq '[.[] | select(.type == "PushEvent") | {created: .created_at, type: .type, "login" : .actor["login"], payload: .payload | fromjson }]' feihong-cs_JNDIExploit-gharchive-activity-2021*.json

Results

feihong-cs_JNDIExploit-gharchive-PushEvents-202110_202112.txt

Parse PushEvents summaries

jq '[.[] | select(.type == "PushEvent") | {created: .created_at, type: .type, "login" : .actor["login"], commits: .payload | fromjson | .commits}]' feihong-cs_JNDIExploit-gharchive-activity-2021*.json

Results

feihong-cs_JNDIExploit-gharchive-PushEvents-202110_202112-SUMMARY.txt

Parse IssuesEvents and IssueCommentEvents

jq '[.[] | select(.type == "IssueCommentEvent" or .type == "IssuesEvent") | {created: .created_at, type: .type, "login" : .actor["login"], payload: .payload | fromjson }]' feihong-cs_JNDIExploit-gharchive-activity-2021*.json

Results

feihong-cs_JNDIExploit-gharchive-activity-IssuesEvents_IssueCommentEvents-202110_202112.txt

Parse IssuesEvents and IssueCommentEvents summaries

jq '[.[] | select(.type == "IssueCommentEvent" or .type == "IssuesEvent") | {created: .created_at, type: .type, "login" : .actor["login"], "issue title": .payload | fromjson | .issue.title, "issue body": .payload | fromjson | .issue.body}]' feihong-cs_JNDIExploit-gharchive-activity-2021*.json

Results

feihong-cs_JNDIExploit-gharchive-IssueCommentEvent_IssuesEvent-202110_202112-SUMMARY.txt
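The jq filters above all do the same two things: decode the `payload` column, which the BigQuery JSON export carries as a JSON string (hence `fromjson`), and pull out commit messages or issue text per event. The script below is an added example, not part of this comment or of the repository: it reproduces those summaries in Python so the saved export can be re-analysed offline, and adds a per-day event count, which is the quickest way to see when a repo stops producing events in the archive. The event records are constructed to mimic the export's shape; the logins, messages and timestamps are made up and are not the real feihong-cs/JNDIExploit history.

```python
"""Summarise GH Archive event rows (as exported from BigQuery) for one repo.

Added example with constructed data. Each record keeps only the fields the
jq filters above use: created_at, type, actor.login and the payload string.
"""
import json
from collections import Counter

# Constructed sample: the JSON array one month file would hand to jq.
SAMPLE_EVENTS = [
    {"created_at": "2021-12-10 09:12:00 UTC", "type": "PushEvent",
     "actor": {"login": "maintainer"},
     "payload": json.dumps({"ref": "refs/heads/master", "commits": [
         {"sha": "a1", "message": "update readme"},
         {"sha": "a2", "message": "remove files"}]})},
    {"created_at": "2021-12-10 09:40:00 UTC", "type": "IssuesEvent",
     "actor": {"login": "visitor"},
     "payload": json.dumps({"action": "opened", "issue": {
         "number": 1, "title": "release link",
         "body": "the link keeps going down"}})},
    {"created_at": "2021-12-10 09:41:00 UTC", "type": "IssueCommentEvent",
     "actor": {"login": "maintainer"},
     "payload": json.dumps({"action": "created",
         "issue": {"number": 1, "title": "release link",
                   "body": "the link keeps going down"},
         "comment": {"body": "that is going to happen"}})},
    {"created_at": "2021-12-13 22:05:00 UTC", "type": "WatchEvent",
     "actor": {"login": "someone"},
     "payload": json.dumps({"action": "started"})},
]


def load_payload(event: dict) -> dict:
    """The export carries `payload` as a JSON string; decode it (jq's fromjson)."""
    payload = event.get("payload", {})
    return json.loads(payload) if isinstance(payload, str) else payload


def day_of(event: dict) -> str:
    """UTC date part of created_at ('2021-12-10 09:12:00 UTC' or ISO 'T' form)."""
    return event["created_at"][:10]


def summarize_pushes(events) -> list:
    """One row per PushEvent with its commit messages (the second jq filter)."""
    rows = []
    for ev in events:
        if ev.get("type") != "PushEvent":
            continue
        payload = load_payload(ev)
        rows.append({
            "created": ev["created_at"],
            "login": ev["actor"]["login"],
            "ref": payload.get("ref"),
            "commits": [c.get("message", "") for c in payload.get("commits", [])],
        })
    return rows


def summarize_issues(events) -> list:
    """Issue title plus the text that event added (the fourth jq filter, but
    using the comment body for IssueCommentEvents instead of the issue body)."""
    rows = []
    for ev in events:
        if ev.get("type") not in ("IssuesEvent", "IssueCommentEvent"):
            continue
        payload = load_payload(ev)
        issue = payload.get("issue", {})
        if ev["type"] == "IssueCommentEvent":
            text = payload.get("comment", {}).get("body")
        else:
            text = issue.get("body")
        rows.append({
            "created": ev["created_at"],
            "type": ev["type"],
            "login": ev["actor"]["login"],
            "issue_title": issue.get("title"),
            "text": text,
        })
    return rows


def activity_by_day(events) -> Counter:
    """Events per UTC day, any type; a hard stop marks when the repo went dark."""
    return Counter(day_of(ev) for ev in events)


def last_seen(events) -> str:
    """Last UTC day on which GH Archive recorded anything for the repo."""
    return max(day_of(ev) for ev in events)


if __name__ == "__main__":
    for row in summarize_pushes(SAMPLE_EVENTS):
        print(row["created"], row["login"], row["commits"])
    for row in summarize_issues(SAMPLE_EVENTS):
        print(row["created"], row["type"], row["login"], repr(row["text"]))
    print(dict(activity_by_day(SAMPLE_EVENTS)), "last seen:", last_seen(SAMPLE_EVENTS))
```

To run it on the real export, replace SAMPLE_EVENTS with `json.load(open("feihong-cs_JNDIExploit-gharchive-activity-202112.json"))`. Note that GH Archive only records what GitHub emitted as public events: a push that deletes files shows up as commit messages, not as the list of removed paths, and making a repo private produces no event at all, which is why the cut-off date is all the archive can tell you.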

The exact zip is in here, since I Dockerized it, if you don't have a local copy:

https://hub.docker.com/r/sickcodes/jndiexploit/tags

Just pull it out of /root and open it up in JD-GUI if you're concerned.

(screenshot attached)

It wasn't removed from GitHub, it was just moved to a burner account.