The first stage of the attack is to utilize exposed JNDI requests found in Log4J 2.0-2.16 to get the target system to execute a Base64 Encoded PowerShell script. The encoded portion contains the strings to download the payload. In most cases the attackers were observed to install crypto miners, although other malicious software/tools are possible including ransomware. The most common persistence mechanism was a scheduled task was created on the targeted system via a script. For more stealthy attacks attackers would leverage a webshell to maintain control over the system.

Although there have been a few groups targeting this attack one group, known as Prophet Spider. They are categorized as an Initial Access Group (IAG). An IAG will typically compromise hosts so that they can sell access later. Prophet Spider is known to sell access specifically for targeted ransomware attacks. Their attack patterns (TTPs) have been identified by the researchers at BlackBerry Research & Intelligence as well as their Incident Response (IR) teams.

The log4J/Log4Shell vulnerability with its ease of exploit and flexibility in payloads you can push is still a serious concern as many organizations are still not patching their known vulnerable systems. In top of this we are (still) seeing exposed VMWare Horizon servers as well as other hosts that are known to still be vulnerable to this exploit. This is despite massive efforts on the part of the security industry to respond to the original 0-Day. While there are next gen antimalware solutions that can stop the malicious pivot, patching ore disabling the exposed JNDI function is the only real way to ensure this vulnerability is not exploited in your environment.