Trend says hackers have weaponized SpringShell to install Mirai malware


Getty Images

Researchers on Friday said that hackers are exploiting the recently discovered SpringShell vulnerability to successfully infect vulnerable Internet of Things devices with Mirai, an open source piece of malware that wrangles routers and other network-connected devices into sprawling botnets.

When SpringShell (also known as Spring4Shell) came to light last Sunday, some reports compared it to Log4Shell, the critical zero-day vulnerability in the popular logging utility Log4J that affected a sizable portion of apps on the Internet. That comparison proved to be exaggerated because the configurations required for SpringShell to work were by no means common. To date, there are no real-world apps known to be vulnerable.

Researchers at Trend Micro now say that hackers have developed a weaponized exploit that successfully installs Mirai. A blog post they published didn’t identify the type of device or the CPU used in the infected devices. The post did, however, say a malware file server they found stored multiple variants of the malware for different CPU architectures.

Trend Micro

“We observed active exploitation of Spring4Shell wherein malicious actors were able to weaponize and execute the Mirai botnet malware on vulnerable servers, specifically in the Singapore region,” Trend Micro researchers Deep Patel, Nitesh Surana, and Ashish Verma wrote. The exploits allow threat actors to download Mirai to the “/tmp” folder of the device and execute it following a permission change using “chmod.”

The attacks began appearing in researchers’ honeypots early this month. Most of the vulnerable setups were configured to these dependencies:

  • Spring Framework versions before 5.2.20, 5.3.18, and Java Development Kit (JDK) version 9 or higher 
  • Apache Tomcat
  • Spring-webmvc or spring-webflux dependency
  • Using Spring parameter binding that is configured to use a non-basic parameter type, such as Plain Old Java Objects (POJOs)
  • Deployable, packaged as a web application archive (WAR)

Trend said the success the hackers had in weaponizing the exploit was largely due to their skill in using exposed class objects, which offered them multiple avenues.

“For example,” the researchers wrote, “threat actors can access an AccessLogValve object and weaponize the class variable ‘class.module.classLoader.resources.context.parent.pipeline.firstpath’ in Apache Tomcat. They can do this by redirecting the access log to write a web shell into the web root through manipulation of the properties of the AccessLogValve object, such as its pattern, suffix, directory, and prefix.”

It’s hard to know precisely what to make of the report. The lack of specifics and the geographical tie to Singapore may suggest a limited number of devices are vulnerable, or possibly none, if what Trend Micro saw was some tool used by researchers. With no idea what or if real-world devices are vulnerable, it’s hard to provide an accurate assessment of the threat or provide actionable recommendations for avoiding it.