Trend says hackers have weaponized SpringShell to install Mirai malware


Researchers said Friday that hackers are exploiting the recently discovered SpringShell vulnerability to successfully infect vulnerable IoT devices with Mirai, an open-source piece of malware that turns routers and other network-connected devices into sprawling botnets.

When SpringShell (also known as Spring4Shell) came out last Sunday, some reports compared it to Log4Shell, the critical zero-day vulnerability in the popular logging utility Log4J that affected a significant portion of applications on the Internet. That comparison turned out to be overkill because the configurations required for SpringShell to work were by no means common. To date, no real-world applications are known to be vulnerable.

Trend Micro researchers now say that hackers have developed a weaponized exploit that successfully installs Mirai. A blog post they published did not identify the type of device or the CPU used on the infected devices. However, the post said that a malware file server they found stored multiple variants of the malware for different CPU architectures.


“We observed an active Spring4Shell exploit in which malicious actors were able to weaponize and execute the Mirai botnet malware on vulnerable servers, specifically in the Singapore region,” Trend Micro researchers Deep Patel, Nitesh Surana, and Ashish Verma wrote. The vulnerability allows threat actors to download Mirai to the “/tmp” folder of the device and run it after a permission change using “chmod”.

The attacks started showing up in the researchers’ honeypots earlier this month. Most of the vulnerable deployments shared this combination of dependencies and configuration:

  • Spring Framework versions earlier than 5.2.20 or 5.3.18, running on Java Development Kit (JDK) version 9 or higher
  • Apache Tomcat
  • Spring-webmvc or spring-webflux dependency
  • Using Spring parameter binding that is configured to use a non-basic parameter type, such as Plain Old Java Objects (POJOs)
  • Deployable, packaged as a web application archive (WAR)

Trend said the hackers’ success in putting together the exploit was largely due to their ability to use exposed class objects, which offered them multiple avenues.

“For example,” the researchers wrote, “threat actors can access an AccessLogValve object and set the class variable ‘class.module.classLoader.resources.context.parent.pipeline.firstpath’ in Apache Tomcat. They can do this by redirecting the access log to write a web shell to the web root by manipulating the properties of the AccessLogValve object, such as its pattern, suffix, directory, and prefix.”
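The property chain quoted above is something a defender can watch for in Apache Tomcat access logs. The following detector is an added illustration, not code from the Trend Micro post or from this article: it scans constructed sample log lines (not real traffic) for request parameters that walk from `class.` into the class loader and, further, into the AccessLogValve properties named in the quote.

```python
import re
from urllib.parse import unquote_plus, parse_qsl

# Constructed sample lines in Tomcat's "common" access-log format (not from
# the report). Line 2 carries a query string that references the class
# loader property chain quoted in the Trend Micro post.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Apr/2022:10:00:01 +0000] "GET /app/greet?name=alice HTTP/1.1" 200 512
10.0.0.9 - - [01/Apr/2022:10:00:02 +0000] "GET /app/greet?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp HTTP/1.1" 200 512
10.0.0.7 - - [01/Apr/2022:10:00:03 +0000] "POST /app/greet HTTP/1.1" 200 512
"""

# Request line inside a log entry; only query-string parameters are visible here.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Parameter-name prefixes that reach the class loader through Spring's data
# binder (the chain named in the post), compared after normalization...
SUSPICIOUS_PREFIXES = ("class.module.classloader", "class.classloader")
# ...and the AccessLogValve properties the post says are manipulated.
VALVE_PROPERTIES = {"pattern", "suffix", "directory", "prefix"}

def suspicious_params(target):
    """Return the parameter names in a request target that walk into the class loader."""
    if "?" not in target:
        return []
    query = target.split("?", 1)[1]
    hits = []
    for name, _value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already URL-decodes; decoding again catches double encoding.
        # "[x]" indexing is folded into ".x" so bracket variants are also caught.
        norm = unquote_plus(name).replace("[", ".").replace("]", "").lower()
        if norm.startswith(SUSPICIOUS_PREFIXES):
            hits.append(name)
    return hits

def scan_access_log(text):
    """Return (line_number, source_ip, param_names, touches_valve_property) per hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            touches_valve = any(h.rsplit(".", 1)[-1].lower() in VALVE_PROPERTIES for h in hits)
            findings.append((lineno, line.split()[0], hits, touches_valve))
    return findings

if __name__ == "__main__":
    for lineno, ip, params, valve in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: {ip} reached the class loader via {len(params)} param(s); valve properties touched: {valve}")
```

Access logs only show query-string parameters; the same property names sent in a form-encoded POST body are invisible here and need a request-logging proxy or WAF in front of the application.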

It’s hard to know precisely what to do with the report. The lack of detail and the geographic link to Singapore may suggest that a very limited number of devices are vulnerable, or possibly none at all, if what Trend saw was some tool used by the researchers. With no idea what or if real-world devices are vulnerable, it’s difficult to provide an accurate threat assessment or provide practical recommendations to avoid it.
