Khonsari – A new strain of malware delivered via the Apache Log4j RCE Vulnerability

Since the recent, successful exploitation of the Log4j RCE vulnerability, the number and variety of malware payloads exploiting this vulnerability has continued to increase. A previously unseen strain of malware, known as Khonsari, is one example of the new payloads.

Regression testing of the Khonsari sample shows that BluVector would have detected it 44 months prior to its release.

What Is It?

As we described in our previous Threat Report, attackers are utilizing successful exploitation of the Apache Log4j RCE vulnerability as an infection vector to install their malware payloads. As expected, following publication of that Threat Report, the number and variety of these malware payloads has continued to increase. One such payload, described by several researchers, was a previously unseen strain of malware, Khonsari, so named for the file extension added to files it encrypts.

Analysis of the Khonsari sample, performed as part of the research for this Threat Report, was more interesting than anticipated. Firstly, unlike most of the malware payloads installed by exploiting the Log4j vulnerability, this sample executes on Windows, rather than on Linux. Also noteworthy, the sample is a small (13KB) .NET executable and does not implement any significant anti-analysis techniques, meaning that from an analysis point of view, the sample decompiles cleanly. This indicates the sample was created by a relatively unsophisticated threat actor, which is consistent with the relative ease with which the Log4j vulnerability can be exploited.

The most significant attempt at anti-analysis by the authors is merely to utilize a basic string obfuscation technique. In more technical terms, strings within the sample are obfuscated by XOR'ing each string with a unique key, consisting of an eight-character alphabetic string. A simple Python script was written during analysis in order to reverse the obfuscation. The decrypted strings are shown below, along with their specific key:

VyDBLfRt :  AQAB
ZsfHtxUW :  lPy6RT6hgfRmVkajw3ZwFCAb2nZBCHJka3xkmeknG7SA/aAct9urvSY5fCEfC7HDMkw+x4UNyueXa3rPM7GTHZuQSegmdOyNkG29hi+LhKCH4...
ZrvabgFb :    --- 
FtxHwtyx :  Fec*****iques.Properties.Resources
IXrKEAOE :  \HOW TO GET YOUR FILES BACK.TXT
ObukVnAe :  Your files have been encrypted and stolen by the Khonsari family.
            If you wish to decrypt , call (225) 287-**** or email k****khonsari@gmail.com.
            If you do not know how to buy btc, use a search engine to find exchanges.
            DO NOT MODIFY OR DELETE THIS FILE OR ANY ENCRYPTED FILES. IF YOU DO, YOUR FILES MAY BE UNRECOVERABLE.
            Your ID is:
QvhhaQoW :  .khonsari
ItAGEocK :  .ini
diYplLvh :  ink
GoaahQrC :  http://3.145.115.94/zambos_caldo_de_p.txt
qMIamfMA :  C:\
mRQjIJGG :  Downloads
zBlcAGJA :  .khonsari
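The following script is an added illustration of the deobfuscation step described above; it is not the script written for the original analysis, and the obfuscated byte strings in it are constructed here by applying the XOR to the plaintext strings listed on the page. The page does not state how the eight-character key is applied, so the script assumes the key repeats across the string's bytes (key[i % 8]) and that the strings are ASCII/UTF-8. It also adds a plausibility check that flags output which does not look like text, which is the usual sign of a wrong key during this kind of analysis.

```python
"""Repeating-key XOR string deobfuscation, in the style of the Khonsari analysis.

Assumptions (not stated on the page): the key repeats over the string's bytes,
and strings are ASCII/UTF-8. All obfuscated blobs below are constructed here
from the plaintext strings shown on the page, not extracted from the sample.
"""
from __future__ import annotations

import string

KEY_LEN = 8  # the page describes eight-character alphabetic keys


def is_valid_key(key: str) -> bool:
    """True if the key matches the format the page describes: 8 letters."""
    return len(key) == KEY_LEN and all(c in string.ascii_letters for c in key)


def xor_with_key(data: bytes, key: str) -> bytes:
    """XOR each byte with the corresponding byte of the repeating key.

    XOR is symmetric, so the same function obfuscates and deobfuscates.
    """
    key_bytes = key.encode("ascii")
    return bytes(b ^ key_bytes[i % len(key_bytes)] for i, b in enumerate(data))


def looks_like_text(s: str, threshold: float = 0.95) -> bool:
    """Heuristic: a correct key yields mostly printable characters."""
    if not s:
        return False
    printable = sum(1 for c in s if c.isprintable() or c in "\r\n\t")
    return printable / len(s) >= threshold


def deobfuscate(blob: bytes, key: str) -> str:
    """Reverse the obfuscation for one string; raise on a malformed key."""
    if not is_valid_key(key):
        raise ValueError(f"key {key!r} is not an 8-character alphabetic key")
    return xor_with_key(blob, key).decode("utf-8", errors="replace")


def deobfuscate_hex(hex_blob: str, key: str) -> str:
    """Convenience wrapper for blobs copied out of a decompiler as hex."""
    return deobfuscate(bytes.fromhex(hex_blob), key)


def deobfuscate_table(table: dict[str, bytes]) -> dict[str, str]:
    """Decode a whole key -> blob table, like the list in the report."""
    return {key: deobfuscate(blob, key) for key, blob in table.items()}


# Constructed sample table: the page's keys paired with blobs we build ourselves
# by obfuscating the page's decrypted strings (so the script runs offline).
CONSTRUCTED_TABLE: dict[str, bytes] = {
    "QvhhaQoW": xor_with_key(b".khonsari", "QvhhaQoW"),
    "ItAGEocK": xor_with_key(b".ini", "ItAGEocK"),
    "diYplLvh": xor_with_key(b"ink", "diYplLvh"),  # the probable "lnk" typo
    "mRQjIJGG": xor_with_key(b"Downloads", "mRQjIJGG"),
}


def wrong_key_is_detectable(blob: bytes, wrong_key: str) -> bool:
    """Show that the plausibility check catches a mismatched key."""
    return not looks_like_text(deobfuscate(blob, wrong_key))


if __name__ == "__main__":
    for key, plain in deobfuscate_table(CONSTRUCTED_TABLE).items():
        flag = "" if looks_like_text(plain) else "  <-- suspicious, check key"
        print(f"{key} : {plain}{flag}")
```

The hex wrapper is the form an analyst usually needs, since decompilers expose the obfuscated blobs as byte arrays; the table form mirrors the key-to-string list above.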

Once the strings are deobfuscated and the code that utilizes them is reviewed, they reveal some interesting behaviors. First, the string "ink" appears to be a typo. The code snippet below shows that filenames ending with the deobfuscated strings ".khonsari" and ".ini" are skipped; however, it is unlikely the author's intention was to skip files ending with "ink". It is more probable that this string was intended to be "lnk", the file extension for shortcut files.

Khonsari deobfuscated strings

Next, the following code snippet shows how the URL in the list of deobfuscated strings is used. The call which uses it is intended to download the contents of a URL to a string. However, in this case, the result is not assigned to a string. More significantly, there is no error handling around this call. Therefore, in practice, if this URL is unreachable – as it was during analysis – the malware will crash. It's unclear whether the authors intended this to function as a kill switch for the malware or not. Regardless, blocking access to this URL removes any threat this malware poses, as the encryption process has not yet begun at this point in the code.

Khonsari URL without error handling
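Because the unhandled download is effectively a kill switch, the defender's action is to block the URL and alert on any attempt to reach it, since such an attempt is a sign that the payload has executed on that host. The script below is an added example, not part of the original report: it runs a simple indicator match over constructed proxy log lines. The log format (timestamp, client IP, method, URL, status) is an assumption chosen for the example; the host and path come from the deobfuscated string above. It matches on the host alone as well as on the full URL, so a variant that changes only the path is still flagged, and it treats blocked requests as hits too, because a blocked request still tells you which host ran the sample.

```python
"""Flag proxy log entries that reach the Khonsari kill-switch URL.

Added example. The log format below is an assumption for this illustration;
the indicator host and path are the ones listed in the deobfuscated strings.
The sample log lines are constructed, not real traffic.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicator from the deobfuscated strings: http://3.145.115.94/zambos_caldo_de_p.txt
INDICATOR_HOST = "3.145.115.94"
INDICATOR_PATH = "/zambos_caldo_de_p.txt"

# Constructed proxy log: "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2021-12-14T10:02:11Z 10.0.5.23 GET http://3.145.115.94/zambos_caldo_de_p.txt 200
2021-12-14T10:02:15Z 10.0.5.23 GET http://example.com/index.html 200
2021-12-14T10:03:40Z 10.0.7.9 GET http://3.145.115.94/zambos_caldo_de_p.txt 403
2021-12-14T10:04:02Z 10.0.7.9 GET http://3.145.115.94/other.txt 403
2021-12-14T10:05:30Z 10.0.9.1 GET https://update.example.org/check 200
"""


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client: str
    url: str
    status: str
    reason: str  # "exact-url" or "host-only"


def parse_line(line: str) -> tuple[str, str, str, str, str] | None:
    """Split one log line into its five fields; None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    timestamp, client, method, url, status = parts
    return timestamp, client, method, url, status


def classify_url(url: str) -> str | None:
    """Return the match reason for a URL, or None if it is not an indicator."""
    parts = urlsplit(url)
    if parts.hostname != INDICATOR_HOST:
        return None
    return "exact-url" if parts.path == INDICATOR_PATH else "host-only"


def scan(log_text: str) -> list[Hit]:
    """Run the indicator match over every line and collect the hits.

    Blocked requests (403 etc.) are still hits: the host attempted the
    download, which means the sample executed there even though it crashed.
    """
    hits: list[Hit] = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        timestamp, client, _method, url, status = fields
        reason = classify_url(url)
        if reason is not None:
            hits.append(Hit(timestamp, client, url, status, reason))
    return hits


def affected_hosts(hits: list[Hit]) -> set[str]:
    """Client IPs that should be checked for a Log4j-exploited service."""
    return {h.client for h in hits}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h.timestamp} {h.client} {h.url} status={h.status} ({h.reason})")
    print("hosts to investigate:", sorted(affected_hosts(found)))
```

Every host in the output should be treated as having a reachable, exploited Log4j service regardless of whether the download succeeded; the block only stops this payload, not the next one delivered through the same vulnerability.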

However, it is the strings which are partially redacted in the list above that are the most interesting of all. The name of the resource included in the sample, the contact phone number, and the email address in the ransom note are those of a legitimate business located in Baton Rouge, Louisiana. The contact phone number for the legitimate business has been changed since this malware was released, indicating they received a degree of unwanted attention as a result. It is common practice for malware authors to include blocks of text within their code. These are easily altered between variants and are used in an attempt to evade signatures created to detect previous versions of the malware.

In this case, it seems to achieve a completely different objective. It doesn't provide the victim a way to contact the threat actor in order to negotiate, or pay, the ransom. The sample utilizes cryptographically secure encryption, meaning encrypted files cannot be decrypted without a valid decryption key. Therefore, the sample's behavior actually characterizes it as destructive malware, not ransomware. It is not clear whether this malware is intended to be purely destructive, or if it is actually ransomware under active development and this was a test of sorts.


Reverse engineering malware is often a lengthy process, requiring highly skilled and experienced individuals. This sample shows that the required reverse engineering effort can be proportional to the sophistication of the malware being analyzed. It also demonstrates that a sample may behave differently from how it appears at first glance. Finally, it is a reminder that sophisticated threat actors and malware are not necessary to cause damage to an organization's infrastructure.

How Does It Propagate?

The Log4j RCE vulnerability, CVE-2021-44228, is used as the infection vector in these attacks. This malware does not contain the necessary code to self-propagate.

When/How Did BluVector Detect Khonsari?

The publicly available sample of Khonsari malware analyzed for this Threat Report was tested against BluVector’s patented Machine Learning Engine (MLE), and it was detected. Regression testing of this sample shows that BluVector would have detected it 44 months prior to its release.

Threat Team
BluVector’s Threat Report is written by BluVector’s expert security team, tasked with identifying the latest cybersecurity threats in the wild and when our solutions would protect customers from those threats.
