Microsoft Security Intelligence
Published Dec 10, 2021 | Updated Dec 20, 2021

Trojan:Linux/BashMiner.A

Detected by Microsoft Defender Antivirus

Aliases: No associated aliases

Summary

Microsoft Defender Antivirus detects and removes this threat. 

This threat is a cryptocurrency mining payload dropped after exploitation of the remote code execution vulnerability CVE-2021-44228 (also referred to as “Log4Shell”) in the Apache Log4j component. The vulnerability affects Java-based applications that use Log4j 2 versions 2.0 through 2.14.1.

Attackers send input that the vulnerable Log4j component logs; the logged string causes Log4j to load and run arbitrary remote code from attacker-controlled LDAP servers. This can allow attackers to install cryptocurrency miners on the target device.

Read the following blogs for more information:

Microsoft Defender Antivirus or Microsoft Defender for Endpoint on Linux automatically removes threats as they are detected. If you have cloud-delivered protection, your device gets the latest defenses against new and unknown threats. If you don't have this feature enabled, update your antimalware definitions and run a full scan to remove this threat.

  • Confirm that this server has Apache and the Log4j component installed.
  • Check the server timeline for other suspicious activities.
  • Locate unfamiliar processes in the process tree. Check suspicious files for prevalence, their locations, and digital signatures.
  • Submit relevant files for deep analysis and review file behaviors.
  • Identify unusual system activity with system owners.
  • Find related devices, network addresses, and files in the incident graph.
  • Stop suspicious processes, isolate affected devices, decommission compromised accounts or reset passwords, block IP addresses and URLs, and install security updates. Update the Log4j component to log4j-2.17.0, or ensure that the device is set to start with log4j2.formatMsgNoLookups set to true.
  • Contact your incident response team, or contact Microsoft support for investigation and remediation services.
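Added example, not code from the Microsoft entry: a small POSIX shell triage helper for the checklist above. It flags log4j-core jars older than the 2.17.0 update the entry names and checks running Java command lines for the log4j2.formatMsgNoLookups flag; the function names and sample paths are my own.

```shell
# Added triage helper (not Microsoft's code): checks log4j-core jars and
# running Java processes against the remediation the entry describes.

# Dotted numeric version compare: returns 0 (true) if $1 is older than $2.
version_lt() {
    v1=$1 v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        p1=${v1%%.*}; p2=${v2%%.*}
        [ "$v1" = "$p1" ] && v1= || v1=${v1#*.}
        [ "$v2" = "$p2" ] && v2= || v2=${v2#*.}
        [ "${p1:-0}" -lt "${p2:-0}" ] && return 0
        [ "${p1:-0}" -gt "${p2:-0}" ] && return 1
    done
    return 1
}

# Classify a log4j-core jar by the version in its file name: anything below
# 2.17.0 (the version the entry tells you to update to) is "vulnerable".
# Pre-release suffixes such as 2.0-beta9 are trimmed to their numeric part.
classify_jar() {
    ver=${1##*/}; ver=${ver#log4j-core-}; ver=${ver%.jar}
    ver=$(printf '%s' "$ver" | sed 's/[^0-9.].*//')
    if version_lt "$ver" 2.17.0; then echo vulnerable; else echo patched; fi
}

# Does a Java command line carry the formatMsgNoLookups mitigation flag?
has_nolookups_flag() {
    case "$1" in *-Dlog4j2.formatMsgNoLookups=true*) return 0 ;; *) return 1 ;; esac
}

# Walk a directory tree and print "<status> <path>" for every log4j-core jar.
scan_jars() {
    find "$1" -type f -name 'log4j-core-*.jar' 2>/dev/null | while IFS= read -r jar; do
        printf '%s %s\n' "$(classify_jar "$jar")" "$jar"
    done
}

# Report every running java process and whether its JVM flags include the mitigation.
scan_processes() {
    for cmd in /proc/[0-9]*/cmdline; do
        line=$(tr '\0' ' ' < "$cmd" 2>/dev/null) || continue
        case "$line" in *java*) ;; *) continue ;; esac
        pid=${cmd#/proc/}; pid=${pid%/cmdline}
        if has_nolookups_flag "$line"; then echo "pid $pid: formatMsgNoLookups=true"
        else echo "pid $pid: mitigation flag missing"; fi
    done
}
# Usage: sh log4j_triage.sh /opt   (scans that tree, then the process list)
if [ -n "${1-}" ]; then scan_jars "$1"; scan_processes; fi
```

A jar name is only a hint: a vendor-patched jar may keep an old version string, so confirm with the file's manifest and the vendor's advisory before closing the finding.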

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.
