The ASEC analysis team has been monitoring attacks that are targeting vulnerable systems. This post will discuss cases of attacks targeting vulnerable Atlassian Confluence Servers that are not patched.
Atlassian’s Confluence is a major collaboration platform used by many companies across the globe. Being a web-based platform, services such as managing projects and collaboration are mainly provided by Confluence Servers (or Confluence Data Centers). As it is a solution used by many companies, vulnerabilities affecting Confluence Servers and Data Centers have been continuously discovered, and attackers target systems that are not patched.
The major attack cases involve CVE-2021-26084 and CVE-2022-26134. Both are remote code execution vulnerabilities that attackers use against systems that have not been updated. If the attack succeeds, the attacker can install a WebShell or malware to gain control of the infected system.
Attackers can find vulnerable systems through scanning, and they can also use search engines that index servers connected to the Internet, such as Shodan.
The post will list various attack cases such as CoinMiners installed by exploiting Atlassian Confluence Server vulnerabilities and WebShells installed to maintain persistence by the attackers.
Godzilla WebShell Attack Case
A WebShell is a file that is uploaded to a web server and provides file navigation or runs system shell commands. Once it is installed in a system, an attacker can control the infected system while maintaining persistence. According to the Volexity blog on the discovery of the CVE-2022-26134 vulnerability, the attacker installed a WebShell on a vulnerable Confluence Server to maintain persistence after the vulnerability attack. AhnLab’s ASD log also shows multiple WebShells being created in vulnerable Atlassian Confluence Server environments. Most of the WebShells used in the recent attacks are Godzilla JSP WebShells as shown below.
The “pass” in the JSP script shown above is the “Password” that the attacker designated in Figure 3, used as an argument for the WebShell communication process. The “xc” is the first 16 characters of the MD5 hash value of the “Key” string designated by the attacker. It is used as the AES key when encrypting and decrypting packets.
Godzilla uses the dynamic class loading method. To do so, the attacker sends a malicious payload to the Java environment infected with a WebShell. It is the data encrypted with the AES key value designated in Figure 2. The WebShell decrypts the data to load a malicious Java class that can perform malicious behaviors by receiving commands from the attacker.
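The relationship between “Key”, “xc” and “pass” described above can be turned into a triage check for JSP files found under a Confluence web root. The following is an added example, not code from ASEC or from the WebShell itself; the `String xc="..."` declaration style, the marker list and the sample text are assumptions constructed for illustration.

```python
import hashlib
import re

# Assumption: the shell declares the two values as Java string literals.
DECL = re.compile(r'String\s+(xc|pass)\s*=\s*"([^"]*)"')
# Java APIs that decrypting and dynamically loading a class require.
MARKERS = ("defineClass", "javax.crypto.Cipher", "ClassLoader")

def derive_xc(key: str) -> str:
    """First 16 hex characters of MD5(key), as the post describes for 'xc'."""
    return hashlib.md5(key.encode()).hexdigest()[:16]

def inspect_jsp(text: str, candidate_keys=()):
    """Return a finding dict if the JSP looks like a Godzilla-style shell, else None."""
    decls = dict(DECL.findall(text))
    xc = decls.get("xc", "")
    hits = [m for m in MARKERS if m in text]
    if not re.fullmatch(r"[0-9a-f]{16}", xc) or "pass" not in decls or len(hits) < 2:
        return None
    # A recovered key lets responders decrypt captured traffic sent to this shell.
    key = next((k for k in candidate_keys if derive_xc(k) == xc), None)
    return {"xc": xc, "pass": decls["pass"], "markers": hits, "key": key}

SAMPLE_KEY = "constructed-key"  # constructed for this example
# Constructed, non-functional skeleton carrying only the strings the check looks for.
SAMPLE_SHELL = (
    '<%! String xc="' + derive_xc(SAMPLE_KEY) + '"; String pass="pass";\n'
    'class X extends ClassLoader { /* defineClass wrapper elided */ }\n'
    '/* javax.crypto.Cipher AES decrypt elided */ %>'
)
BENIGN = '<%@ page import="java.util.Date" %><html><%= new Date() %></html>'

if __name__ == "__main__":
    print(inspect_jsp(SAMPLE_SHELL, ["admin", SAMPLE_KEY]))
    print(inspect_jsp(BENIGN))
```

A match is a lead for manual review of the file, and a recovered key applies only to that one shell.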
If the above procedure succeeds, the attacker can obtain the information of the infected system or send malicious commands from the panel shown below.
The Godzilla WebShell type mentioned above can be found in multiple vulnerable Atlassian Confluence Servers, with a single system possibly containing a number of Godzilla WebShells. The following is a list of paths where WebShells presumably created from Atlassian Confluence vulnerabilities are installed.
8220 Gang Miner Distribution Case
‘8220 Gang’ is an attack group targeting vulnerable Windows and Linux-based servers using the CVE-2022-26134 vulnerability. If the vulnerability attack succeeds, the group ultimately installs Monero CoinMiner (XMRig). It was recently discovered that the group is also targeting Korean servers.
This group has been active since 2017 and is recently known to use the wallet address “46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ” for mining XMRig.
If the CVE-2022-26134 vulnerability attack succeeds, additional PowerShell scripts are downloaded and executed with the following PowerShell command.
The script also acts as a downloader, installing the ‘ps1-6.exe’ malware from a certain URL.
‘ps1-6.exe’ downloads additional payloads into memory from the URL below and dynamically loads them. The payload loaded through this process is an injector that performs process hollowing on the normal process ‘InstallUtil.exe’.
The payload injected into InstallUtil.exe also performs downloading and injection. The ultimate payload is downloaded from 185.157.160[.]214:8080. After that, XMRig CoinMiner is injected into the normal process ‘AddInProcess.exe’.
Settings information needed for mining, such as the mining pool address and the wallet address, is passed as arguments when the injector (InstallUtil.exe) runs ‘AddInProcess.exe’ as in Figure 10.
- Mining Pool Address: “51.79.175[.]139:8080”
- Wallet Address: “46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ”
- Password: “x”
z0Miner Attack Case
z0miner is a CoinMiner distributed using various vulnerabilities such as CVE-2021-26084. Figure 11 shows AhnLab’s ASD log of z0miner being installed through PowerShell in a vulnerable Atlassian Confluence Server.
wi.txt is a PowerShell script that removes previously known Miners. It forcibly terminates them by searching based on programs registered to Task Scheduler, the command lines of currently running processes, port numbers in use, and process names.
It then installs XMRig Miner from the URL shown below. The settings data such as mining pool and the wallet address are saved in config.json. XMRig operates under the name of javae.exe in the %TEMP% path.
- Mining Pool Address: “pool.supportxmr[.]com:80”
- Wallet Address: “44Lu9jhKUuTVcSwGL1jLU6MKyFVNewBdL5mT13fjxLhFTSa5i6E5hMrAv1SmH16NYvc51GY6RnvQSKM4CDFFRov68aRFgYi”
- Password: “x”
Hezb CoinMiner Attack Case
An attempt to install Hezb CoinMiner on vulnerable Atlassian Confluence Servers was discovered in early June of 2022. Hezb is a CoinMiner recently distributed through the CVE-2022-26134 vulnerability. The figure below shows a log of PowerShell run by the Tomcat process installing Hezb. kill.bat is the initial batch malware used for Hezb attacks.
kill.bat disables the real-time scan of Windows Defender, then downloads and runs mad.bat, which installs the actual Hezb.
mad.bat is the malware that installs the actual CoinMiner. It uses NSSM (dsm.exe) to register XMRig (dom.exe) as a service and perform mining in the infected system.
- Mining Pool Address: “gulf.moneroocean[.]stream:10001”
- Wallet Address: “46HmQz11t8uN84P8xgThrQXSYm434VC7hhNR8be4QrGtM1Wa4cDH2GkJ2NNXZ6Dr4bYg6phNjHKYJ1QfpZRBFYW5V6qnRJN”
- Password: “dom.[Computer Name]”
Accessing the download webpage for Hezb shows the list of malware strains mentioned above.
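The process relationships in the three miner cases above (PowerShell started by the Tomcat process, InstallUtil.exe starting AddInProcess.exe with mining settings as arguments, and XMRig running as javae.exe under %TEMP%) can be checked against process-creation logs. The following is an added example, not ASEC's detection logic; the event field names, the Tomcat image names, the paths and the sample events are assumptions constructed for illustration.

```python
import re

B58 = "1-9A-HJ-NP-Za-km-z"
# Standard Monero address shape: 95 base58 characters starting with "4".
WALLET = re.compile(rf"(?<![{B58}])4[{B58}]{{94}}(?![{B58}])")
SHELLS = {"powershell.exe", "cmd.exe"}
# Assumption: image names under which the Confluence Tomcat JVM may run.
TOMCAT = {"tomcat9.exe", "java.exe"}

def base(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(event: dict) -> list:
    """Return the names of the rules a process-creation event matches."""
    parent, image = base(event["parent"]), base(event["image"])
    hits = []
    if parent in TOMCAT and image in SHELLS:
        hits.append("webserver_spawned_shell")           # z0Miner and Hezb delivery
    if parent == "installutil.exe" and image == "addinprocess.exe":
        hits.append("installutil_spawned_addinprocess")  # 8220 Gang injector chain
    if WALLET.search(event["cmdline"]):
        hits.append("wallet_in_cmdline")                 # mining settings as arguments
    if image == "javae.exe" and "\\temp\\" in event["image"].lower():
        hits.append("javae_in_temp")                     # z0Miner's XMRig name and path
    return hits

FAKE_WALLET = "4" + "A" * 94  # constructed, not a real address
NET = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
EVENTS = [  # constructed sample events
    {"parent": r"C:\Confluence\bin\tomcat9.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe <arguments elided>"},
    {"parent": NET + r"\InstallUtil.exe", "image": NET + r"\AddInProcess.exe",
     "cmdline": "AddInProcess.exe -o 192.0.2.10:8080 -u " + FAKE_WALLET + " -p x"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\svc\AppData\Local\Temp\javae.exe", "cmdline": "javae.exe"},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Confluence\bin\tomcat9.exe", "cmdline": "tomcat9.exe //RS//Confluence"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(base(e["image"]), triage(e))
```

The `webserver_spawned_shell` rule will also match legitimate administrative scripts started by Java services, so treat it as a triage signal to correlate with the other rules.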
Attackers have recently been targeting vulnerable Atlassian Confluence Servers to install malware such as CoinMiners and WebShells. System administrators should check whether the Confluence version currently in use is vulnerable (Confluence 7.15.0 – 7.18.0 or Confluence 6.0.0 – Confluence 7.14.2), and update the server to the latest version to prevent attacks using previously known vulnerabilities. For public servers, it is also necessary to go through a 2-step verification and control external access via security products.
How to apply the official patch for Atlassian: https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
AhnLab’s anti-malware software, V3, detects and blocks the malware using the following aliases:
– CoinMiner/PowerShell.Agent (2022.07.14.02)
– Downloader/PS.Miner (2022.07.15.00)
– Trojan/Win.Generic.C5154950 (2022.06.02.02)
– Downloader/Win.MSIL.R504742 (2022.07.15.00)
– Trojan/BAT.Agent (2022.07.14.01)
– CoinMiner/BAT.Generic (2022.07.14.00)
– Unwanted/Win32.NSSM.R353938 (2020.10.27.00)
– Win-Trojan/Miner3.Exp (2019.12.11.01)
– Trojan/Win64.XMR-Miner.R226842 (2019.12.11.01)
– WebShell/JSP.Generic.S1538 (2021.06.15.03)
– WebShell/JSP.Godzilla.S1719 (2022.01.10.02)
– WebShell/JSP.Antsword.S1720 (2022.04.15.03)