Cases of Attacks Targeting Vulnerable Atlassian Confluence Servers – ASEC BLOG

The ASEC analysis team has been monitoring attacks that are targeting vulnerable systems. This post will discuss cases of attacks targeting vulnerable Atlassian Confluence Servers that are not patched.

Atlassian’s Confluence is a major collaboration platform used by many companies across the globe. Being a web-based platform, services such as managing projects and collaboration are mainly provided by Confluence Servers (or Confluence Data Centers). As it is a solution used by many companies, many vulnerabilities targeting vulnerable Confluence Servers and Data Centers have been continuously discovered, with attackers targeting systems that are not patched.

The major attack cases are CVE-2021-26084 and CVE-2022-26134. They are remote code execution vulnerabilities used by attackers to target vulnerable systems that are not updated. If the attack succeeds, an attacker can install WebShell or malware to gain control of the infected system.

Attackers can check vulnerable systems through scanning, and they can also use search engines that can search servers connected to the Internet such as Shodan.

Figure 1. Vulnerable Korean servers which can be found in Shodan (Confluence version: 7.14.1 and 6.15.6)

The post will list various attack cases such as CoinMiners installed by exploiting Atlassian Confluence Server vulnerabilities and WebShells installed to maintain persistence by the attackers.

Godzilla WebShell Attack Case

WebShell is a file that is uploaded to a web server and runs file navigation or system shell commands. Once it is installed in a system, an attacker can control the infected system while maintaining persistence. According to the Volexity blog on a discovery of CVE-2022-26134 vulnerability, the attacker installed a WebShell on a vulnerable Confluence Server to maintain persistence after a vulnerability attack. AhnLab’s ASD log also shows how multiple WebShells are being created in vulnerable Atlassian Confluence Server environments. Most of the WebShells used for the recent attacks are Godzilla JSP WebShells as shown below.

Figure 2. Godzilla JSP WebShell used for attacks

The “pass” from the JSP script shown above indicates “Password” that the attacker designated from Figure 3, used as an argument for the WebShell communication process. The “xc” is the MD5 hash value (first 16 characters) of the “Key” string designated by the attacker. It is used as an AES key during encrypting and decrypting packets.

Figure 3. Creating Godzilla WebShell

Godzilla uses the dynamic class loading method. To do so, the attacker sends a malicious payload to the Java environment infected with a WebShell. It is the data encrypted with the AES key value designated in Figure 2. The WebShell decrypts the data to load a malicious Java class that can perform malicious behaviors by receiving commands from the attacker.

Figure 4. Example of Godzilla communications

If the above procedure succeeds, the attacker can obtain the information of the infected system or send malicious commands from the panel shown below.

Figure 5. C&C panel for sending commands to Godzilla WebShell

The Godzilla WebShell type mentioned above can be found in multiple vulnerable Atlassian Confluence Servers, with a single system possibly containing a number of Godzilla WebShells. The following is a list of paths where WebShells presumably created from Atlassian Confluence vulnerabilities are installed.

%ProgramFiles%atlassianconfluenceconfluence504page.jsp
%ProgramFiles%atlassianconfluenceconfluenceabout500page.jsp
%ProgramFiles%atlassianconfluenceconfluencehavefun.jsp
%ProgramFiles%atlassianconfluenceconfluenceincludesjsamdshimempty.jsp
%ProgramFiles%atlassianconfluenceconfluenceumamgu.jsp
%ProgramFiles%atlassianconfluencetestant.jsp
%ProgramFiles%atlassianconfluencevmgjglsg.jsp
%SystemDrive%atlassianconfluenceconfluence504page.jsp
%SystemDrive%atlassianconfluenceconfluenceaboutabout.jsp
%SystemDrive%atlassianconfluenceconfluencehavefun.jsp
%SystemDrive%atlassianconfluenceconfluencepagesincludesclasslog.jsp
%SystemDrive%atlassianconfluenceconfluencescript.jsp
%SystemDrive%atlassianconfluencewtoojcaj.jsp
d:atlassianconfluenceconfluence504page.jsp
d:atlassianconfluenceconfluenceaa.vbs
d:atlassianconfluenceconfluencehave.txt
d:atlassianconfluenceconfluencejspath.jsp
d:atlassianconfluenceconfluencetemplateauisubmiti.jsp
e:atlassianconfluenceconfluenceincludesjsamdshimempty.jsp
e:atlassianconfluenceconfluencescript.jsp
e:atlassianconfluencehavefun.jsp
e:atlassianconfluenceyvjlqmmr.jsp
Table 1. WebShell installation path found in vulnerable systems of various companies

8220 Gang Miner Distribution Case

‘8220 Gang‘ is an attack group targeting vulnerable Windows and Linux-based servers using the CVE-2022-26134 vulnerability. If the vulnerability attack succeeds, the group ultimately installs Monero CoinMiner (XMRig). It was recently discovered that the group is also targeting Korean servers.

This group has been active since 2017 and is recently known to use the wallet address [1]“46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ” for mining XMRig.

If the CVE-2022-26134 vulnerability attack succeds, additional powershell scripts are downloaded and executed with the following powershell command.

Figure 6. Powershell command discovered from AhnLab log

The script also acts as a downloader, installing the ‘ps1-6.exe’ malware from a certain URL.

Figure 7. lol.ps1 script downloaded by the powershell command

‘ps1-6.exe’ downloads additional payloads into the memory from the URL below and dynamically loads them. The payloads loaded through the process becomes an injector that performs process hollowing to the normal process ‘InstallUtil.exe’.

Figure 8. ps1-6.exe downloaded by powershell script

The payload injected into InstallUtil.exe also performs downloading and injection. The ultimate payload is downloaded from 185.157.160[.]214:8080. After then, XMRig CoinMiner is injected into the normal process ‘AddInProcess.exe’.

Figure 9. Ultimate process tree (AddInProcess.exe is Miner)

Settings information needed for mining such as the mining pool address and the wallet address is run as an argument when the injector (InstallUtil.exe) runs ‘AddInProcress.exe’ as in Figure 10.

Figure 10. Argument of the normal process (AddInProcress.exe) with XMRig
  • Mining Pool Address: “51.79.175[.]139:8080”
  • Wallet Address: “46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ”
  • Password: “x”

z0Miner Attack Case

z0miner is a CoinMiner distributed using various vulnerabilities such as CVE-2021-26084[2][3]. The Figure 11 shows AhnLab’s ASD log of z0miner being installed through powershell in a vulnerable Atlassian Confluence Server.

Figure 11. z0miner installation log

wi.txt is a powershell script that removes previously known Miners. It forcibly terminates them by searching based on programs registered to Task Scheduler, the command lines of currently running processes, port numbers in use, and process names.

Figure 12. Script for installing z0miner

It then installs XMRig Miner from the URL shown below. The settings data such as mining pool and the wallet address are saved in config.json. XMRig operates under the name of javae.exe in the %TEMP% path.

Figure 13. Viewing other Miners and forcibly terminating them
  • Mining Pool Address: “pool.supportxmr[.]com:80”
  • Wallet Address: “44Lu9jhKUuTVcSwGL1jLU6MKyFVNewBdL5mT13fjxLhFTSa5i6E5hMrAv1SmH16NYvc51GY6RnvQSKM4CDFFRov68aRFgYi”
  • Password: “x”

Hezb CoinMiner Attack Case

An attempt to install Hezb CoinMiner on vulnerable Atlassian Confluence Servers was discovered in early June of 2022. Hezb is a CoinMiner recently distributed through the CVE-2022-26134 vulnerability.[4] The figure below shows a log of powershell run by the Tomcat process installing Hezb. kill.bat is the initial batch malware used for Hezb attacks.

Figure 14. Attempt to install Hezb

kill.bat disables real-time scan of Windows Defender and downloads and runs mad.bat that installs actual Hezb.

Figure 15. kill.bat used for attacks

mad.bat is a malware that installs actual CoinMiner. It uses NSSM (dsm.exe) to register XMRig (dom.exe) as a service and perform mining in the infected system.

Figure 16. XMRig Miner operation after registered as a service
  • Mining Pool Address: “gulf.moneroocean[.]stream:10001”
  • Wallet Address: “46HmQz11t8uN84P8xgThrQXSYm434VC7hhNR8be4QrGtM1Wa4cDH2GkJ2NNXZ6Dr4bYg6phNjHKYJ1QfpZRBFYW5V6qnRJN”
  • Password: “dom.[Computer Name]”

Accessing the download webpage for Hezb shows the list of malware strains mentioned above.

Figure 17. Webpage for downloading Hezb

Attackers are recently targeting vulnerable Atlassian Confluence Servers to install malware such as CoinMiner and WebShells. System administrators should check if Confluence currently under use has a vulnerable version (Confluence 7.15.0 – 7.18.0 or Confluence 6.0.0 – Confluence 7.14.2), and update the server to the latest version to prevent attacks using previously known vulnerabilities. For public servers, it is also necessary to go through a 2-step verification and control external access via security products.

How to apply the official patch for Atlassian: https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html

AhnLab’s anti-malware software, V3, detects and blocks the malware using the following aliases:

[File Detection]
– CoinMiner/PowerShell.Agent (2022.07.14.02)
– Downloader/PS.Miner (2022.07.15.00)
– Trojan/Win.Generic.C5154950 (2022.06.02.02)
– Downloader/Win.MSIL.R504742 (2022.07.15.00)
– Trojan/BAT.Agent (2022.07.14.01)
– CoinMiner/BAT.Generic (2022.07.14.00)
– Unwanted/Win32.NSSM.R353938 (2020.10.27.00)
– Win-Trojan/Miner3.Exp (2019.12.11.01)
– Trojan/Win64.XMR-Miner.R226842 (2019.12.11.01)
– WebShell/JSP.Generic.S1538 (2021.06.15.03)
– WebShell/JSP.Godzilla.S1719 (2022.01.10.02)
– WebShell/JSP.Antsword.S1720 (2022.04.15.03)

[Behavior Detection]
– Execution/MDP.Powershell.M1185

[IOC]
MD5
8220 Gang

– 51ac2e4df1978c3fadaf3654f0f91462 (lol.ps1)
– dbda412cf6bf74af449ecb0b3bac7aa8 (ps1-6.exe)
– 8e211d1701e0e16cd30a414f5e5a384c (payload executed from ‘InstallUtil.exe’)
– af0b85c176c7c32f0e9585b7eeaa6629 (XMRig executed from ‘AddInProcress’)

z0miner
– 95b1e4700488855a86caeed05e9d69ac (wi.txt)
– eecae73b7b0e1f5994f0b2135bf3aeb6 (wi.txt)
– 9dc451c7ddd841cdbed35018000bfd34 (clean.bat)
– d268585f581dbf9cc3b0c31b26a21abb (XMRig)

Hezb
– cb160e725249e2c0534eb01ec3d8e049 (kill.bat)
– f7da4506e638185af1f1b2fe30a2e9d2 (mad.bat)
– 1136efb1a46d1f2d508162387f30dc4d (dsm.exe – NSSM)
– 3edcde37dcecb1b5a70b727ea36521de (dom.exe – XMRig)
– 7ef97450e84211f9f35d45e1e6ae1481 (dom.exe – XMRig)

WebShell
– 975135edeab93b0da209e6d3d1be31ee (Godzilla)
– 37aed4e14b31dbd3a6a58c6e952b9847 (Godzilla)
– 1614943098a96caa5316fa46af91b20d (Godzilla)
– c03ec827d634899fdb2b275dad39c0aa (Godzilla)
– 9592237d299256d6abb0701b17bb7002 (Godzilla)
– f1595fced1a5f9b59046f28a16b04825 (Godzilla)
– e0421b2205153aaa910e8b3b6edee13f (Godzilla)
– ba6e65718963046baa260a71f0bbfffc (Godzilla)
– f30c109fd80b66e862f1c41d05a115c9 (Godzilla)
– 1f2a56fd54f302857846e8901232c03a (AntSword)

Download URL
8220 Gang
– hxxp://89.34.27[.]167/lol.ps1
– hxxp://95.142.47[.]77/ps1-6.exe
– hxxp://95.142.47[.]77/ps1-6_Jweozaou.jpg
– 185.157.160[.]214:8080
– 51.79.175[.]139:8080

z0miner
– hxxp://27.1.1[.]34:8080/docs/s/wi.txt
– hxxp://27.1.1[.]34:8080/docs/xmrig.exe
– hxxp://27.1.1[.]34:8080/docs/s/config.json
– hxxp://27.1.1[.]34:8080/examples/clean.bat

Hezb
– hxxp://202.28.229[.]174/win/mad.bat
– hxxp://202.28.229[.]174/win/kill.bat
– hxxp://202.28.229[.]174/win/dom.zip
– hxxp://202.28.229[.]174/win/dom-6.zip

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Source: https://asec.ahnlab.com/en/36820/