Attackers leverage Confluence Server vulnerability to spread Monero mining malware

• The malware comes packed with a rootkit that is used to hide the malicious activities of the attackers.
• The attack begins with attackers sending a command to download a shell script hosted on Pastebin.

Attackers are recently exploiting a well-known Confluence Server and Data Center vulnerability to spread a Monero mining malware. The malware comes packed with a rootkit that is used to hide the malicious activities of the attackers.

What’s the matter?

In a report, Augusto Remillano II and Robert Malagad from Trend Micro have revealed that the attackers are leveraging the vulnerability - CVE-2019-3396 - to deliver a Monero cryptocurrency miner with a rootkit component. The miner is detected as Coinminer.Linux.MALXMR.UWEJI.

How does the attack occur?

The attack begins when attackers send a command to download a shell script hosted on Pastebin. After killing some processes, the script downloads and runs the second shell script. The file in the second script drops a third shell script that is responsible for downloading a trojan dropper from the following servers:

• gwjyhs[.]com
• Img[.]sobot[.]com

What is the purpose of the rootkit?

The rootkit used in the campaign is detected as Rootkit.Linux.KERBERDS.A. Its main aim is to hide the malware from detection.

“Unlike the older rootkit that only hooks the readdir function to hide the mining process, this new version hooks more functions. It hides not only the mining process but also certain files and network traffic. It is also capable of forging the machine’s CPU usage,” researchers explained.

Bottom line

The same vulnerability has been previously used to distribute GandCrab v5.2 and a variant of AESDDoS botnet. Given the wide exploitation of the vulnerability, Atlassian has released a security update to fix the issue. Thus, users are advised to apply the patch in order to stay safe from such attacks.