​Vulnerable Confluence Server and Data Center abused to deliver GandCrab and AESDDoS botnet

• Threat actors are leveraging vulnerable versions of Confluence Server and Data Center to perform DDoS attacks, remote code execution and cryptocurrency mining on systems.
• The AESDDoS variant is capable of launching various types of DDoS attacks including SYN, LSYN, UDP, UDPS and TCP flood.

Malicious actors have been found exploiting a vulnerability in Confluence Server and Data Center to distribute GandCrab ransomware as well as a variant of AESDDoS botnet. The vulnerability, tracked as CVE-2019-3396, exists in the Widget Connector macro component. The macro is primarily designed to allow users to embed other websites’ multimedia content into a Confluence page. But, the flaw in the macro can be used to achieve server-side template injection, path traversal and remote code execution on affected systems.

What is the purpose

According to researchers at TrendMicro, threat actors are leveraging vulnerable versions of Confluence Server and Data Center to perform DDoS attacks, remote code execution and cryptocurrency mining on systems. This is done by the infamous GandCrab ransomware and Backdoor.Linux.AESDDOS.J (a variant of AESDDoS botnet).

What are the capabilities of AESDDoS botnet variant

The AESDDoS variant is capable of launching various types of DDoS attacks including SYN, LSYN, UDP, UDPS and TCP flood. It also connects to 23[.]224[.]59[.]34:48080 to send and receive remote shell commands from the attackers.

Additionally, the malware variant is also capable of stealing system information like Model ID, CPU description, speed, and type. This stolen system information is encrypted using the AES algorithm and later used with the variant’s ‘cmdshell’ to load cryptocurrency miners to affected machines.

“Apart from the abovementioned capabilities, this AESDDoS variant also modifies files, i.e., /etc/rc.local and /etc/rc.d/rc.local, as an autostart technique by appending the {malware path}/{malware file name} reboot command,” researchers added.

How to stay safe: Continuous monitoring during the development of software should be practiced in order to flag risks in servers, data centers, and other computing environments. Enterprises are advised to patch the affected versions of Confluence server and data center with the latest security updates.