This cryptocurrency miner exploits the new Confluence remote code execution bug
Cryptojacker z0Miner is now weaponizing a new Confluence vulnerability to mine cryptocurrency on vulnerable machines.
Trend Micro researchers said Tuesday that cryptocurrency mining malware now exploits a recently disclosed Atlassian Confluence remote code execution (RCE) vulnerability, which was only made public in August this year.
Tracked as CVE-2021-26084, the vulnerability affects Confluence Server versions 6.6.0, 6.13.0, 7.4.0 and 7.12.0.
Awarded a CVSS severity score of 9.8, the critical security vulnerability is an Object-Graph Navigation Language (OGNL) injection vulnerability that can be exploited to trigger RCE – and is known to be actively exploited in the wild.
The vulnerability was reported by Benny Jacob through Atlassian’s bug bounty program.
z0Miner, a Trojan and cryptocurrency mining package, has been updated to leverage the Confluence RCE, alongside Oracle WebLogic Server RCE (CVE-2020-14882), Elasticsearch RCE (CVE-2015-1427), Jenkins, and other code execution bugs in popular server software.
Once a vulnerable server has been found and the vulnerability has been used to gain remote access, the malware deploys a set of webshells to install and run malicious files, including a .dll file disguised as a Hyper-V integration service, as well as a scheduled task that claims to be a legitimate .NET Framework NGEN task.
The task attempts to download and run malicious scripts from a repository on Pastebin, but for now the URL has been taken down.
These initial actions are intended to maintain persistence on an infected machine. In its second-stage payload deployment, z0Miner then scans for and kills any competing cryptocurrency miners installed on the server before launching its own – a miner that steals computing resources to generate Monero (XMR).
A patch has been released to resolve CVE-2021-26084, and as threat actors will always seek to exploit new bugs for their own purposes – the Microsoft Exchange Server attacks being a prime example – IT administrators should apply new security fixes to vulnerable systems as quickly as possible.
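The persistence described above relies on masquerading: a scheduled task named like the .NET NGEN task and a DLL presented as a Hyper-V integration service, with the task reaching out to a paste site. One way a defender can triage an inventory of tasks and services for that pattern is shown below. This is an added example, not code from the article or from Trend Micro; the system-directory roots treated as legitimate, the environment-variable map and the sample inventory are assumptions or constructed data, and the checks are heuristics to be tuned per host.

```python
"""Flag scheduled tasks and services whose name imitates a Windows component
(.NET NGEN task, Hyper-V integration service) but whose executable or DLL
lives outside the Windows system tree, or whose action pulls from a paste site."""
import re
from dataclasses import dataclass

# Assumption: where legitimate Windows and .NET binaries live on this host.
SYSTEM_ROOTS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\Microsoft.NET")
# Assumption: minimal expansion of environment variables seen in task actions.
ENV_MAP = {"%windir%": r"C:\Windows", "%systemroot%": r"C:\Windows"}

# Names the article says the malware imitates, matched case-insensitively.
MASQUERADE = {
    "claims to be the .NET NGEN task": re.compile(r"\bngen\b|\.net framework", re.I),
    "claims to be a Hyper-V integration service": re.compile(r"hyper-?v", re.I),
}
# A scheduled task that fetches from a remote URL or a paste site is a download cradle.
CRADLE = re.compile(r"https?://|pastebin", re.I)


@dataclass(frozen=True)
class Entry:
    kind: str    # "task" or "service"
    name: str    # task or service display name as an administrator sees it
    action: str  # command line (task) or binary/DLL path (service)


def first_path(action: str) -> str:
    """Return the executable or DLL path at the start of a command line.
    A quoted path is taken whole; an unquoted path ends at the first space."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', action)
    raw = (m.group(1) or m.group(2)) if m else ""
    for var, value in ENV_MAP.items():
        raw = re.sub(re.escape(var), lambda _m, v=value: v, raw, flags=re.I)
    return raw.replace("/", "\\")


def under_system_roots(path: str) -> bool:
    """True when the path sits inside one of the trusted system directories."""
    p = path.lower()
    return any(p.startswith(root.lower() + "\\") for root in SYSTEM_ROOTS)


def triage(entries):
    """Return one finding per suspicious entry with the reasons it was flagged."""
    findings = []
    for e in entries:
        reasons = []
        path = first_path(e.action)
        for why, pattern in MASQUERADE.items():
            if pattern.search(e.name) and not under_system_roots(path):
                reasons.append(f"{why} but runs {path or '<no path>'} outside the system tree")
        if CRADLE.search(e.action):
            reasons.append("action references a remote download location")
        if reasons:
            findings.append({"kind": e.kind, "name": e.name, "reasons": reasons})
    return findings


# Constructed sample inventory (not data from the report): two benign entries
# and two that imitate them the way the article describes.
SAMPLE_INVENTORY = [
    Entry("task", ".NET Framework NGEN v4.0.30319",
          r"%windir%\Microsoft.NET\Framework\v4.0.30319\ngen.exe update /queue"),
    Entry("task", ".NET Framework NGEN v4.0.30319 64",
          r"C:\Users\Public\ngen.exe https://paste.example/raw/PLACEHOLDER"),
    Entry("service", "Hyper-V Guest Service Interface",
          r"C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted"),
    Entry("service", "Hyper-V Integration Services", r"C:\ProgramData\hvint.dll"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(f"[{finding['kind']}] {finding['name']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

Fed the sample inventory, the script flags only the two look-alike entries, the task for both its out-of-tree binary and its remote download, the service for its DLL location. On a real host the same function can be fed an export of task actions and service image paths; the path check is the part that survives renaming, because a task or service can be called anything but still has to point at the file it runs.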