The newly emerged threat operation LABRAT has exploited an already patched GitLab security vulnerability in a cryptojacking and proxyjacking campaign that also involved the use of stealthy malware and command-and-control tools, as well as the TryCloudflare service to conceal malicious activity, reports The Hacker News.
After exploiting the critical GitLab remote code execution flaw, tracked as CVE-2021-22205, the attackers fetch a dropper shell script from a C2 server to establish persistence, and SSH credentials found on the compromised system are then leveraged for lateral movement, according to a Sysdig report.
Researchers also found that the dropper script retrieves the open-source Global Socket utility and enables cryptojacking and proxyjacking through the ProxyLite and IPRoyal services, along with a Go-based executable that terminates competing mining processes on targeted systems.
"Since the goal of the LABRAT operation is financial, time is money. The longer a compromise goes undetected, the more money the attacker makes and the more it will cost the victim," said researcher Miguel Hernandez.