Malicious actors have been serving up GandCrab ransomware and a variant of AESDDoS Botnet malware by exploiting a recently patched vulnerability in two “Confluence” team collaboration products from Australia-based Atlassian.
GandCrab is a malicious encryption program that first emerged in early 2018, while the AESDDoS variant is a more versatile program capable of remote code execution, distributed denial of service (DDoS) attacks, cryptocurrency mining and information theft.
The exploited bug, CVE-2019-3396, is a critical vulnerability that was found in the Widget Connector macro component of both the Confluence Server and Data Center products. This macro is designed to allow users to embed other websites’ multimedia content into a Confluence page. But the flaw can be used to achieve server-side template injection, path traversal and remote code execution on affected systems.
This issue, along with a critical Server-Side Request Forgery (SSRF) vulnerability in the WebDAV plugin, was fixed in a March 20 security update, but companies that haven’t downloaded this latest release remain prone to the exploit.
“Proof of concept code for the vulnerability was made available in the public domain on April 10 and by the next day we were observing the first weaponized attack attempts using this new vector,” said researchers at Alert Logic, who revealed the bug’s link to a GandCrab campaign in a blog post this week.
Meanwhile, the use of CVE-2019-3396 to deliver the AESDDoS malware was separately reported today in a Trend Micro blog post authored by researcher Augusto II Remillano. There is nothing in either report suggesting that the two campaigns are involve the same adversary.
The most common GandCrab delivery mechanism is a malicious attachment, typically delivered via a phishing email. But by targeting organizations susceptible to the Confluence vulnerability, the attackers in this case don’t have to trick their targets into opening a file.
Alert Logic has theorized that the malicious actors’s choice to attack with ransomware instead of cryptominers may have been influenced by the nature of the vulnerable product, noting that users of Confluence may
be working with “valuable company information” that “may not be sufficiently backed up.”
“The attackers may be making a judgement call that the likelihood of pay-out is a sufficiently higher return than could be expected mining cryptocurrency on the host,” the blog post concludes.
According to Alert Logic, the post-exploit infection begins with an initial payload that connects to an attack-controller IP address via FTP and fetches a VM developer file that contains a Powershell script. This script checks the host machine’s architecture and, based on what it finds, pulls up another script from Pastebin, invoking it into memory. An analysis of the final payload resulted in the discovery of a Gandcrab version 5.2 sample.
In the case of ARSDDoS Botnet variant, Trend Micro found that the attackers leveraged
CVE-2019-3396 to execute a shell command that commences a sequence of shell scripts that ultimately results in the final payload. This payload is capable of launching five varieties of DDoS attacks, and steals data including a system’s Model ID and CPU description, speed family, model and type.
“The stolen system information, as well as the command and control… data, is encrypted using the AES algorithm,” reports Trend Micro’s Remillano. “[This] information can then be used with the AESDDoS variant’s cmdshell function to load cryptocurrency miners to affected machines.”