Crypto-Miners Leveraging Atlassian Zero-Day Vulnerability – Check Point Blog

Two security researchers describe how crypto-mining operations leveraged Atlassian Confluence zero-day CVE-2022-26134 to drop and execute mining payloads on Linux and Windows hosts, using a multi-stage chain from initial exploitation to persistence and lateral movement. The operation is tied to the 8220 gang, uses a.oracleservice.top as a C2 domain, and directs mining proceeds to a Monero wallet observed in the infection flow. #CVE-2022-26134 #AtlassianConfluence #OGNL #8220gang #a.oracleservice.top #XMRig #Monero #dbused

Keypoints

  • The Atlassian Confluence/Data Center vulnerability CVE-2022-26134 can allow unauthenticated code execution via crafted HTTP requests that inject OGNL expressions.
  • Exploitation activity began with scanning and then progressed to delivering payloads that download and execute malware on targeted systems.
  • Linux infections drop a bash script (xms) that uninstalls agents, persists via cron, tests network reachability, and downloads a UPX-packed ELF crypto miner (dbused) from multiple remote IPs.
  • The Windows campaign uses a PowerShell-based, fileless technique (lol.ps1) to download and execute a miner, spawning InstallUtil.exe and AddInProcess.exe as part of a multi-process chain.
  • The attack chain includes SSH key discovery for lateral movement and repeated C2 communications, with a crypto miner exhausting system resources and exposing a Monero wallet.
  • Indicators of compromise include multiple IPs, a.oracleservice.top, several file hashes, and the Monero wallet address associated with the operation.
  • Check Point highlights its protections and the attribution to the 8220 gang, citing specific IOAs such as the Atlassian RCE signature and the XMRig anti-bot signal.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The vulnerability in Confluence is used via crafted HTTP requests to trigger code execution. Quote: “The vulnerability in the Atlassian Confluence and Data Center, designated as CVE-2022-26134, may lead to an unauthenticated Object-Graph Navigation Language (OGNL) expression injection attack.”
  • [T1027] Obfuscated/Compressed Files and Information – Base64 payloads are encoded and decoded across steps. Quote: “The base64 string decodes into another base64 encoded string.”
  • [T1053.005] Cron – The xms dropper adds itself to cron jobs to persist after reboot. Quote: “uninstalls running agents from the victim’s machine and adds itself to cron jobs to maintain persistence upon reboot.”
  • [T1059.001] PowerShell – Windows chain uses PowerShell to download and execute payloads (fileless). Quote: “The attacker utilized the Atlassian vulnerability to execute a PowerShell download cradle to initiate a fileless attack from a remote C&C server.”
  • [T1047] Windows Management Instrumentation – The malware uses WMI to verify architecture requirements. Quote: “using wmi to check whether it matches its requirements.”
  • [T1105] Ingress Tool Transfer – The malware downloads executables (dbused, y, etc.) from remote servers. Quote: “The elf file is a crypto miner that exhausts the victim machine’s resources.”
  • [T1218.011] Signed Binary Proxy Execution: InstallUtil – InstallUtil.exe is spawned to run the miner as a child process. Quote: “The InstallUtil.exe in turn spawns another child process, AddInProcess.exe, which is the crypto miner.”
  • [T1059.001] PowerShell (repeat) – The lol.ps1 script demonstrates PowerShell-based memory process injection. Quote: “The lol.ps1 script is injected to a PowerShell memory process.”
  • [T1021.004] SSH – The malware searches for SSH keys and attempts to connect to other hosts. Quote: “In an attempt to spread to other machines, the script searches for ssh keys and tries to connect.”
  • [T1496] Resource Hijacking – The crypto miner runs to exhaust system resources. Quote: “The crypto miner now runs on the machine and exhausts all the system’s resources.”

Indicators of Compromise

  • [IP] – 198.251.86.46, 51.79.175.139, and other IPs observed (167.114.114.169, 146.59.198.38, 51.255.171.23)
  • [Domain] – a.oracleservice.top
  • [Hash] – d2bae17920768883ff8ac9a8516f9708967f6c6afe2aa6da0241abf8da32456e, 2622f6651e6eb01fc282565ccbd72caba9844d941b9d1c6e6046f68fc873d5e0, 4e48080f37debd76af54a3231ecaf3aa254a008fae1253cdccfcc36640f955d9, 4b8be1d23644f8cd5ea22fa4f70ee7213d56e3d73cbe1d0cc3c8e5dfafe753e0
  • [Wallet] – Monero wallet: 46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ
  • [Domain/Service] – a.oracleservice.top used as C2 domain; other IOCs include a set of files and components (xms, dbused, checkit2, etc.)
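Log-side detection for the T1190 entry and the IOC list above, as an added example that is not part of the Check Point post: it parses constructed combined-format access-log lines, strips URL-encoding layers before looking for the OGNL `${` marker in the request URI, and tags requests arriving from the listed IPs or referencing the C2 domain. The log format, the sample lines and the `${probe}` placeholder are assumptions, not captured traffic.

```python
import re
from urllib.parse import unquote

# Indicators taken from the page's IOC list (C2 domain and source IPs).
IOC_DOMAINS = {"a.oracleservice.top"}
IOC_IPS = {"198.251.86.46", "51.79.175.139", "167.114.114.169",
           "146.59.198.38", "51.255.171.23"}

# Assumed Apache/Tomcat combined log layout: ip, request line, status, bytes, referer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# OGNL expression injection leaves the "${" delimiter in the URI; it may be
# URL-encoded one or more times, so decode before matching.
OGNL_MARKER = re.compile(r"\$\{")

def fully_decode(s: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding (stops early when stable)."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def classify(line: str) -> list:
    """Return the list of detection tags that apply to one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []          # unparseable line: report nothing rather than guess
    findings = []
    uri = fully_decode(m.group("uri"))
    if OGNL_MARKER.search(uri):
        findings.append("ognl-expression-in-uri")
    if m.group("ip") in IOC_IPS:
        findings.append("known-ioc-source-ip")
    haystack = " ".join([uri, m.group("referer"), m.group("ua")])
    if any(d in haystack for d in IOC_DOMAINS):
        findings.append("known-ioc-domain")
    return findings

def scan_access_log(lines) -> dict:
    """Map 1-based line numbers to their detection tags (only lines with hits)."""
    return {n: f for n, line in enumerate(lines, 1) if (f := classify(line))}

# Constructed sample lines: one benign login, one double-encoded "${probe}" path from a
# listed IP, one benign page view. 203.0.113.0/24 is documentation address space.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Jun/2022:10:00:01 +0000] "GET /login.action HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.251.86.46 - - [09/Jun/2022:10:00:05 +0000] "GET /%2524%257Bprobe%257D/ HTTP/1.1" 302 0 "-" "curl/7.68.0"',
    '203.0.113.9 - - [09/Jun/2022:10:00:09 +0000] "GET /pages/viewpage.action?pageId=1 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]
```

Feed real lines into `scan_access_log` and treat any `ognl-expression-in-uri` hit on a Confluence host as a trigger to pull the IOC hashes and cron/process artefacts listed above.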

Read more: https://blog.checkpoint.com/2022/06/09/crypto-miners-leveraging-atlassian-zero-day-vulnerability/