The ASEC analysis tracks attacks against vulnerable Atlassian Confluence Servers exploiting CVE-2021-26084 and CVE-2022-26134, leading to WebShell deployment and coin-mining payloads on unpatched systems. Multiple threat actors and malware families—such as 8220 Gang, z0miner, and Hezb—are documented, employing PowerShell, process injection, and service manipulation to persist and mine cryptocurrency. hashtags: #CVE-2021-26084 #CVE-2022-26134 #GodzillaJSP #WebShell #8220Gang #z0miner #Hezb #XMRig #Monero #Confluence
Keypoints
- Attacks target unpatched Confluence Server instances through CVE-2021-26084 and CVE-2022-26134, both unauthenticated OGNL injection flaws that give remote code execution, after which a WebShell is deployed.
- Attackers use Shodan and other scanners to locate exposed Confluence Servers and initiate exploitation.
- Godzilla JSP WebShells are used to maintain persistence and enable remote command execution, with dynamic Java class loading and AES-encrypted payloads.
- 8220 Gang Miner distribution uses PowerShell to download payloads, inject into InstallUtil.exe, and ultimately run XMRig as a cryptocurrency miner with specified pool and wallet settings.
- z0miner deploys the XMRig miner via PowerShell and uses dedicated scripts to terminate or replace competing miners already on the host.
- The Hezb chain runs kill.bat to disable defences, then downloads and runs mad.bat, which installs XMRig (dom.exe) as a service managed by NSSM (dsm.exe), mining configuration included.
- Administrators should update Confluence to the latest version and restrict access to internet-facing instances so that these known vulnerabilities cannot be reached by scanners and exploit attempts.
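The two exploitation paths above leave distinct traces in the Confluence access log: CVE-2022-26134 carries an OGNL expression in the request URI itself, while CVE-2021-26084 injects OGNL through the queryString parameter of the create-page actions, and a Godzilla WebShell is then driven by POSTs to a dropped .jsp. The triage script below is an added example written for this page, not code from the ASEC report. The log lines are constructed, and the endpoint names, OGNL markers and the .jsp heuristic are the editor's assumptions rather than findings of the report.

```python
"""Triage Confluence access-log lines for the two exploitation paths this page
describes: CVE-2022-26134 (an OGNL expression carried in the request URI) and
CVE-2021-26084 (OGNL in the queryString parameter of the create-page actions),
plus follow-on WebShell traffic. The log lines are constructed for this example;
the endpoint names, markers and the .jsp heuristic are the editor's assumptions,
not content of the ASEC report."""
import re
from urllib.parse import unquote

# Actions abused by CVE-2021-26084 (OGNL injected via the queryString parameter).
CVE_2021_26084_ACTIONS = (
    "/pages/createpage-entervariables.action",
    "/pages/doenterpagevariables.action",
)

# Markers of an OGNL expression: the ${...} wrapper, the \u0027 quote-break used
# by public CVE-2021-26084 exploits, and class/runtime references seen in payloads.
OGNL_MARKERS = re.compile(r"\$\{|\\u0027|@java\.lang\.|getRuntime\(\)", re.I)

# Common/combined log format: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def decode_target(target):
    """URL-decode twice: exploit traffic is often double-encoded (%2524 -> %24 -> $)."""
    return unquote(unquote(target))


def triage_line(line):
    """Return the findings for one access-log line; an empty list means nothing noted."""
    m = LOG_RE.match(line)
    if not m:
        return []
    method, status = m["method"], m["status"]
    decoded = decode_target(m["target"])
    path = decoded.split("?", 1)[0]
    findings = []

    if OGNL_MARKERS.search(decoded):
        if path.startswith(CVE_2021_26084_ACTIONS) or "queryString=" in decoded:
            findings.append("CVE-2021-26084: OGNL marker in queryString")
        else:
            findings.append("CVE-2022-26134: OGNL expression in request URI")
        # A 2xx/3xx answer to an injected expression is far more worrying than a
        # 404, which usually means the payload never reached the OGNL evaluator.
        if status[0] in "23":
            findings.append(f"status {status}: expression likely evaluated")
    elif method == "POST" and path.startswith(CVE_2021_26084_ACTIONS):
        # The exploit body is not in the access log, so this is review-only.
        findings.append("review: POST to CVE-2021-26084 action (body not logged)")

    # Godzilla and similar JSP WebShells are driven by POSTs to a dropped .jsp.
    if method == "POST" and path.lower().endswith(".jsp"):
        findings.append("review: POST to a .jsp outside normal Confluence use (WebShell?)")

    return findings


def triage_log(lines):
    """Map each line index that has findings to (client IP, request target, findings)."""
    hits = {}
    for i, line in enumerate(lines):
        findings = triage_line(line)
        if findings:
            m = LOG_RE.match(line)
            hits[i] = (m["ip"], m["target"], findings)
    return hits


# Constructed sample (RFC 5737 documentation addresses), not data from the report.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Jun/2022:10:14:02 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29%7D/ HTTP/1.1" 302 0',
    '203.0.113.7 - - [03/Jun/2022:10:14:40 +0000] "GET /pages/doenterpagevariables.action?queryString=%5Cu0027%2B%7B%23a%3D1%7D%2B%5Cu0027 HTTP/1.1" 200 700',
    '203.0.113.7 - - [03/Jun/2022:10:15:01 +0000] "POST /pages/createpage-entervariables.action HTTP/1.1" 200 5123',
    '198.51.100.9 - - [03/Jun/2022:10:15:11 +0000] "POST /confluence/work.jsp HTTP/1.1" 200 42',
    '192.0.2.30 - - [03/Jun/2022:10:16:00 +0000] "GET /pages/viewpage.action?pageId=1234 HTTP/1.1" 200 8891',
]

if __name__ == "__main__":
    for idx, (ip, target, findings) in triage_log(SAMPLE_LOG).items():
        print(f"line {idx} {ip} {target[:60]}")
        for finding in findings:
            print("   ", finding)
```

The double URL-decode matters: scanners frequently send `%2524` so that a single decode still hides the `$`. Treat the "review" results as triage queues, not alerts: POST bodies never reach the access log, so a CVE-2021-26084 attempt against the create-page action can only be confirmed from a request-body capture or from the follow-on WebShell and miner activity on the host.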
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Both CVEs are remote code execution flaws exploited on unpatched, internet-exposed Confluence Servers. “The major attack cases are CVE-2021-26084 and CVE-2022-26134. They are remote code execution vulnerabilities used by attackers to target vulnerable systems that are not updated.”
- [T1059.001] PowerShell – The script download/execution chain uses PowerShell to fetch and run payloads. “The script also acts as a downloader, installing the ‘ps1-6.exe’ malware from a certain URL.”
- [T1620] Reflective Code Loading – The WebShell loads an attacker-supplied Java class into the running JVM at request time: “dynamic class loading method. To do so, the attacker sends a malicious payload to the Java environment infected with a WebShell.”
- [T1027] Obfuscated/Encrypted Files and Information – AES-encrypted payloads and key exchange used to protect commands. “The data encrypted with the AES key value designated in Figure 2. The WebShell decrypts the data to load a malicious Java class”
- [T1055] Process Injection – Injecting payloads into InstallUtil.exe to perform malicious actions. “the payload injected into InstallUtil.exe also performs downloading and injection.”
- [T1543.003] Create/Modify System Process: Windows Service – NSSM is used to register XMRig as a service. “NSSM (dsm.exe) to register XMRig (dom.exe) as a service”
- [T1496] Resource Hijacking – CoinMiner activities (XMRig) aimed at mining cryptocurrency. “XMRig CoinMiner is injected into the normal process”
- [T1053.005] Scheduled Task/Job: Scheduled Task – The wi.txt script removes competing miners by enumerating Task Scheduler entries. “wi.txt is a powershell script that removes previously known Miners… by searching based on programs registered to Task Scheduler”
- [T1505.003] Server Software Component: Web Shell – Web Shells installed on Confluence servers for persistence. “Godzilla JSP WebShells… installed on vulnerable Confluence Server environments”
- [T1105] Ingress Tool Transfer – Downloader behavior to fetch additional payloads. “The script also acts as a downloader, installing the ‘ps1-6.exe’ malware from a certain URL.”
Indicators of Compromise
- [MD5] – 51ac2e4df1978c3fadaf3654f0f91462, dbda412cf6bf74af449ecb0b3bac7aa8, 8e211d1701e0e16cd30a414f5e5a384c, af0b85c176c7c32f0e9585b7eeaa6629
- [IP/Domain] – 185.157.160.214:8080, 51.79.175.139:8080, gulf.moneroocean.stream:10001, pool.supportxmr.com:80
- [URL] – hxxp://89.34.27[.]167/lol.ps1, hxxp://95.142.47[.]77/ps1-6.exe, hxxp://95.142.47[.]77/ps1-6_Jweozaou.jpg
- [Wallet Address] – 46HmQz11t8uN84P8xgThrQXSYm434VC7hhNR8be4QrGtM1Wa4cDH2GkJ2NNXZ6Dr4bYg6phNjHKYJ1QfpZRBFYW5V6qnRJN
- [Wallet Address] – 46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ
- [Process/File] – AddInProcess.exe, javae.exe, dom.exe, lol.ps1, ps1-6.exe
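The technique list and the indicators above translate directly into a host-side hunt: a .NET Framework helper (InstallUtil.exe, AddInProcess.exe) started by PowerShell and then opening network connections is the injection host of the 8220 Gang and z0miner chains, a service whose binary is NSSM (dsm.exe) is how Hezb runs XMRig (dom.exe), and the pool names, wallets, hashes and file names on this page are the literal matches. The script below is an added example for this page, not ASEC's code or tooling; it runs over Sysmon process-create (ID 1) and network-connect (ID 3) records and System-log service-install (ID 7045) records represented as dictionaries. The sample events are constructed, and the heuristics (PowerShell parent, outbound traffic from InstallUtil.exe, Monero address format) are the editor's assumptions.

```python
"""Host-side hunt for the Windows miner chain on this page (PowerShell ->
injection into .NET Framework helpers -> XMRig; Hezb's NSSM-wrapped service),
run over Sysmon process-create (ID 1) and network-connect (ID 3) events and
System-log service-install (ID 7045) events. The event records are constructed
for this example; IoC values are the hashes, wallets, pools, hosts and file
names listed on this page, and the heuristics are the editor's, not ASEC's."""
import re
from pathlib import PureWindowsPath

IOC_MD5 = {
    "51ac2e4df1978c3fadaf3654f0f91462", "dbda412cf6bf74af449ecb0b3bac7aa8",
    "8e211d1701e0e16cd30a414f5e5a384c", "af0b85c176c7c32f0e9585b7eeaa6629",
}
IOC_POOLS = {"gulf.moneroocean.stream", "pool.supportxmr.com"}
IOC_HOSTS = {"185.157.160.214", "51.79.175.139", "89.34.27.167", "95.142.47.77"}
IOC_WALLETS = {
    "46HmQz11t8uN84P8xgThrQXSYm434VC7hhNR8be4QrGtM1Wa4cDH2GkJ2NNXZ6Dr4bYg6phNjHKYJ1QfpZRBFYW5V6qnRJN",
    "46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ",
}
IOC_FILES = {"dom.exe", "javae.exe", "dsm.exe", "lol.ps1", "ps1-6.exe", "kill.bat", "mad.bat", "wi.txt"}
# .NET Framework helpers the report names as injection hosts for XMRig.
DOTNET_HOSTS = {"installutil.exe", "addinprocess.exe"}
# Standard Monero address: '4' followed by 94 base58 characters (95 in total).
XMR_ADDR = re.compile(r"(?<![1-9A-HJ-NP-Za-km-z])4[1-9A-HJ-NP-Za-km-z]{94}(?![1-9A-HJ-NP-Za-km-z])")


def exe_name(path):
    """Lower-cased file name of a Windows path ('' for a missing value)."""
    return PureWindowsPath(path).name.lower() if path else ""


def service_binary(image_path):
    """Binary of a 7045 ImagePath, honouring quotes: '"C:\\a b\\x.exe" arg' -> x.exe."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        return exe_name(image_path.split('"', 2)[1])
    return exe_name(image_path.split(" ", 1)[0])


def hunt(event):
    """Return the findings for one event dict; an empty list means nothing noted."""
    f = []
    eid = event.get("EventID")
    img = exe_name(event.get("Image", ""))
    cmd = event.get("CommandLine", "")

    if eid == 1:  # Sysmon process create
        parent = exe_name(event.get("ParentImage", ""))
        if img in DOTNET_HOSTS and parent == "powershell.exe":
            f.append(f"{img} started by PowerShell: injection host used by the 8220 Gang/z0miner chain")
        ioc_names = [n for n in (img, parent) if n in IOC_FILES]
        if ioc_names:
            f.append("IoC file name: " + ", ".join(ioc_names))
        for part in event.get("Hashes", "").split(","):
            if part.upper().startswith("MD5=") and part[4:].lower() in IOC_MD5:
                f.append(f"IoC MD5 {part[4:].lower()}")
        if any(w in cmd for w in IOC_WALLETS):
            f.append("IoC Monero wallet in command line")
        elif XMR_ADDR.search(cmd):
            f.append("Monero-format wallet in command line (miner arguments?)")
        if re.search(r"(^|\s)(-o|--url)[=\s]", cmd) and any(p in cmd.lower() for p in IOC_POOLS):
            f.append("XMRig-style pool argument pointing at an IoC pool")

    elif eid == 3:  # Sysmon network connection
        host = event.get("DestinationHostname", "").lower()
        dst = event.get("DestinationIp", "")
        if host in IOC_POOLS:
            f.append(f"{img} connects to mining pool {host}:{event.get('DestinationPort')}")
        if dst in IOC_HOSTS:
            f.append(f"{img} connects to IoC host {dst}")
        if img in DOTNET_HOSTS:
            f.append(f"{img} making an outbound connection (unexpected for this binary)")

    elif eid == 7045:  # service installed (System log)
        image_path = event.get("ImagePath", "")
        binary = service_binary(image_path)
        if binary in {"nssm.exe", "dsm.exe"}:
            f.append(f"service '{event.get('ServiceName')}' wrapped by NSSM ({binary}); Hezb registers XMRig this way")
        elif binary in IOC_FILES or any(n in image_path.lower() for n in IOC_FILES):
            f.append(f"service '{event.get('ServiceName')}' runs IoC file {binary}")
    return f


def hunt_all(events):
    """Index of each event with findings -> its findings list."""
    return {i: r for i, e in enumerate(events) if (r := hunt(e))}


# Constructed sample events (placeholder hashes, RFC 5737 address), not report data.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "Hashes": "MD5=00000000000000000000000000000000"},
    {"EventID": 3,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "DestinationHostname": "gulf.moneroocean.stream", "DestinationIp": "203.0.113.50",
     "DestinationPort": 10001},
    {"EventID": 7045, "ServiceName": "dom", "ImagePath": r'"C:\ProgramData\dsm.exe"',
     "StartType": "auto start"},
    {"EventID": 1, "Image": r"C:\ProgramData\dom.exe", "ParentImage": r"C:\ProgramData\dsm.exe",
     "CommandLine": "dom.exe -o pool.supportxmr.com:80 -u "
                    "46HmQz11t8uN84P8xgThrQXSYm434VC7hhNR8be4QrGtM1Wa4cDH2GkJ2NNXZ6Dr4bYg6phNjHKYJ1QfpZRBFYW5V6qnRJN",
     "Hashes": "MD5=8e211d1701e0e16cd30a414f5e5a384c"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe",
     "Hashes": "MD5=ffffffffffffffffffffffffffffffff"},
]

if __name__ == "__main__":
    for idx, findings in hunt_all(SAMPLE_EVENTS).items():
        print(f"event {idx} (ID {SAMPLE_EVENTS[idx]['EventID']})")
        for finding in findings:
            print("   ", finding)
```

Two of the checks deserve a caveat. An NSSM-wrapped service only shows NSSM's own path in the 7045 ImagePath; the wrapped binary (dom.exe) lives under the service's Parameters registry key, so a 7045 hit should be followed by reading that key. And the injected process carries a legitimate Microsoft hash, which is why the InstallUtil.exe rules key on parent process and network behaviour rather than on file hashes.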
Read more: https://asec.ahnlab.com/en/36820/