“Stealthy Threats: Godzilla Fileless Backdoors Exploiting Atlassian Confluence”

Trend Micro identified CVE-2023-22527, an unauthenticated remote code execution vulnerability in older Atlassian Confluence versions, being exploited to deploy the Godzilla webshell as an in-memory, fileless backdoor. After exploitation, a loader brings the webshell into the running Java process without writing it to disk, and the webshell AES-encrypts its traffic so that file-based and signature-based controls have little to inspect. #Godzilla #CVE-2023-22527 #AtlassianConfluence #Tomcat #MemGodValueShell

Keypoints

  • Trend Micro identified exploitation of CVE-2023-22527 that ends with a fileless backdoor, the Godzilla webshell, resident only in memory.
  • The vulnerability enables unauthenticated remote code execution on affected Atlassian Confluence servers.
  • The Godzilla webshell AES-encrypts its communication, evading detection by legacy antivirus solutions that rely on static content.
  • Atlassian released a security advisory for CVE-2023-22527 on January 16, 2024.
  • The attack chain uses a loader that, after the vulnerability is exploited, activates the Godzilla webshell inside the running Tomcat process.
  • Godzilla was developed to avoid detection during red team operations and has a low static detection rate.
  • Organizations are urged to patch affected servers and to add controls that can see in-memory payloads and encrypted webshell traffic, since static file scanning alone will not catch this backdoor.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Exploitation of CVE-2023-22527 to gain initial access.
  • [T1059.004] Command and Scripting Interpreter: Unix Shell – Execution of operating system commands through the webshell.
  • [T1027.013] Obfuscated Files or Information: Encrypted/Encoded File – Use of AES encryption for webshell communication.
  • [T1620] Reflective Code Loading – Dynamic loading of the webshell classes into JVM memory rather than from disk.
  • [T1027.009] Obfuscated Files or Information: Embedded Payloads – Embedding of malicious payloads within the webshell.
  • [T1055.003] Process Injection: Thread Execution Hijacking – Injection of the webshell into the existing Tomcat process.
  • [T1140] Deobfuscate/Decode Files or Information – Decoding of Base64 encoded payloads.
  • [T1573.001] Encrypted Channel: Symmetric Cryptography – Use of symmetric encryption for command and control communications.
  • [T1505.003] Server Software Component: Web Shell – Deployment of the Godzilla webshell for persistent access.
  • [T1048.001] Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol – Potential exfiltration of data using encrypted channels.
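The loading and injection techniques above leave a footprint a defender can check for at runtime even though nothing is written to disk: a class defined straight from a byte array carries no on-disk code source, and a webshell that hooks Tomcat's request pipeline shows up as an extra valve in that pipeline. The JSP below is an added example, not code from the Trend Micro article or from Godzilla; it walks the live Context, Host and Engine pipelines of the web application it runs in and flags valves that either have no code source location or live outside Tomcat's own `org.apache.catalina` packages. It assumes Tomcat 8.5/9 (javax.servlet API), that the file (named valve_audit.jsp here, an arbitrary choice) is placed in the Confluence web application root and fetched once, and that the `request` field of Tomcat's `RequestFacade` is the implementation detail it is in those versions.

```java
<%@ page contentType="text/plain" %>
<%@ page import="java.lang.reflect.Field" %>
<%@ page import="java.security.CodeSource" %>
<%@ page import="javax.servlet.ServletRequest" %>
<%@ page import="javax.servlet.ServletRequestWrapper" %>
<%@ page import="org.apache.catalina.Container" %>
<%@ page import="org.apache.catalina.Valve" %>
<%@ page import="org.apache.catalina.connector.Request" %>
<%
    // valve_audit.jsp (added example, not from the article): list every valve in the
    // live Tomcat pipelines and mark the ones that look like in-memory implants.

    // Filters may have wrapped the request; peel wrappers with the public API first.
    ServletRequest r = request;
    while (r instanceof ServletRequestWrapper) {
        r = ((ServletRequestWrapper) r).getRequest();
    }
    // What remains is Tomcat's RequestFacade; its "request" field (a Tomcat
    // implementation detail, assumed here) holds the org.apache.catalina Request.
    Field facadeField = r.getClass().getDeclaredField("request");
    facadeField.setAccessible(true);
    Request catalinaReq = (Request) facadeField.get(r);

    int suspects = 0;
    Container c = catalinaReq.getContext();   // StandardContext of this webapp
    while (c != null) {                        // Context -> Host -> Engine
        out.println(c.getClass().getSimpleName() + " " + c.getName());
        for (Valve v : c.getPipeline().getValves()) {
            Class<?> k = v.getClass();
            CodeSource cs = k.getProtectionDomain().getCodeSource();
            // ClassLoader.defineClass(name, bytes, off, len) with no ProtectionDomain
            // yields a CodeSource whose location is null: no jar or class file on disk
            // corresponds to the class. Tomcat's own valves resolve to catalina.jar.
            boolean fileless = cs == null || cs.getLocation() == null;
            // Anything outside Tomcat's packages deserves a look even if it came from
            // a jar; a legitimate third-party valve will be explainable from server.xml.
            boolean foreign = !k.getName().startsWith("org.apache.catalina.");
            boolean suspect = fileless || foreign;
            if (suspect) suspects++;
            ClassLoader cl = k.getClassLoader();
            out.println((suspect ? "  [SUSPECT] " : "  ") + k.getName()
                + "  loader=" + (cl == null ? "bootstrap" : cl.getClass().getName())
                + "  origin=" + (fileless ? "(in-memory only)" : cs.getLocation()));
        }
        c = c.getParent();
    }
    out.println("suspect valves: " + suspects);
%>
```

Run it once, record the output, and remove the file; a clean host prints only `org.apache.catalina.*` valves with a catalina.jar origin. A hit on the `fileless` test is the strong signal, since nothing legitimate in a stock Confluence install defines valves from raw bytes at runtime; a `foreign` hit is a prompt to reconcile the class against server.xml, not a verdict. The Context pipeline is specific to the web application the JSP runs in, so drop the file into the Confluence context itself; the Host and Engine pipelines are shared and are reported regardless. Filters and servlets are other places a Java memory shell can hook and are not covered by this check.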

Indicators of Compromise

  • [SHA-1] dfeccdc0c1d28f1afd64a7bb328754d07eead10c – TROJ_FRS.VSNTH724 (IOC listed in the article)
  • [SHA-1] 2cb94ce0b147303b7beb91f034d0dc7fa734dbcb – Backdoor.JS.WEBSHELL.VSNW08H24 (IOC listed in the article)

Read more: https://www.trendmicro.com/en_us/research/24/h/godzilla-fileless-backdoors.html