A malicious actor, tracked as TAC-040, exploited the Atlassian Confluence CVE-2022-26134 flaw to deploy the previously undetected Ljl Backdoor.
Cybersecurity firm Deepwatch reported that a malicious actor, tracked as TAC-040, likely exploited the CVE-2022-26134 flaw in Atlassian Confluence servers to deploy a previously undetected backdoor called Ljl Backdoor. Attackers exploited the flaw in an attack on an unnamed research and technical services organization.
The attack took place in May and lasted for seven days, analysis of network logs suggests that TAC-040 exfiltrated approximately 700MB of data from the victim system.
“ATI’s in-depth analysis determined that the attack occurred in late May over a seven-day period. TAC-040 most likely exploited a vulnerability in an Atlassian Confluence server. Evidence indicates that the threat actor executed malicious commands with a parent process of tomcat9.exe in Atlassian’s Confluence directory. reads the analysis published by Deepwatch.
Experts have also speculated that attackers could have exploited the Spring4Shell vulnerability (CVE-2022-22965) to gain initial access to the Confluence web application.
After the initial compromise, the attackers ran multiple commands to enumerate the local system, network, and Active Directory environment.
Researchers discovered the presence of an XMRig crypto-miner on the compromised system.
“The threat actor likely used a memory-based webshell or chose to run commands directly through the
exploit, because no command dropper or forensic record of a webshell on disk was recovered. Several open source reports detail similar defense/detection avoidance techniques regarding the CVE2022-26134 exploit, but technical details on these techniques are sparse. continues the report.
The Deepwatch Threat Intel team has confirmed that the ljl backdoor is a never-before-seen persistent backdoor that implements the following functionality:
- Reverse proxy.
- Asks if the victim is active or inactive.
- Exfiltrate files/directories.
- Load arbitrary and remotely downloaded .NET assemblies as “plugins”.
- Get user accounts.
- Get the foreground window and window text.
- Obtain victim system information such as CPU name, GPU name, hardware ID, bios manufacturer,
- Motherboard name, total physical memory, LAN IP address and mac address.
- Get geographical information about the victim, such as ASN, ISP, country name, country code, region name, area code, city, zip code, continent name , continent code, latitude, longitude, metro code, time zone and date and time.
Once TAC-040 achieved persistence on the target systems, it used various publicly available open-source tools cloned from GitHub, including:
- Open source tools cloned from GitHub:
- CrackMapExec: attack framework with several tools
At present, it is unknown who is behind TAC-040, experts only speculate that it functions to gather intelligence despite the discovery of the XMRig crypto-miner on the system suggests that it might be financially motivated.
The Monero address managed by the group’s threat actors has yielded at least 652 XMR (over $100,000).
“Concerning this area of activity, there are still a few unanswered questions. First, we cannot be certain of TAC040’s intentions and goals due to visibility gaps. However, it is likely that the purpose of TAC-040 was related to espionage. However, we cannot completely rule out that they were financially motivated. The Threat Intel team needs additional evidence to build confidence in this hypothesis. concludes the report.
Follow me on Twitter: @securityaffairs and Facebook
(Security cases – hack, Ljl backdoor)