
LABRAT Campaign Exploits GitLab Vulnerability for Cryptojacking and Proxyjacking

A sophisticated campaign has come to light in which a known, since-patched GitLab vulnerability serves as the entry point for a scheme that combines cryptojacking and proxyjacking.

To stay off the radar, the attacker relied on a multipronged toolset built from signature-based tools that went undetected.

This included cross-platform malware, command-and-control (C2) tooling that bypasses traditional firewalls, and kernel rootkits used to hide the attacker's activity from detection mechanisms.

A notable aspect of the campaign is the use of TryCloudflare, a legitimate service, to give the C2 network the appearance of legitimate traffic.

LABRAT Campaign Employs Proxyjacking and Cryptojacking

The campaign's strategy employs proxyjacking, which enlists compromised hosts into proxy networks and monetizes their unused bandwidth. In parallel, cryptojacking tactics were used: the unauthorized use of computing resources for cryptocurrency mining.

A distinctive hallmark of LABRAT's tactics is its use of compiled binaries written in both Go and .NET, which makes its activity covert and difficult to detect. The campaign also leaves backdoor access on compromised systems, which could lead to follow-on attacks, data breaches, or even ransomware incidents.

The operation begins with the exploitation of a known vulnerability, CVE-2021-22205, a remote code execution flaw previously exploited by Indonesian actors to deploy crypto miners. A successful breach is followed by the retrieval of a dropper shell script from a C2 server. This script establishes persistence, performs lateral movement via hijacked SSH credentials, and installs additional binaries sourced from a concealed GitLab repository.

In the course of the LABRAT operation, TryCloudflare served as a redirect, steering connections toward a password-protected web server hosting a malicious shell script.

By building on legitimate TryCloudflare infrastructure, the attackers make it hard for defenders to classify individual subdomains as malicious, especially when the same service is also used for benign purposes.

TryCloudflare's role as an unwitting accomplice in this campaign underscores the complexity of modern attacks. The utility, designed to establish a Cloudflare Tunnel without adding a site to Cloudflare's DNS, is repurposed here as part of a larger malicious scheme.

The implications reach further, since this covert infrastructure is used to establish communication channels from compromised hosts, leaving victim networks exposed to further infiltration.

Threat Actor Abused PwnKit for Privilege Escalation

In a tactical shift, the adversary switched to a different approach, using a Solr server in place of TryCloudflare. From there, an exploit for PwnKit (CVE-2021-4034) was downloaded from the same concealed GitLab repository. The goal was to elevate privileges and retrieve another file, though that file was no longer accessible.

Alongside these tactics, several payloads appeared, each designed to further the attacker's financial agenda. A utility known as Global Socket (gsocket) provided remote access, while separate binaries carried out the cryptojacking and proxyjacking tasks, making use of recognized services such as IPRoyal and ProxyLite.

To conceal the mining processes, a kernel rootkit aptly named hiding-cryptominers-linux-rootkit was also used. To ensure persistence and dominance over the host, a Go-based executable was introduced that kills rival mining processes and earlier versions of itself, maximizing the resources available to the attacker and, with them, the earnings.

The longer a breach goes undetected, the greater the attacker's gains and the higher the costs borne by the victim. This operation is a stark reminder of an evolving threat landscape in which ingenuity and exploitation go hand in hand, with high-stakes outcomes for both attackers and victims.
