
Researchers have discovered a new financially motivated threat campaign designed to utilize cryptomining and proxyjacking while staying hidden using a variety of techniques.
In the campaign, called LABRAT, the threat actors compromised a targeted container via the legacy GitLab remote code execution vulnerability CVE-2021-22205.
The goal is to make money through cryptomining and proxyjacking, the latter being attacks in which threat actors rent out a compromised system to a proxy network.
The attacker chose to use undetected compiled binaries, written in Go and .NET, which allowed them to hide more effectively. The attacker also abused a legitimate service, TryCloudflare, to obfuscate their C2 network.
To maintain persistence, the LABRAT attackers use a legitimate open-source tool known as Global Socket (GSocket).
Unlike Netcat, GSocket provides features such as a custom relay or proxy network, encryption, and the ability to use Tor, making it a very capable tool for stealthy C2 communications. To remove evidence of its installation, the LABRAT attacker tried to hide the process.
The campaign is ongoing and may even be designed to go beyond proxyjacking and cryptomining, given that the backdoor used provides access to compromised systems, the research team concluded.
This research was documented by researchers from Sysdig, and the detailed report can be found at this link.
Indicators of Compromise
- ff4b30f45ec635f28801a24a175bbf7479fbcbf01131c7ff086ccd6cb64f2e8c
- 4fd39d545d877720a86a1858d5af6ac50a432c13b83abc01ca1a59f96f6c67c0
- 0654789ea795e18c762ddde2de3215092065c7d26fde122e04cbcdf399a43b02
- 6fad185a92c7a718e80e6f0c4d5fa4155e21545cfe2edf03e70f21604deb89ba
- c236b6337572217eb83dc628579bcd4cd5dfb13c35cca54757f34fb9abf3edd6
- bee54e68d49cef7723dee09f39174245c015dd2dcf62ee8ffee6f4a156813d46
- 7162a27a795d3ae13d0b8a6df0d7aa75fbefa74f8cb086ee46fdab0368d8ea07
- 846ef36e262ce34203ca82ec84b95ae7bd316d162ee184845fda7b957e22b640
- 00df3dc4fe3a1c12acf3180d097ca88e0219331ae5cb6989fa4c3262597a2aba
- eb6a93b1a7a05b0f644426a57a54446728868bde9a531e31cfb8849a4b3c4824
- 34dd0357f281c0a402afa8df60452f4ff4dcb68d2de162f39514ab3ece0f18f8
- d475ed387f2960611833348ba740d44b707a913bcd088f9731337a909a854c4c
- 96db518610ef5c4b08d454a0f931db619fa09d193ac05b10d5600d4652af6ee3
- 519ca08cc6b08b027441cd95dcb7ee5be6f9328a24687ab770a65e9246e8d4e9
- 06ebe58e033b9228124a0575fddd6d2fde03afceef9ae030c92cb6640e3baebf
- 75c775c26345ddaeda2a29775263433f92e62491fdc888d8deb320970da8cd77
- 10512112e62cd1cffee4e167651897970d7fef2c004fd784addcbcd23376ea22
- 9f8eefd3199485b374728c8d51e700cc466f1a34b09f33a83b06775ebfb2f34a
- 8c7891a70dba1067308c75708ada89957324927b6c9860cad9291220869efcc1
- fc366b6b33f71cc3d5ba64551fc6c825b611045499dc8b41d2f2c70368301967
- 234f2f1ed4a13ea98074aec5de9e760c77845e8011746e51b7397b9eac3ae808
- 5edf76c338cba244ba54ea3380b39531b1fdda13dfe447b17d40f24affb9d2f5
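The indicator list above is most useful when it can be swept against a host or a container image layer. The following script is an added example and not Sysdig's tooling: it streams every regular file under a directory through SHA-256 and reports any file whose digest appears in the page's IoC set. It assumes the 64-hex-character indicators above are SHA-256 digests (an assumption, since the page does not name the algorithm), and the sample files it writes into a temporary directory are constructed for the demonstration; they match nothing real, so the demo seeds one constructed digest into a copy of the set to show a positive hit.

```python
"""Sweep a directory tree for files whose SHA-256 matches a LABRAT IoC.

Added example, not Sysdig's or the LABRAT report's own code. The indicator
set below is copied from the page; treating the values as SHA-256 digests is
an assumption. The files written by demo() are constructed for the demo.
"""
import hashlib
import os
import tempfile

# Indicators of Compromise from the page (LABRAT campaign, Sysdig).
LABRAT_SHA256 = {
    "ff4b30f45ec635f28801a24a175bbf7479fbcbf01131c7ff086ccd6cb64f2e8c",
    "4fd39d545d877720a86a1858d5af6ac50a432c13b83abc01ca1a59f96f6c67c0",
    "0654789ea795e18c762ddde2de3215092065c7d26fde122e04cbcdf399a43b02",
    "6fad185a92c7a718e80e6f0c4d5fa4155e21545cfe2edf03e70f21604deb89ba",
    "c236b6337572217eb83dc628579bcd4cd5dfb13c35cca54757f34fb9abf3edd6",
    "bee54e68d49cef7723dee09f39174245c015dd2dcf62ee8ffee6f4a156813d46",
    "7162a27a795d3ae13d0b8a6df0d7aa75fbefa74f8cb086ee46fdab0368d8ea07",
    "846ef36e262ce34203ca82ec84b95ae7bd316d162ee184845fda7b957e22b640",
    "00df3dc4fe3a1c12acf3180d097ca88e0219331ae5cb6989fa4c3262597a2aba",
    "eb6a93b1a7a05b0f644426a57a54446728868bde9a531e31cfb8849a4b3c4824",
    "34dd0357f281c0a402afa8df60452f4ff4dcb68d2de162f39514ab3ece0f18f8",
    "d475ed387f2960611833348ba740d44b707a913bcd088f9731337a909a854c4c",
    "96db518610ef5c4b08d454a0f931db619fa09d193ac05b10d5600d4652af6ee3",
    "519ca08cc6b08b027441cd95dcb7ee5be6f9328a24687ab770a65e9246e8d4e9",
    "06ebe58e033b9228124a0575fddd6d2fde03afceef9ae030c92cb6640e3baebf",
    "75c775c26345ddaeda2a29775263433f92e62491fdc888d8deb320970da8cd77",
    "10512112e62cd1cffee4e167651897970d7fef2c004fd784addcbcd23376ea22",
    "9f8eefd3199485b374728c8d51e700cc466f1a34b09f33a83b06775ebfb2f34a",
    "8c7891a70dba1067308c75708ada89957324927b6c9860cad9291220869efcc1",
    "fc366b6b33f71cc3d5ba64551fc6c825b611045499dc8b41d2f2c70368301967",
    "234f2f1ed4a13ea98074aec5de9e760c77845e8011746e51b7397b9eac3ae808",
    "5edf76c338cba244ba54ea3380b39531b1fdda13dfe447b17d40f24affb9d2f5",
}


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root, iocs=LABRAT_SHA256):
    """Return {path: sha256} for every regular file under root whose digest is in iocs.

    Symlinks are skipped (a link into /proc or a device would stall the sweep)
    and unreadable files are skipped rather than aborting the whole run.
    """
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue
            if digest in iocs:
                hits[path] = digest
    return hits


def demo():
    """Constructed demonstration. Returns (clean_hits, seeded_hits), each keyed by basename.

    clean_hits sweeps the constructed files against the page's IoC set alone
    (no match expected); seeded_hits adds one constructed digest to a copy of
    the set so that the positive path of the sweep is exercised.
    """
    with tempfile.TemporaryDirectory() as tmp:
        benign = os.path.join(tmp, "notes.txt")
        suspect = os.path.join(tmp, "bin", "worker")
        os.makedirs(os.path.dirname(suspect))
        with open(benign, "wb") as fh:
            fh.write(b"constructed benign content\n")  # constructed sample
        with open(suspect, "wb") as fh:
            fh.write(b"constructed sample binary content\n")  # constructed sample
        clean = sweep(tmp)
        # Seed the constructed file's own digest into a copy of the IoC set.
        seeded = sweep(tmp, LABRAT_SHA256 | {sha256_of_file(suspect)})
        by_name = lambda hits: {os.path.basename(p): d for p, d in hits.items()}
        return by_name(clean), by_name(seeded)


if __name__ == "__main__":
    clean_hits, seeded_hits = demo()
    print("matches against page IoCs only:", clean_hits)
    print("matches with one constructed digest seeded:", seeded_hits)
```

In practice you would point `sweep()` at an exported container filesystem or a mounted image layer rather than the live root of a running host, since a compromised host's own tooling is not trustworthy; hash matching also only catches the exact artifacts Sysdig observed, so treat a clean sweep as absence of these specific files, not absence of the campaign.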