web analytics

AESDDoS Botnet Malware Exploits CVE-2019-3396 to Perform Remote Code Execution, DDoS Attacks, and Cryptocurrency Mining

By Augusto II Remillano

Our honeypot sensors recently detected an AESDDoS botnet malware variant (detected by Trend Micro as Backdoor.Linux.AESDDOS.J) exploiting a server-side template injection vulnerability (CVE-2019-3396) in the Widget Connector macro in Atlassian Confluence Server, a collaboration software program used by DevOps professionals.

We discovered that this malware variant can perform DDoS attacks, remote code execution, and cryptocurrency mining on systems that run vulnerable versions of Confluence Server and Data Center. Atlassian already took steps to fix these issues and recommended that users upgrade to the latest version (6.15.1).

Version FamilyAffected VersionsFixed Versions
6.6.x6.6.0 – 6.6.116.6.12 and later
6.12.x6.7.0 – 6.12.26.12.3 and later
6.13.x6.13.0 – 6.13.26.13.3 and later
6.14.x6.14.0 – 6.14.16.14.2 and later

Table 1. Affected and fixed versions of Atlassian Confluence Server and Data Center

Examining the AESDDoS Botnet Malware Variant

In our analysis, we saw that an attacker was able to exploit CVE-2019-3396 to infect machines with the AESDDoS botnet malware. A shell command was remotely executed to download and execute a malicious shell script (Trojan.SH.LODEX.J), which in turn downloaded another shell script (Trojan.SH.DOGOLOAD.J) that finally installed the AESDDoS botnet malware on the affected system.

Figure 1. Code snippet of the abuse of CVE-2019-3396 via Trojan.SH.LODEX.J. The second line shows Trojan.SH.LODEX.J being downloaded from its C&C server while the third line shows the execution.

Figure 1. Code snippet of the abuse of CVE-2019-3396 via Trojan.SH.LODEX.J. The second line shows Trojan.SH.LODEX.J being downloaded from its C&C server while the third line shows the execution.

This AESDDoS variant is capable of launching various types of DDoS attacks, including SYN, LSYN, UDP, UDPS, and TCP flood. It also connects to 23[.]224[.]59[.]34:48080 to send and receive remote shell commands from the attacker.

Figure 2. Code snippet of the AESDDoS variant connecting to 23[.]224[.]59[.]34:48080

Figure 2. Code snippet of the AESDDoS variant connecting to 23[.]224[.]59[.]34:48080

Figure 3. Code snippet of the AESDDoS variant executing remote shell commands

Figure 3. Code snippet of the AESDDoS variant executing remote shell commands

This botnet malware variant can also perform information theft on infected systems. It can retrieve a system’s Model ID and CPU description, speed, family, model, and type.

Figure 4. Code snippet showing the AESDDoS variant stealing an affected system’s CPU information

Figure 4. Code snippet showing the AESDDoS variant stealing an affected system’s CPU information

The stolen system information, as well as the command and control (C&C) data, is encrypted using the AES algorithm. The said information can then be used with the AESDDoS variant’s cmdshell function to load cryptocurrency miners to affected machines.

Apart from the abovementioned capabilities, this AESDDoS variant also modifies files, i.e., /etc/rc.local and /etc/rc.d/rc.local, as an autostart technique by appending the {malware path}/{malware file name} reboot command.

Security Recommendations

Continuous monitoring in software development should be practiced in order to flag security risks in servers, data centers, and other computing environments. Since the successful exploitation of CVE-2019-3396 in Atlassian Confluence Server can put resources at risk, enterprises should be able to identify vulnerabilities, make use of the latest threat intelligence against malware or exploits, and detect modifications to the application’s design and the underlying infrastructure that hosts it.

Risks that can be introduced through third-party components can be uncovered and addressed by implementing automated security. To do this, organizations can look into Trend Micro™ Hybrid Cloud Security, a solution that provides powerful, streamlined, and automated security within the DevOps pipeline. This solution also delivers multiple XGen™ threat defense techniques for protecting physical, virtual, and cloud workloads.  In addition, it protects containers via Deep Security™ and Deep Security Smart Check, which help DevOps and security teams scan and ensure the security of container images during preruntime and runtime.

Indicators of Compromise (IoCs)

SHA-256

Detection Name

b14d5602c8aa16e3db4518832d567a4ca5b9545ce09f9a87684d58f8b1d9daafBackdoor.Linux.AESDDOS.J
2e4f18e28830771414c9d0cb99c1696d202fe001d1aa41f64d2f7ce6aef7f7c4Trojan.SH.LODEX.J
f82dc01b04dfbdab3ccaacd20449395e0175d9ab4f0732019651480358d44ac6Trojan.SH.DOGOLOAD.J


With additional insights and analysis by Jakub Urbanec

The post AESDDoS Botnet Malware Exploits CVE-2019-3396 to Perform Remote Code Execution, DDoS Attacks, and Cryptocurrency Mining appeared first on .