Cerber Linux Ransomware Exploits Atlassian Servers


Attackers often deploy Linux ransomware because of Linux's prevalence in server environments, where targets hold critical data and offer higher potential payouts.

Following recent reports, cybersecurity analysts at Cado Security Labs analyzed the Linux variant of the Cerber ransomware, which is being deployed on Confluence servers via CVE-2023-22518.

Unlike the well-covered Windows version, little is known about the Linux variant.

It consists of three highly obfuscated, 64-bit, UPX-packed C++ ELF payloads, an older approach now that threat actors favor languages such as Rust or Go.

Technical Analysis

The aging C++ payloads, almost 8 years old but still receiving updates, suggest that the original language and tooling choices persist despite Cerber's decreasing activity since its 2016 peak.

While Cerber campaigns are infrequent nowadays, this one leverages the popular Confluence vulnerability for distribution.

Following an attacker’s use of CVE-2023-22518, researchers tracked Cerber ransomware cases on compromised Confluence. 

The flaw lies in an unsecured configuration-restore endpoint: a threat actor can use it to create a new administrator account, which in turn enables code execution and deployment of the ransomware.


By default, the ransomware encrypts important data but is restricted to files owned by the "confluence" user; this highlights how much broader its encryption capability would be with higher-privilege access.

Recreation of installing a web shell on a Confluence instance (Source – Cado Security)

Multiple Payloads

There are three payloads, described below:

Primary Payload

The primary Cerber payload is a highly obfuscated, UPX-packed C++ stager that connects to 45.145.6.112 to download and unpack further components. 

It creates a lock file at /var/lock/0init-ld.lo, pulls a “log checker” (agttydck) to /tmp/agttydck.bat, executes it passing /tmp and ck.log as arguments, then fetches and drops the encrypted encryptor (agttydcb) at /tmp/agttydcb.bat. 

After agttydck finishes, the stager self-deletes if /tmp/ck.log exists.

The stager decodes agttydcb from the encoded file using an as-yet-unknown mechanism and overwrites it on disk as an ELF executable, while continuing to run in memory.

The stager’s purpose is staging the environment for the more potent encryptor payload.

Log Check Payload – Agttydck

The highly obfuscated, UPX-packed C++ “log checker” payload agttydck attempts to write “success” to a file path constructed from its arguments (e.g. /tmp/ck.log). 

Its return code indicates whether the write succeeded or failed.

This likely checks file write permissions to determine if the system is too locked down for the encryptor to function properly. 

Running it in a separate process from the stager may also be an attempt to detect sandboxes with improper file handling, which would prevent the stager from learning that the log file was created.

Overall, agttydck serves as a simple permission and potential sandbox-checking mechanism before deploying the final encrypted payload.

Encryptor – Agttydcb

The core encryptor, agttydcb, is a highly obfuscated, UPX-packed C++ payload that self-deletes, creates what appear to be debugging log files (/tmp/log.0 and /tmp/log.1), and then spawns an encryption thread.

It walks the filesystem from the root directory, dropping ransom notes in writable directories, then opens each file, reads it, encrypts the contents in memory, and overwrites the file with the encrypted data, appending a .L0CK3D extension.

Ransom note by Cerber (Source – Cado Security)
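The host artifacts named in the three payload sections above (lock file, dropped binaries, ck.log marker, debug logs, .L0CK3D extension) can be turned into a quick triage check. The script below is an added example, not Cado Security's tooling; it scans relative to a caller-supplied root so it can be pointed at a mounted disk image, and the sample tree it builds is constructed for the demo (the Confluence data directory path is assumed).

```python
import os
import tempfile
from pathlib import Path

# Host artifacts named in the write-up above, relative to "/". Taking the root as a
# parameter lets the same check run against a mounted disk image or evidence copy.
CERBER_FILE_ARTIFACTS = {
    "var/lock/0init-ld.lo": "stager lock file",
    "tmp/agttydck.bat": "log checker (agttydck) dropped by stager",
    "tmp/agttydcb.bat": "encryptor (agttydcb) dropped by stager",
    "tmp/ck.log": "write-test marker left by agttydck",
    "tmp/log.0": "encryptor debug log",
    "tmp/log.1": "encryptor debug log",
}
ENCRYPTED_SUFFIX = ".L0CK3D"

def scan_for_cerber_indicators(root, max_encrypted=1000):
    """Report which stager/encryptor artifacts exist under `root` and how many
    files carry the .L0CK3D extension (count capped at max_encrypted)."""
    root = Path(root)
    artifacts = {p: why for p, why in CERBER_FILE_ARTIFACTS.items() if (root / p).exists()}
    encrypted = 0
    for _dirpath, _dirs, files in os.walk(root):
        encrypted += sum(1 for f in files if f.endswith(ENCRYPTED_SUFFIX))
        if encrypted >= max_encrypted:  # a hit is already certain; stop walking
            break
    return {"artifacts": artifacts, "encrypted_files": min(encrypted, max_encrypted)}

def verdict(result):
    """Triage state for the scan result; encrypted files outrank staging artifacts."""
    if result["encrypted_files"]:
        return "encryption observed"
    if result["artifacts"]:
        return "staging artifacts present"
    return "no Cerber indicators"

def make_constructed_sample():
    """Throwaway tree imitating a host after the stager ran and the encryptor
    overwrote two Confluence files. Constructed for this demo, not real evidence."""
    base = Path(tempfile.mkdtemp(prefix="cerber-demo-"))
    for rel in ("var/lock/0init-ld.lo", "tmp/agttydck.bat", "tmp/ck.log"):
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_bytes(b"")
    data = base / "var/atlassian/application-data/confluence"  # assumed data dir
    data.mkdir(parents=True)
    (data / "confluence.cfg.xml.L0CK3D").write_bytes(b"\x00")
    (data / "attachments.tar.L0CK3D").write_bytes(b"\x00")
    (data / "README.txt").write_text("untouched")
    return base
```

On a live host, call `scan_for_cerber_indicators("/")`; on a mounted image, pass its mount point instead.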

Cerber is aging ransomware, but it remains relatively sophisticated.

It is capable of exploiting the Confluence vulnerability to infiltrate a great number of potentially high-value systems.

However, it should be noted that the data it can encrypt is typically limited to Confluence data only.
