The z0Miner cryptojacker is now weaponizing a new Confluence vulnerability to mine for cryptocurrency on vulnerable machines. 

Security

• 8 habits of highly secure remote workers
• How to find and remove spyware from your phone
• The best VPN services: How do the top 5 compare?
• How to find out if you are involved in a data breach -- and what to do next

Trend Micro researchers said on Tuesday that the cryptocurrency mining malware is now exploiting a recently-disclosed Atlassian Confluence remote code execution (RCE) vulnerability, which was only made public in August this year. 

Tracked as CVE-2021-26084, the vulnerability impacts Confluence server versions 6.6.0, 6.13.0, 7.4.0, and 7.12.0. 

Issued a CVSS severity score of 9.8, the critical security flaw is an Object-Graph Navigation Language (ONGL) injection vulnerability that can be exploited to trigger RCE -- and is known to be actively exploited in the wild. 

The vulnerability was reported by Benny Jacob through Atlassian's bug bounty program.

z0Miner, a Trojan and cryptocurrency mining bundle, has been updated to exploit the RCE, as well as Oracle's WebLogic Server RCE (CVE-2020-14882) an ElasticSearch RCE (CVE-2015-1427), Jenkins, and other code execution bugs in popular server software.  

Once a vulnerable server has been found and the vulnerability has been used to obtain remote access, the malware will deploy a set of webshells to install and execute malicious files, including a .dll file disguised as a Hyper-V integration service, as well as a scheduled task that pretends to be a legitimate .NET Framework NGEN task. 

The task will attempt to download and execute malicious scripts from a repository on Pastebin, but as of now, the URL has been pulled. 

These initial actions are aimed at maintaining persistence on an infected machine. In its second-stage payload deployment, z0Miner will then scan and destroy any competing cryptocurrency miners installed on the server, before launching its own -- a miner that steals computing resources to generate Monero (XMR).

A patch has been released to resolve CVE-2021-26084, and as threat actors will always seek to exploit new bugs for their own ends -- the Microsoft Exchange Server attacks being a prime example -- vulnerable systems should always be updated with new security fixes as quickly as possible by IT administrators.

Previous and related coverage

• 170 Android cryptocurrency mining scam apps steal$350 000 from users
  
• Does cybercrime impact cryptocurrency prices? Researchers find out
  
• Thousands of PS4s seized in Ukraine in illegal cryptocurrency mining sting
  

Have a tip?Get in touch securely via WhatsApp Signal at +447713 025 499, or over at Keybase: charlie0