Deepwatch ATI detects and responds to never before discovered backdoor deployed using Confluence vulnerability for suspected Espionage

By Ben Nichols, Threat Detection Researcher & Eric Ford, Sr. Threat Intelligence Analyst

Estimated Reading Time: 3 minutes

Note: This post is an excerpt from a full report. To read the complete analysis, click here to download the report as a PDF.

Deepwatch’s Adversary Tactics and Intelligence group (ATI) recently responded to an incident after a suspicious tool, nb.exe (NBTscan, a tool that scans for open NETBIOS nameservers to find open shares), was observed and escalated to the victim, an organization in the research and technical services sector, by Deepwatch Squad analysts. 

Note: To track threat activity clusters observed during incident response engagements, the Deepwatch Threat Intel Team uses Threat Activity Cluster designations (TAC-###) to track similar activity across multiple engagements. The Deepwatch Threat Intel Team tracks the activity covered in this report as TAC-040.

ATI’s thorough analysis determined that the attack occurred at the end of May over a seven-day period. TAC-040 highly likely exploited a vulnerability in an Atlassian Confluence server. The evidence indicates that the threat actor executed malicious commands with a parent process of tomcat9.exe in Atlassian’s Confluence directory.

After the initial compromise, the threat actor ran various commands to enumerate the local system, network, and Active Directory environment. Additionally, the threat actors used RAR and 7zip to archive files and folders from multiple directories, including registry hives. Network logs suggest TAC-040 exfiltrated around 700 MB of archived data before the victim took the server offline.
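As an added detection example (not code from the Deepwatch report), the following Python flags process-creation events in which the Confluence Tomcat service spawns a shell or one of the tools named above. The event field names follow a Sysmon-style JSON export and the sample events are constructed, not telemetry from the incident; adjust both to your own schema.

```python
"""Flag suspicious child processes of the Confluence Tomcat service.

Assumes Windows process-creation events exported as JSON lines with the
Sysmon-style fields ParentImage, Image, CommandLine and UtcTime.
"""
import json
from pathlib import PureWindowsPath

# Exploitation of Confluence shows up as the Tomcat service process spawning
# shells or tooling it never runs as part of normal operation.
TOMCAT_IMAGES = {"tomcat9.exe"}
# Tools named in the report (NBTscan as nb.exe, RAR, 7zip) plus the usual
# interpreters and enumeration binaries an attacker runs through a web shell.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "nb.exe", "rar.exe", "7z.exe", "7za.exe",
    "whoami.exe", "net.exe", "nltest.exe", "git.exe",
}

def _basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()

def is_suspicious(event: dict) -> bool:
    """True when a Tomcat process under a Confluence path spawns a flagged child."""
    parent_path = event.get("ParentImage", "").lower()
    parent = _basename(parent_path)
    child = _basename(event.get("Image", ""))
    return parent in TOMCAT_IMAGES and "confluence" in parent_path and child in SUSPICIOUS_CHILDREN

def find_suspicious(jsonl: str) -> list[dict]:
    """Return the flagged events from a JSON-lines export, in input order."""
    hits = []
    for line in jsonl.splitlines():
        if line.strip():
            event = json.loads(line)
            if is_suspicious(event):
                hits.append(event)
    return hits

# Constructed sample events (hypothetical paths, not data from the incident).
TOMCAT = r"C:\Program Files\Atlassian\Confluence\bin\tomcat9.exe"
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"UtcTime": "2022-05-30 02:11:04", "ParentImage": TOMCAT, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"UtcTime": "2022-05-30 02:15:40", "ParentImage": TOMCAT, "Image": r"C:\Windows\Temp\nb.exe", "CommandLine": "nb.exe"},
    # Archiver launched from cmd.exe, one level down the tree: this rule only
    # checks the immediate parent, so a tree-walking rule is needed to catch it.
    {"UtcTime": "2022-05-30 02:40:12", "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Program Files\WinRAR\rar.exe", "CommandLine": "rar a out.rar"},
    {"UtcTime": "2022-05-30 03:00:00", "ParentImage": TOMCAT, "Image": r"C:\Program Files\Atlassian\Confluence\jre\bin\java.exe", "CommandLine": "java"},
])

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit["UtcTime"], hit["CommandLine"])
```

Against the constructed sample the rule flags the cmd.exe and nb.exe events only; the rar.exe event is missed because its direct parent is cmd.exe, which is why production rules should also walk process ancestry.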

Furthermore, they dropped a never-before-seen backdoor, dubbed “Ljl Backdoor”, onto the compromised server. You can read Deepwatch’s complete analysis with associated observables of this file in Part 2 of this threat report.

During ATI’s investigation of this incident, an XMRig crypto-miner was observed in the forensic artifacts. Deepwatch assesses that the XMRig related artifacts could be the result of multiple threat actors based on known threat actor activity related to cryptominers. Deepwatch’s technical analysis of this loader with associated observables can be read in Part 3 of this threat report.

Key Findings

  • CVE-2022-26134 was highly likely exploited to gain initial access
  • TAC-040 cloned numerous tools from GitHub; one tool, CrackMapExec, serves as an attack framework that contains multiple tools
  • TAC-040 has the capability to create or access custom, never-before-seen malware
  • It is likely that TAC-040’s goal was espionage-related. However, we cannot completely rule out that they were financially motivated
  • Organizations that conduct research in healthcare, education, international development, and environmental and agricultural fields, as well as those that provide technical services, are likely targets of this threat actor

Note About Estimative Language: To convey the possibility or probability of our hypothesis, the Deepwatch Threat Intel Team employs probabilistic language in our assessments. Because analytical assessments are not certain, we use terms to denote that our hypothesis has a lower or greater than even chance of possibility or probability. 

For instance, terms like unlikely, improbable, highly unlikely, or highly improbable denote that our hypothesis has a lower than even chance of possibility or probability. Likewise, words like likely, probable, highly likely, or highly probable indicate that our hypothesis has a higher than even chance of possibility or probability. 

Moreover, a “roughly even chance” denotes that our hypothesis has a roughly 50% possibility or likelihood of occurring. In addition, terms such as “might,” “could,” or “may” reflect situations in which we are unable to assess the likelihood, generally because relevant information is unavailable, sketchy, or fragmented.

Note About Analytic Assurance: Weighing the following factors allows us to assign our assessments and estimates with high, moderate, or low levels of assurance: the complexity of the analytical task; the robustness, number, and applicability of analytic techniques employed, and the degree to which the results coincide; overall source reliability; the degree of corroboration and agreement amongst sources if multiple sources were available; analyst collaboration, expertise, and experience on the subject matter or topic; and finally, we account for any time pressures and deadlines faced by the analyst.
