AESDDoS botnet exploits vulnerability in Atlassian’s Confluence server


A recently detected variant of the AESDDoS botnet is targeting a vulnerability in Atlassian’s collaborative software Confluence, Trend Micro’s security researchers have discovered.

Security experts at Trend Micro said the company's honeypot sensors detected an AESDDoS botnet malware variant that exploits a server-side template injection vulnerability (CVE-2019-3396) in the Widget Connector macro in Confluence Server.

AESDDoS botnet malware

The malware is capable of performing DDoS attacks, remote code execution, and cryptocurrency mining on compromised systems that run the vulnerable versions of Confluence Server and Data Center.

“In our analysis, we saw that an attacker was able to exploit CVE-2019-3396 to infect machines with the AESDDoS botnet malware,” security researchers said in an advisory released on Friday (April 26th) last week. “A shell command was remotely executed to download and execute a malicious shell script (Trojan.SH.LODEX.J), which in turn downloaded another shell script (Trojan.SH.DOGOLOAD.J) that finally installed the AESDDoS botnet malware on the affected system.”

The AESDDoS variant in the recent attacks is capable of launching several different types of DDoS attacks, including SYN, LSYN, UDP, UDPS, and TCP flood.

The malware can also connect to 23[.]224[.]59[.]34:48080 to send and receive remote shell commands from the attacker.

Once installed on a system, it can collect various information, including model ID and CPU description, speed, family model and type. The stolen data, as well as the command and control (C&C) data, is encrypted using the AES algorithm.

Researchers also found that this AESDDoS variant can modify files, i.e., /etc/rc.local and /etc/rc.d/rc.local, as an autostart technique by appending the {malware path}/{malware file name} reboot command.
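A defender-side check for the autostart technique described above, added here as an example and not code from Trend Micro's report. It scans rc.local-style files for commands launched from unexpected locations and for anything appended after a terminating `exit 0`; the trusted path list and the sample file contents are assumptions constructed for the demo.

```python
import os
import re
import shlex
from typing import List, Tuple

# Directories a stock rc.local is expected to launch programs from (assumption).
TRUSTED_PREFIXES = ("/bin/", "/sbin/", "/usr/", "/lib/", "/etc/", "/opt/")
AUTOSTART_FILES = ["/etc/rc.local", "/etc/rc.d/rc.local"]

def suspicious_autostart_lines(contents: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, line, reason) for rc.local entries worth a closer look."""
    findings = []
    seen_exit = False
    for lineno, raw in enumerate(contents.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.fullmatch(r"exit\s+0", line):
            seen_exit = True
            continue
        # Text appended to a file that already ends in `exit 0` lands here.
        if seen_exit:
            findings.append((lineno, line, "command placed after 'exit 0'"))
        try:
            tokens = shlex.split(line)
        except ValueError:
            findings.append((lineno, line, "unparseable shell line"))
            continue
        cmd = tokens[0] if tokens else ""
        if cmd.startswith("/") and not cmd.startswith(TRUSTED_PREFIXES):
            findings.append((lineno, line, f"executable outside trusted paths: {cmd}"))
        elif cmd.startswith(("./", "~")):
            findings.append((lineno, line, f"relative or home-directory executable: {cmd}"))
    return findings

def scan_host(paths=AUTOSTART_FILES):
    """Run the check over whichever autostart files exist on this host."""
    results = {}
    for path in paths:
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                results[path] = suspicious_autostart_lines(fh.read())
    return results

# Constructed sample: a stock-looking file with the "{path}/{file} reboot" append.
SAMPLE_RC_LOCAL = "#!/bin/sh -e\n/usr/sbin/ntpd -g\nexit 0\n/tmp/.x/sample_bot reboot\n"

if __name__ == "__main__":
    for hit in suspicious_autostart_lines(SAMPLE_RC_LOCAL):
        print(hit)
```

`scan_host()` applies the same check to the real files on a Linux host; a clean file yields an empty list.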

6.15.1 patch

Atlassian has already fixed the vulnerability in its Confluence Software and has advised users to upgrade to the latest version 6.15.1 to protect and secure their systems from that attack.

“Since the successful exploitation of CVE-2019-3396 in Atlassian Confluence Server can put resources at risk, enterprises should be able to identify vulnerabilities, make use of the latest threat intelligence against malware or exploits, and detect modifications to the application’s design and the underlying infrastructure that hosts it,” Trend Micro said.
