Crypto-Miners Leveraging Atlassian Zero-Day Vulnerability


Last week, Atlassian warned of a critical unpatched remote code execution vulnerability affecting all Confluence Server and Data Center supported versions, tracked as CVE-2022-26134, that is being actively exploited in attacks in the wild.

Creative DApp Examples Across Different Industries

Atlassian has been made aware of the current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server. Further details about the vulnerability are being withheld until a fix is available.” reads the advisory published by the company.

Check Point Research (CPR) researchers observed a lot of exploitation attempts after the disclosure of the RCE, some of the malicious payloads employed in the attacks were used as part of the same campaign conducted by the same threat actor tracked by the security firm as 8220 gang.

The attacks were aimed at both Linux and Windows operating systems using different infection chains.

In attacks against Linux systems, the attackers exploited the flaw by sending a crafted HTTP request to the victim:

In attacks against Windows systems, the threat actors exploited the flaw to execute a PowerShell download cradle to initiate a fileless attack from a remote C&C server.

Also Read: Linux version of Black Basta ransomware encrypts VMware ESXi servers

In the Linux attack chain, the payload fetches a malware dropper script and achieves persistence via cron jobs. In the Windows attack chain, the checkit2.exe process spawns a child process (InstallUtil.exe) which connects to the C2 server.

The InstallUtil.exe process running on the system.

The malware downloads a new copy of itself, with a new name, to the Start Menu folder.

The crypto-miner now runs on the machine and exhausts all the system’s resources:

Both attack scenarios start with an initial crafted HTTP request exploiting the CVE-2022-26134 vulnerability. The attacker executes commands using the Java execution function to download a malicious payload to the victim’s machine.

Also Read: Black Basta Ransomware operators leverage QBot for lateral movements

Threat Actors

The a[.] domain and the crypto wallet we extracted from the system are related to a cybercriminal group called the “8220 gang”.












Monero Wallet:



Previous articleNew SVCReady malware loads from Word doc properties – Detection & Response
Next articleLyceum APT group new .NET-based DNS backdoor – Detection & Response
Balaganesh is a Incident Responder. Certified Ethical Hacker, Penetration Tester, Security blogger, Founder & Author of Soc Investigation.


Please enter your comment!
Please enter your name here