A recently detected variant of the AESDDoS botnet malware is targeting a recent vulnerability Atlassian’s collaborative software Confluence, Trend Micro’s security researchers have discovered.
The attack attempts to exploit a server-side template injection vulnerability (CVE-2019-3396) in the Widget Connector macro in Confluence Server to install malware capable of performing distributed denial of service (DDoS) attacks, remote code execution, and crypto-currency mining.
The attack involves the remote execution of a shell command to download and execute a malicious shell script that in turn would download another shell script to finally install the AESDDoS botnet malware on the compromised system.
The AESDDoS variant used in this attack can launch various types of DDoS attacks, including SYN, LSYN, UDP, UDPS, and TCP flood, Trend Micro’s security researchers say. Additionally, the malware can connect to a specific IP address to send and receive remote shell commands from the attacker.
Once installed on a system, the malware can collect various information and send it to the attackers, including model ID and CPU description, speed, family, model, and type. The gathered data and data received from the command and control (C&C) server is encrypted using the AES algorithm.
The security researchers also noticed that this AESDDoS variant can modify files as an autostart technique by appending the {malware path}/{malware file name} reboot command.
Atlassian has already patched the vulnerability in its Confluence software and users can update to version 6.15.1 to ensure they are protected from the attack.
“Since the successful exploitation of CVE-2019-3396 in Atlassian Confluence Server can put resources at risk, enterprises should be able to identify vulnerabilities, make use of the latest threat intelligence against malware or exploits, and detect modifications to the application’s design and the underlying infrastructure that hosts it,” Trend Micro notes.
