Cerber ransomware hits Confluence: Cado Security dissects the three heads

April 2024 by Cado Security

Following reports of the Cerber ransomware being deployed onto servers running the Confluence application, Cado Security has today disclosed the findings of its Cado Security Labs researchers on the lesser-known Linux variant.

Cerber ransomware has been deployed in cases where an attacker exploits CVE-2023-22518 to gain access to Confluence. CVE-2023-22518 is a recent improper authorisation vulnerability that allows an attacker to reset the Confluence application and create a new administrator account.

Summary of Cado Security Labs’ findings:
• Once an administrator account is created, it can be used to gain code execution by uploading and installing a malicious module that provides a web UI for executing arbitrary commands on the host.
• The primary payload is packed with UPX, just like the other payloads. Its main purpose is to set up the environment and fetch further payloads to run. It then connects to the (now defunct) C2 server at 45[.]145[.]6[.]112 and pulls down the secondary payload, a log checker. The log checker payload, agttydck, likely serves as a permission checker. The purpose of this check isn’t exactly clear; it may test whether the tmp directory is writable, which would indicate whether the system is too locked down for the encryptor to work.
• The encryptor, agttydcb, achieves the goal of the ransomware, which is to encrypt files on the filesystem. It spawns a new thread to perform the actual encryption. The payload selects directories to encrypt by walking the root file system. In each directory it attempts to write a ransom note at //read-me3.txt. If that succeeds, it walks all files in the directory and attempts to encrypt them; if it fails, it moves on to the next directory.
• When it has identified a file to encrypt, it opens a read-write file stream to the file and reads in the entire file. The content is encrypted in memory, after which the payload seeks to the start of the stream and writes the encrypted data, overwriting the original content and leaving the file fully encrypted.
• On Linux, the file is rewritten in place rather than a new file being created and the old one deleted. This is because Linux directories may be set to append-only, preventing the outright deletion of files. Rewriting the file may also overwrite the data on the underlying storage, making recovery through advanced forensics impossible as well.
• The use of the Confluence vulnerability allows it to compromise a large number of likely high-value systems.
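As an added defensive illustration (not code from Cado Security's report), the following Python triage script walks a directory tree, flags directories that contain the read-me3.txt note described above, and applies a byte-entropy heuristic to find files in those directories that appear to have been overwritten in place with encrypted data. The entropy threshold and the constructed sample tree are assumptions for demonstration.

```python
import math
import os
import tempfile
from pathlib import Path

RANSOM_NOTE = "read-me3.txt"   # note filename reported in the Cado analysis
ENTROPY_THRESHOLD = 7.5        # bits per byte; assumed cutoff, tune for your data


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ~8.0 for encrypted/random content."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_for_cerber(root: str, max_bytes: int = 1 << 20) -> dict:
    """Report directories holding the ransom note and, within them, files whose
    first max_bytes look near-random (consistent with in-place encryption)."""
    hits = {"note_dirs": [], "suspect_files": []}
    for dirpath, _dirs, files in os.walk(root):
        if RANSOM_NOTE not in files:
            continue
        hits["note_dirs"].append(dirpath)
        for name in files:
            if name == RANSOM_NOTE:
                continue
            path = Path(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    sample = fh.read(max_bytes)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if len(sample) >= 256 and shannon_entropy(sample) >= ENTROPY_THRESHOLD:
                hits["suspect_files"].append(str(path))
    return hits


def demo() -> dict:
    """Build a constructed fixture in a temp dir and scan it: one directory with a
    note, one random-looking file and one plain-text file, plus one clean directory."""
    base = tempfile.mkdtemp(prefix="cerber-demo-")
    share = Path(base, "share")
    share.mkdir()
    (share / RANSOM_NOTE).write_text("constructed note body\n")
    (share / "report.docx").write_bytes(os.urandom(4096))  # stands in for encrypted data
    (share / "notes.txt").write_text("meeting at ten\n" * 100)  # low entropy, untouched
    Path(base, "logs").mkdir()
    Path(base, "logs", "app.log").write_text("INFO started\n" * 200)
    return scan_for_cerber(base)
```

Running demo() returns one note directory (share) and one suspect file (report.docx); the low-entropy notes.txt and the clean logs directory are not flagged.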
