
Mysterious threat actor TAC-040 used previously undetected Ljl Backdoor

A threat actor, tracked as TAC-040, exploited the Atlassian Confluence flaw CVE-2022-26134 to deploy the previously undetected Ljl Backdoor.

Cybersecurity firm Deepwatch reported that a threat actor, tracked as TAC-040, has likely exploited the CVE-2022-26134 flaw in Atlassian Confluence servers to deploy a previously undetected backdoor dubbed Ljl Backdoor. The attackers exploited the flaw in an attack against an unnamed organization in the research and technical services sector.

The attack took place in May and lasted seven days; analysis of the network logs suggests TAC-040 exfiltrated around 700 MB of data from the victim system.

“ATI’s thorough analysis determined that the attack occurred during the end of May over a seven day period. TAC-040 highly likely exploited a vulnerability in an Atlassian Confluence server. The evidence indicates that the threat actor executed malicious commands with a parent process of tomcat9.exe in Atlassian’s Confluence directory.” reads the analysis published by Deepwatch.

Experts also speculated that the attackers could alternatively have exploited the Spring4Shell vulnerability (CVE-2022-22965) to gain initial access to the Confluence web application.

After the initial compromise, the attackers ran multiple commands to enumerate the local system, network, and Active Directory environment.

The researchers discovered the presence of an XMRig crypto-miner on the compromised system.

“The threat actor likely utilized a memory-based webshell or opted to run commands directly through the exploit, as no dropper commands or forensic records of an on-disk webshell were recovered. Several open-source reports detail similar defense/detection avoidance techniques concerning the exploitation of CVE-2022-26134, but technical details on these techniques are sparse.” continues the report.
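The evidence the report describes (commands whose parent process is tomcat9.exe in the Confluence directory, with no on-disk webshell left to find) is exactly what a process-lineage check catches. The following is an added example written for this article, not code from the Deepwatch report; it runs over constructed Sysmon-style process-creation events, and the install path, field names and child-process list are assumptions.

```python
import ntpath
from typing import Optional

# Child processes a Confluence web server should not spawn on its own.
# Assumed list for illustration; tune it to your environment.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "whoami.exe",
    "net.exe", "nltest.exe", "git.exe", "certutil.exe",
}

def is_confluence_tomcat(parent_image: str) -> bool:
    """True when the parent is tomcat9.exe under an Atlassian Confluence install."""
    path = parent_image.lower()
    return (ntpath.basename(path) == "tomcat9.exe"
            and "\\atlassian\\confluence\\" in path)

def classify(event: dict) -> Optional[str]:
    """Label one process-creation event, or return None when it looks normal."""
    if not is_confluence_tomcat(event.get("ParentImage", "")):
        return None
    child = ntpath.basename(event.get("Image", "").lower())
    if child in SUSPICIOUS_CHILDREN:
        return f"confluence tomcat9.exe spawned {child}"
    return None

def scan(events: list) -> list:
    """Return (event index, label) for every event that trips the check."""
    hits = []
    for i, ev in enumerate(events):
        label = classify(ev)
        if label:
            hits.append((i, label))
    return hits

# Constructed sample events (Sysmon Event ID 1 style); the path is assumed.
CONFLUENCE_TOMCAT = r"C:\Program Files\Atlassian\Confluence\bin\tomcat9.exe"
SAMPLE_EVENTS = [
    {"ParentImage": CONFLUENCE_TOMCAT, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": CONFLUENCE_TOMCAT, "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": "conhost.exe"},  # console host: expected noise
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},  # an admin opening a shell: benign
    {"ParentImage": CONFLUENCE_TOMCAT,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-ComputerInfo"},
]

if __name__ == "__main__":
    for idx, label in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {label} :: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Because the rule keys on lineage rather than on a file on disk, it fires whether the commands came from an in-memory webshell or straight from the exploit.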

The Deepwatch Threat Intel Team confirmed that Ljl Backdoor is a never-before-seen, persistent backdoor that implements the following capabilities:

  • Reverse Proxy.
  • Query whether the victim is active or idle.
  • Exfiltrate files/directories.
  • Load arbitrary and remotely downloaded .NET assemblies as “plugins.”
  • Get user accounts.
  • Get the foreground window and window text.
  • Get victim system information, such as CPU name, GPU name, hardware ID, BIOS manufacturer, mainboard name, total physical memory, LAN IP address, and MAC address.
  • Get victim geographic information, such as ASN, ISP, country name, country code, region name, region code, city, postal code, continent name, continent code, latitude, longitude, metro code, time zone, and date and time.

Once TAC-040 achieved persistence on the target systems, it employed various publicly available open-source tools cloned from GitHub, including:

  • NetRipper
  • PowerSploit
  • Invoke-Vnc
  • CME-PowerShell-Scripts
  • CrackMapExec: attack framework with multiple tools
  • Invoke-Obfuscation
  • SessionGopher
  • mimipenguin
  • mimikittenz
  • RID_Hijacking
  • RandomPS-Scripts

At this time it is unclear who is behind TAC-040; experts speculate that it operates to gather intelligence, although the discovery of the XMRig crypto miner on the system suggests it could be financially motivated.

The Monero address managed by the threat actors has netted at least 652 XMR (more than $100K).

“Regarding this activity cluster, there are still a few unanswered questions. First and foremost, we cannot be certain of TAC-040’s intentions and goals due to visibility gaps. However, it is likely that TAC-040’s goal was espionage-related. However, we cannot completely rule out that they were financially motivated. The Threat Intel Team needs additional evidence to build confidence in this hypothesis.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, Ljl Backdoor)


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. Author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
