Cybersecurity experts from Deepwatch spotted activity from threat actors (TA) that “highly likely” exploited a security flaw in the Atlassian Confluence server (CVE-2022-26134) to deploy a new backdoor dubbed “Ljl” against a number of unnamed organizations.
Deepwatch’s Adversary Tactics and Intelligence group (ATI) described the findings in an advisory published on Tuesday.
After gaining initial access, the TA, dubbed TAC-040, would have run various commands to enumerate the local system, network and Active Directory environment.
Additionally, Deepwatch said the TA likely used RAR and 7zip to archive files and folders from multiple directories, including registry hives.
According to network logs, TAC-040 exfiltrated a total of around 700 MBs of archived data before the victim took the server offline.
Before disconnecting, however, the TA would have dropped a never-before-seen backdoor, called “Ljl Backdoor” onto the compromised server.
“TAC-040 has the capability to create or access custom, never-before-seen malware,” the advisory reads.
In terms of the motifs behind the attacks, Deepwatch said they were likely espionage-related, but the company cannot completely rule out that they were financially motivated, since it said it also spotted a loader for an XMRig crypto miner on the system.
Targets of TAC-040 were organizations that conduct research in healthcare, education, international development, and environmental and agriculture, as well as some that provide technical services.
For context, the Atlassian vulnerability suspected to have been exploited by TAC-040 is an Object-Graph Navigation Language (OGNL) injection bug that allows for arbitrary code execution on a Confluence Server or Data Center instance.
The issue was addressed by Atlassian in June, but this is not the first time since then that unpatched systems get exploited by hackers.
For instance, in July Microsoft’s Security Intelligence team said it spotted a campaign by TA 8220 targeting i686 and x86_64 Linux systems that used RCE exploits for CVE-2022-26134 and CVE-2019-2725 (Oracle WebLogic) for initial access.