The PolySwarm Blog


Cerber Ransomware Linux Variant Exploiting CVE-2023-22518

Apr 22, 2024 2:02:42 PM / by The Hivemind

Cerber Ransomware
Related Families: Effluence

Executive Summary

A Linux variant of Cerber ransomware was observed exploiting CVE-2023-22518, a vulnerability affecting Atlassian Confluence.

Key Takeaways

  • A Linux variant of Cerber ransomware was observed exploiting CVE-2023-22518, a vulnerability affecting Atlassian Confluence.
  • Cerber ransomware has been active since at least 2016, and consists of three C++ payloads.
  • CVE-2023-22518 is a critical vulnerability that results in improper authorization, allowing a threat actor to reset Confluence and create a Confluence administrator account. 

What is the Cerber Linux Variant?

A Linux variant of Cerber ransomware was observed exploiting CVE-2023-22518, a vulnerability affecting Atlassian Confluence. Cado Security recently reported on this activity.

Cerber ransomware has been active since at least 2016. A Cerber variant was observed exploiting CVE-2023-22518 in late 2023. Cado Security more recently observed the Linux variant of Cerber being deployed after a threat actor exploited CVE-2023-22518, which is described in more detail below. 

Post exploitation, the threat actors uploaded and installed the Effluence web shell plugin to execute arbitrary commands on the victim machine. The threat actor used the web shell to download and run Cerber. Cerber consists of three C++ payloads. In the Linux variant, the payloads are compiled in ELF format and packed with UPX.

The primary payload is highly obfuscated and serves as a stager for additional payloads, which are retrieved from the C2. Upon execution, it deletes itself from the disk.  

The second payload is a log check payload. It attempts to write the string "success" to a log file and appears to be used to detect sandboxing or to determine the malware's permission level on the system.

The third payload is an encryptor, which is used to encrypt system files. It looks for directories to encrypt, writes a ransom note in each directory, and overwrites files with their encrypted content, appending the .L0CK3D extension to the files. 
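The encryptor leaves two on-disk artifacts a responder can hunt for: files renamed with the .L0CK3D extension and a ransom note in each affected directory. The script below is an added example (not PolySwarm or Cado tooling) that walks a filesystem, reports every directory holding .L0CK3D files, checks that those files look encrypted by measuring their byte entropy, and flags small plain-text neighbours as candidate ransom notes. The bulletin does not give the note's filename, so notes are matched by shape rather than by name; the sample tree it builds, including the `ransom-note.txt` name, is constructed for the example.

```python
"""Hunt for artifacts of the Cerber Linux encryptor: .L0CK3D files and a
ransom note dropped beside them.  Added example, not PolySwarm or Cado code."""
import math
import os
import tempfile

ENCRYPTED_EXT = ".L0CK3D"
README_NOTE = "ransom-note.txt"   # assumed name, used only in the sample tree
NOTE_MAX_BYTES = 8192


def shannon_entropy(data):
    """Bits per byte; properly encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_text(path, probe=512):
    """True if the first `probe` bytes are printable ASCII or whitespace."""
    with open(path, "rb") as f:
        chunk = f.read(probe)
    if not chunk:
        return False
    return all(32 <= b < 127 or b in (9, 10, 13) for b in chunk)


def scan_tree(root, entropy_threshold=7.5):
    """Return {directory: {"encrypted", "high_entropy", "notes"}} for every
    directory under root that contains .L0CK3D files."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        encrypted = sorted(f for f in files if f.endswith(ENCRYPTED_EXT))
        if not encrypted:
            continue
        high_entropy, notes = [], []
        for f in encrypted:
            with open(os.path.join(dirpath, f), "rb") as fh:
                if shannon_entropy(fh.read(65536)) >= entropy_threshold:
                    high_entropy.append(f)
        for f in files:
            if f.endswith(ENCRYPTED_EXT):
                continue
            p = os.path.join(dirpath, f)
            try:
                if os.path.getsize(p) <= NOTE_MAX_BYTES and looks_like_text(p):
                    notes.append(f)
            except OSError:
                continue
        hits[dirpath] = {"encrypted": encrypted,
                         "high_entropy": high_entropy,
                         "notes": sorted(notes)}
    return hits


def build_constructed_tree(root):
    """Lay out a small sample tree mimicking the encryptor's output.
    Constructed for this example; random bytes stand in for ciphertext."""
    docs = os.path.join(root, "home", "user", "docs")
    clean = os.path.join(root, "home", "user", "clean")
    os.makedirs(docs)
    os.makedirs(clean)
    for name in ("report.docx", "photo.jpg"):
        with open(os.path.join(docs, name + ENCRYPTED_EXT), "wb") as f:
            f.write(os.urandom(4096))
    with open(os.path.join(docs, README_NOTE), "w") as f:
        f.write("Your files have been encrypted.\n")
    with open(os.path.join(clean, "notes.txt"), "w") as f:
        f.write("nothing to see here\n")
    return docs, clean


def constructed_scan():
    """Build the sample tree in a temp dir and scan it; returns (docs, clean, hits)."""
    root = tempfile.mkdtemp(prefix="cerber-hunt-")
    docs, clean = build_constructed_tree(root)
    return docs, clean, scan_tree(root)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_tree(target) if target else constructed_scan()[2]
    for d, info in results.items():
        print(d, info)
```

Run it with a mount point as the first argument to scan a suspect host; with no argument it scans the constructed tree. A directory listed with encrypted files but an empty `high_entropy` list deserves a closer look, since a file that merely got renamed was not actually overwritten with ciphertext.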

What is CVE-2023-22518?

CVE-2023-22518 is a critical vulnerability affecting Confluence Data Center and Server. It was first disclosed on October 31, 2023. The vulnerability results in improper authorization, allowing a threat actor to reset Confluence and create a Confluence administrator account. The threat actor can use the newly created account to perform administrative actions. Atlassian Cloud is not affected by this vulnerability.  

IOCs

PolySwarm has multiple samples of the Cerber Linux variant.


4ed46b98d047f5ed26553c6f4fded7209933ca9632b998d265870e3557a5cdfe

1849bc76e4f9f09fc6c88d5de1a7cb304f9bc9d338f5a823b7431694457345bd
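The payload description above (ELF binaries packed with UPX) and the two hashes listed here are enough for a first-pass static triage. The script below is an added example, not PolySwarm tooling: it parses the ELF identification bytes and e_type/e_machine fields, looks for the `UPX!` signature that the UPX packer writes into its output, and compares the file's SHA-256 against the IOC set from this bulletin. The header it builds for the self-test is a constructed stub, not a real Cerber sample.

```python
"""Static triage for Cerber Linux variant samples: ELF check, UPX marker check
and SHA-256 comparison against this bulletin's IOCs.  Added example."""
import hashlib
import struct

# SHA-256 IOCs listed in this bulletin.
CERBER_LINUX_SHA256 = {
    "4ed46b98d047f5ed26553c6f4fded7209933ca9632b998d265870e3557a5cdfe",
    "1849bc76e4f9f09fc6c88d5de1a7cb304f9bc9d338f5a823b7431694457345bd",
}

ELF_MAGIC = b"\x7fELF"
# UPX stores this signature in the binaries it packs. A modified packer can
# strip it, so "no marker" only means "not obviously UPX".
UPX_MARKER = b"UPX!"


def elf_header(data):
    """Parse the ELF ident bytes plus e_type/e_machine.
    Returns None when the buffer does not start with an ELF header."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    bits = {1: 32, 2: 64}.get(data[4])      # EI_CLASS
    fmt = {1: "<", 2: ">"}.get(data[5])     # EI_DATA
    if bits is None or fmt is None:
        return None
    e_type, e_machine = struct.unpack(fmt + "HH", data[16:20])
    return {
        "bits": bits,
        "endian": "little" if fmt == "<" else "big",
        "e_type": {2: "EXEC", 3: "DYN"}.get(e_type, hex(e_type)),
        "e_machine": {3: "x86", 62: "x86-64", 183: "aarch64"}.get(
            e_machine, hex(e_machine)),
    }


def triage_bytes(data, iocs=CERBER_LINUX_SHA256):
    """Verdict dict for one file's contents."""
    digest = hashlib.sha256(data).hexdigest()
    hdr = elf_header(data)
    return {
        "sha256": digest,
        "is_elf": hdr is not None,
        "elf": hdr,
        "upx_packed": UPX_MARKER in data,
        "ioc_match": digest in iocs,
    }


def triage_file(path, iocs=CERBER_LINUX_SHA256):
    with open(path, "rb") as f:
        return triage_bytes(f.read(), iocs)


def constructed_sample():
    """Minimal 64-bit little-endian x86-64 ELF header followed by a UPX
    marker.  Constructed stub for the self-test, not a real sample."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)   # class, data, version, ABI, pad
    hdr = ident + struct.pack("<HH", 2, 62)              # ET_EXEC, EM_X86_64
    return hdr + bytes(44) + UPX_MARKER + b"\x00" * 16


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(p, triage_file(p))
    else:
        print(triage_bytes(constructed_sample()))
```

A hash match is conclusive only for these exact files; the stager retrieves further payloads from the C2, so an `is_elf` plus `upx_packed` hit on an unknown binary found next to a Confluence install is a reason to submit it rather than to dismiss it.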


You can use the following CLI command to search for all Cerber samples in our portal:

$ polyswarm link list -f Cerber



Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.


Topics: Threat Bulletin, Ransomware, Linux, Cerber, CVE-2023-22518, Confluence
