Security researchers have recently uncovered a new financially motivated cyber-threat campaign known as Labrat. This campaign aims to generate money through cryptomining and proxyjacking while utilizing various techniques to remain undetected.
The team at Sysdig discovered the Labrat campaign when they observed threat actors compromising a targeted container through the legacy GitLab remote code execution vulnerability CVE-2021-22205. The ultimate goal of the attackers is to profit from cryptomining and proxyjacking, a tactic where compromised systems are rented out to create a proxy network.
To ensure a steady revenue stream, the threat group behind Labrat is going to great lengths to evade detection by security researchers and network defenders. Instead of using simple scripts as their malware, the attackers have opted for compiled binaries written in Go and .NET that were not being flagged by detection tools at the time, a choice that lets the malware blend in more effectively. Additionally, the attackers have abused a legitimate service called TryCloudflare to mask their command and control (C2) network.
Furthermore, the Labrat attackers constantly update their binaries to avoid detection. They also employ a legitimate open-source tool called Global Socket (GSocket) to maintain persistence. GSocket, similar to Netcat, has legitimate uses but can also be leveraged by attackers. Its features, such as custom relay or proxy network capabilities, encryption, and TOR integration, make it a powerful tool for stealthy C2 communications.
The campaign is ongoing, and there are concerns that it may extend beyond proxyjacking and cryptomining. The backdoor used by the attackers provides access to compromised systems, indicating that there may be additional malicious activities planned.
For organizations affected by CVE-2021-22205, GitLab recommends following security incident and disaster recovery processes: deprovision the compromised instance and restore from the latest known-good backup to a new GitLab instance. The vulnerability has been patched since 2021, so only customers still running vulnerable versions are exposed. GitLab has provided resources, including a blog post and a forum post, to help users determine whether they have been impacted.
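A first step in determining exposure is simply confirming which GitLab release an instance runs. The following version check is an added example written for this article; it is not code from the article, from Sysdig, or from GitLab. The version boundaries it encodes (affected from 11.9 onward, fixed in 13.8.8, 13.9.6 and 13.10.3) are taken from the public GitLab advisory for CVE-2021-22205 rather than from the text above, and the sample version strings are constructed for illustration.

```python
"""Classify a GitLab version string as patched or not for CVE-2021-22205.

Boundaries below come from GitLab's public advisory (assumption: not stated
on the page being edited):
  - affected: 11.9.0 and later
  - fixed:    13.8.8, 13.9.6, 13.10.3 and every later release
"""
import re
from typing import Tuple

Version = Tuple[int, int, int]

# First release that shipped the vulnerable ExifTool image-handling path.
FIRST_AFFECTED: Version = (11, 9, 0)

# Backported fixes on the 13.8 and 13.9 release branches; 13.10.3 and
# everything newer (13.11, 14.x, ...) is covered by the general check.
BRANCH_FIXES = {
    (13, 8): (13, 8, 8),
    (13, 9): (13, 9, 6),
}
FIXED_MAINLINE: Version = (13, 10, 3)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(raw: str) -> Version:
    """Turn strings such as '13.10.2-ee' or '13.9.6' into an int tuple.

    Edition suffixes (-ee, -ce, build metadata) are ignored because they do
    not affect whether the fix is present.
    """
    match = _VERSION_RE.match(raw.strip())
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {raw!r}")
    return tuple(int(part) for part in match.groups())  # type: ignore[return-value]


def is_vulnerable(raw: str) -> bool:
    """Return True if the given release still lacks the CVE-2021-22205 fix."""
    version = parse_version(raw)
    if version < FIRST_AFFECTED:
        return False                      # predates the affected code path
    if version >= FIXED_MAINLINE:
        return False                      # 13.10.3 or any later release
    branch_fix = BRANCH_FIXES.get(version[:2])
    if branch_fix is not None:
        return version < branch_fix       # 13.8.x / 13.9.x backport check
    return True                           # 11.9 .. 13.10.2 with no backport


def triage(versions):
    """Map each constructed sample version to its status for a quick report."""
    return {v: ("VULNERABLE" if is_vulnerable(v) else "patched") for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample_inventory = ["13.10.2-ee", "13.10.3-ce", "13.9.5", "13.8.8", "14.2.0", "11.8.3"]
    for version, status in triage(sample_inventory).items():
        print(f"{version:<12} {status}")
```

On a live instance the version string can be read from the admin area or the `/api/v4/version` endpoint by an authenticated administrator; feed that value to `is_vulnerable`. A "patched" result only rules out this specific vulnerability and says nothing about whether the host was already compromised before patching, which is why GitLab's guidance above focuses on rebuilding from a known-good backup.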
In conclusion, the Labrat campaign highlights the evolving tactics used by cybercriminals to generate profits through cryptomining and proxyjacking. Organizations must remain vigilant and take proactive measures to protect their systems from such threats.