Security researchers have recently uncovered a new cyber-threat campaign known as the Labrat campaign. This financially motivated attack is aimed at generating revenue through cryptomining and proxyjacking, all while employing various techniques to remain undetected.
The Sysdig team identified the Labrat campaign after observing the threat actors exploiting CVE-2021-22205, a GitLab remote code execution vulnerability patched back in 2021, to compromise targeted containers. The bug is an unauthenticated RCE: GitLab passed uploaded images to ExifTool for metadata stripping, and a crafted image file could make the server run attacker-supplied commands. The attackers' ultimate goal is to profit from cryptomining and proxyjacking, a tactic in which the compromised host's unused bandwidth is sold through a proxy service, so the victim machine earns the attacker money as a node in someone else's proxy network.
To evade detection and keep the revenue flowing, the actors behind the Labrat campaign have gone to unusual lengths. Instead of the shell scripts typical of cryptojacking campaigns, they drop compiled binaries written in Go and .NET that went undetected by antivirus engines at the time of analysis. They also abuse a legitimate service, TryCloudflare (Cloudflare's free quick tunnels), to hide their command and control (C2) infrastructure: the C2 server sits behind a randomly generated *.trycloudflare.com hostname, so no attacker-owned IP address or domain is exposed to defenders.
The attackers also keep recompiling and updating those binaries to stay ahead of signatures. For persistent access they deploy Global Socket (GSocket), a legitimate open-source tool that connects both ends of a session through a relay network, so the implant needs no inbound port on the victim. GSocket offers custom relay or proxy networks, end-to-end encryption and routing over TOR, all of which make the C2 channel hard to block or attribute.
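Two of the artefacts described above are cheap to hunt for: DNS lookups of randomly named *.trycloudflare.com hosts from servers that have no reason to open a Cloudflare quick tunnel, and the GSocket client (gs-netcat) in a process listing. The script below is an added illustration, not Sysdig's or the campaign's code; the dnsmasq-style log lines and the ps output are constructed samples, and the gs-netcat flags shown are illustrative.

```python
"""Hunt for two of the Labrat tradecraft artefacts in a DNS resolver log and a
process listing.  All sample input is constructed for this example."""
import re

# Constructed dnsmasq-style query log.  A server that resolves a randomly
# named *.trycloudflare.com host is talking to a Cloudflare quick tunnel.
SAMPLE_DNS_LOG = """\
Aug 17 10:02:11 dnsmasq[812]: query[A] gitlab.example.internal from 10.0.3.14
Aug 17 10:02:13 dnsmasq[812]: query[A] quiet-owl-garden-mist.trycloudflare.com from 10.0.3.14
Aug 17 10:02:14 dnsmasq[812]: query[A] archive.ubuntu.com from 10.0.3.14
Aug 17 10:05:40 dnsmasq[812]: query[AAAA] Brave-Fog-Silent-Hill.TRYCLOUDFLARE.COM from 10.0.3.20
Aug 17 10:06:02 dnsmasq[812]: query[A] nottrycloudflare.com from 10.0.3.20
"""

# Constructed output of `ps -eo pid,user,args --no-headers`.  The GSocket
# client binary is gs-netcat; the flags on the sample line are illustrative.
SAMPLE_PS = """\
  812 dnsmasq  /usr/sbin/dnsmasq
 2231 git      /opt/gitlab/embedded/bin/ruby /opt/gitlab/embedded/service/gitlab-rails/bin/puma
 4410 git      gs-netcat -s ******** -il
 4422 root     /usr/bin/python3 /usr/lib/unattended-upgrades/unattended-upgrade-shutdown
"""

DNS_QUERY = re.compile(r"query\[[A-Z]+\] (?P<name>\S+) from (?P<src>\S+)")
TUNNEL_SUFFIX = ".trycloudflare.com"
GSOCKET_MARKERS = ("gs-netcat", "gsocket")


def find_tunnel_hosts(dns_log: str) -> list[tuple[str, str]]:
    """Return (source IP, lowercased hostname) for every *.trycloudflare.com query."""
    hits = []
    for line in dns_log.splitlines():
        m = DNS_QUERY.search(line)
        if not m:
            continue
        name = m.group("name").lower().rstrip(".")
        # Matching on the dotted suffix rejects look-alikes such as nottrycloudflare.com
        if name.endswith(TUNNEL_SUFFIX):
            hits.append((m.group("src"), name))
    return hits


def find_gsocket_processes(ps_output: str) -> list[tuple[int, str, str]]:
    """Return (pid, user, command line) for processes whose argv mentions GSocket."""
    hits = []
    for line in ps_output.splitlines():
        parts = line.split(None, 2)          # pid, user, rest of the command line
        if len(parts) < 3 or not parts[0].isdigit():
            continue
        pid, user, args = int(parts[0]), parts[1], parts[2]
        if any(marker in args.lower() for marker in GSOCKET_MARKERS):
            hits.append((pid, user, args))
    return hits


if __name__ == "__main__":
    for src, host in find_tunnel_hosts(SAMPLE_DNS_LOG):
        print(f"quick-tunnel lookup from {src}: {host}")
    for pid, user, args in find_gsocket_processes(SAMPLE_PS):
        print(f"gsocket process pid={pid} user={user}: {args}")
```

A hit on either check is a lead, not a verdict: developers do legitimately use quick tunnels, and a renamed gs-netcat binary will not match on argv, so treat a match as a prompt to pull the process's open sockets and parent chain rather than as proof of Labrat.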
The Labrat campaign is ongoing, and the threat may extend beyond proxyjacking and cryptomining: the GSocket backdoor gives the operators interactive access to every compromised system, which can be used for whatever they choose next. Organizations that find an instance compromised through CVE-2021-22205 are advised to follow their security incident and disaster recovery procedures, deprovision the compromised instance rather than attempt to clean it in place, and restore from a backup taken before the intrusion.
GitLab fixed the vulnerability in April 2021 (in versions 13.8.8, 13.9.6 and 13.10.3), so only self-managed instances still running an older version remain exposed. The company has published a blog post and a forum post to help administrators determine whether they have been impacted.
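Because the fix was backported to three release branches, "is my version vulnerable?" is not a single comparison. The helper below encodes the affected ranges from GitLab's advisory (11.9 up to, but not including, 13.8.8, 13.9.6 and 13.10.3; every later branch shipped fixed). It is an added example, not GitLab's code; the version parsing and the inventory list are our own, and the version strings are constructed.

```python
"""Classify GitLab version strings against the CVE-2021-22205 affected ranges.
Affected per GitLab's advisory: >= 11.9 and below the fixed releases 13.8.8,
13.9.6 and 13.10.3.  Parsing below is our own, not GitLab's code."""

FIRST_AFFECTED = (11, 9, 0)
# Branches that received a backported fix, mapped to the first fixed patch level.
FIXED_PATCH = {(13, 8): (13, 8, 8), (13, 9): (13, 9, 6), (13, 10): (13, 10, 3)}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn strings such as "13.10.2-ee", "v13.9.5" or "13.8" into a 3-tuple."""
    core = text.strip().lstrip("vV").split("-")[0]      # drop the -ee / -ce edition suffix
    nums = [int(p) for p in core.split(".")[:3] if p.isdigit()]
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def is_vulnerable(text: str) -> bool:
    """True if this GitLab release falls inside the CVE-2021-22205 affected ranges."""
    ver = parse_version(text)
    if ver < FIRST_AFFECTED:
        return False                        # the affected range starts at 11.9
    branch = ver[:2]
    if branch in FIXED_PATCH:
        return ver < FIXED_PATCH[branch]    # 13.8.x / 13.9.x / 13.10.x: check patch level
    return ver < (13, 8, 0)                 # 11.9 .. 13.7.x got no backport; 13.11+ is fixed


def triage(versions: list[str]) -> dict[str, list[str]]:
    """Split an inventory of instance versions into vulnerable and fixed buckets."""
    out: dict[str, list[str]] = {"vulnerable": [], "fixed": []}
    for v in versions:
        out["vulnerable" if is_vulnerable(v) else "fixed"].append(v)
    return out


if __name__ == "__main__":
    # Constructed inventory; in practice each entry comes from an instance's
    # GET /api/v4/version response, which requires an authenticated token.
    inventory = ["13.10.2-ee", "13.10.3-ee", "13.9.5", "13.7.9-ce", "11.8.9", "16.2.1-ee"]
    for state, items in triage(inventory).items():
        print(state, items)
```

The version string is available from `GET /api/v4/version` on each instance with a personal access token. Note that a "fixed" result only means the instance cannot be exploited now; an instance that ran a vulnerable version while exposed to the internet may already have been compromised and still needs the log review GitLab describes.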
The Labrat campaign serves as a reminder of the ever-evolving tactics used by cybercriminals to exploit vulnerabilities for financial gain. It underscores the importance of staying vigilant and implementing robust cybersecurity measures to protect against such threats.