A threat group tracked as TAC-040 is allegedly abusing a vulnerability in an Atlassian Confluence server to deploy a new backdoor dubbed Ljl. The backdoor has mainly been deployed in the networks of organisations operating in critical services sectors.
According to the researchers, the attack was active for about seven days during the last weeks of May this year. About 700MB of sensitive files were exfiltrated before the targeted server was temporarily shut down by its admins.
Based on reports, the attackers used the never-before-seen malware called Ljl in their attacks. They also executed malicious commands under a parent process named tomcat9[.]exe running from the Confluence directory.
After the initial infection, the Ljl backdoor ran a series of commands to enumerate the network, Active Directory, and the local system.
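The behaviour described above, a web application server process spawning shells and discovery tools, is a pattern defenders can alert on from ordinary process-creation telemetry. The following is an added example, not code from the article or from the researchers it cites; the event field names, the Windows paths and the sample events are all constructed assumptions, and the list of "discovery" binaries is a starting point to tune rather than a complete one.

```python
"""Detection sketch: shells or discovery tools spawned by the Confluence Tomcat process.

Added example (not from the article). Models process-creation records as a SIEM
might expose them after normalising a Sysmon or EDR feed; field names are assumed.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Child images that a Java web application server has no legitimate reason to
# launch. Covers the network / Active Directory / local-system enumeration
# the article describes; extend the set to match your environment.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe",
    "whoami.exe", "net.exe", "net1.exe", "nltest.exe",
    "ipconfig.exe", "systeminfo.exe", "tasklist.exe", "nslookup.exe",
}

# The Tomcat service that hosts Confluence (name taken from the article).
CONFLUENCE_PARENT = "tomcat9.exe"


@dataclass(frozen=True)
class ProcessEvent:
    timestamp: str
    parent_image: str   # full path of the parent executable
    image: str          # full path of the child executable
    command_line: str


def basename(path: str) -> str:
    """Case-insensitive file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def is_confluence_child_anomaly(ev: ProcessEvent) -> bool:
    """True when the Confluence Tomcat process spawns a shell or discovery tool."""
    return (basename(ev.parent_image) == CONFLUENCE_PARENT
            and basename(ev.image) in SUSPICIOUS_CHILDREN)


def scan(events: list[ProcessEvent]) -> list[ProcessEvent]:
    """Return the events that should raise an alert."""
    return [ev for ev in events if is_confluence_child_anomaly(ev)]


# Constructed sample telemetry: two anomalous events and two benign ones.
SAMPLE_EVENTS = [
    ProcessEvent("2022-05-20T10:01:03Z",
                 r"C:\Program Files\Atlassian\Confluence\bin\tomcat9.exe",
                 r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c whoami"),
    ProcessEvent("2022-05-20T10:01:05Z",
                 r"C:\Program Files\Atlassian\Confluence\bin\tomcat9.exe",
                 r"C:\Windows\System32\net.exe",
                 "net view /domain"),
    ProcessEvent("2022-05-20T10:02:00Z",
                 r"C:\Program Files\Atlassian\Confluence\bin\tomcat9.exe",
                 r"C:\Program Files\Java\jre\bin\java.exe",
                 "java -Xms1024m -jar confluence.jar"),   # benign: Tomcat starting the JVM
    ProcessEvent("2022-05-20T10:03:00Z",
                 r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\cmd.exe",
                 "cmd.exe"),                              # benign: an admin's interactive shell
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"ALERT {hit.timestamp}: {basename(hit.parent_image)} -> {hit.command_line}")
```

The rule keys on the parent process name rather than on the exact commands, because the commands an intruder runs vary while the parent-child relationship does not; in a real deployment you would also restrict the parent path to the Confluence install directory and suppress known maintenance scripts.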
The researchers also found an XMRig cryptominer on the infected system, indicating that the attackers mined cryptocurrency on it. Furthermore, one of the Monero wallet addresses attributed to the threat actors had collected more than $100,000.
The Ljl backdoor targets organisations that are essential to a country's well-being.
The Ljl backdoor operators targeted several organisations with ongoing research in healthcare, education, environment, agriculture, international development, and firms offering technical services.
According to an analysis, the Ljl backdoor is a trojan designed to collect files and user account information, load arbitrary .NET payloads, and harvest system information together with the victim's geographic location.
The backdoor has several further capabilities: it can act as a reverse proxy, query whether the victim is active or idle, gather files, and retrieve the foreground window and its window text.
The researchers claimed that the intrusion could have been achieved by exploiting one of two known vulnerabilities. The first candidate is an Object-Graph Navigation Language (OGNL) injection vulnerability that allows a user to execute arbitrary code on Confluence Data Centre.
The other candidate is the Spring4Shell flaw, which could have been used to gain initial access to the Confluence web application.
Many researchers believe the threat actors deployed the XMRig miner as a decoy to hide their true motive: they made the intrusion look like a cryptomining operation, but they were conducting cyberespionage.