A new attack vector exploits the CVE-2023-22527 vulnerability in older Atlassian Confluence versions to deploy the in-memory Godzilla backdoor.
A loader is first introduced into the compromised server; it activates the Godzilla webshell, a backdoor of Chinese origin that uses AES encryption for its communications and evades detection by residing only in memory.
Legacy antivirus solutions struggle to detect fileless malware like Godzilla, highlighting the need for regular patching and advanced security solutions.
Atlassian released a security advisory for CVE-2023-22527 in January 2024, and Trend Micro provided technical analysis and coverage of the vulnerability, which has been linked to cryptomining activities.
The Godzilla in-memory backdoor, developed by BeichenDream, was created in response to the frequent detection of traditional webshells during red team operations; it employs AES encryption to evade detection by security products.
This stealthy backdoor is designed to operate within the memory of Tomcat and other middleware, making it difficult to detect using signature-based, sandboxing, whitelisting, or machine learning-based protection methods.
Its in-memory nature and encryption capabilities significantly reduce its static detection rate across various security vendor products.
The attacker leveraged a vulnerability in the Struts2 framework (CVE-2023-22527) to execute arbitrary OGNL expressions.
By exploiting this vulnerability, they injected malicious JavaScript into the application; the application's ScriptEngineManager evaluated the JavaScript, which added a specific header to the response to signal successful execution.
The malicious JavaScript also included Base64-encoded data that was loaded into memory using sun.misc.Unsafe, potentially for further malicious activities.
The MemGodValueShell Java malware leverages reflection and thread inspection to dynamically load a custom Tomcat valve, GodzillaValue, from a Base64-encoded string.
GodzillaValue, which extends ValveBase, handles HTTP requests and responses by using AES128 encryption and decryption with a hardcoded key and password for authentication and payload encryption.
It waits for a specific HTTP request with a designated Accept-Language header and encrypted payload class. Upon receiving this request, it initializes the payload class and executes commands, encrypting and decrypting them using the same cryptographic methods.
The query identifies Atlassian Java processes that executed commands on Windows systems. It filters events by event subscription ID (eventSubId:2) and checks that both the process command (processCmd) and the parent command (parentCmd) contain “atlassian” and “java.”
It also searches for object names containing “Windows\System32\” or “bin\” to identify likely execution locations, which helps detect unauthorized or suspicious command executions within Atlassian Java environments on Windows platforms.
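The hunting logic described above, re-implemented in Python as an added example (not the article's or Trend Micro's own query) and run over constructed process-event records; the field names eventSubId, processCmd, parentCmd and objectCmd, the event shape, and case-insensitive matching are assumptions.

```python
from typing import Dict, Iterable, List

# Constructed sample telemetry (not real data). Each dict mimics one Windows
# process event; field names are assumed to mirror the query in the text.
SAMPLE_EVENTS: List[Dict] = [
    {   # Confluence JVM (itself started by Java) spawning cmd.exe: expected hit
        "eventSubId": 2,
        "parentCmd": r"C:\Atlassian\Confluence\jre\bin\java.exe -Dcatalina.base=C:\Atlassian\Confluence",
        "processCmd": r"C:\Atlassian\Confluence\jre\bin\java.exe -cp confluence.jar Runner",
        "objectCmd": r"C:\Windows\System32\cmd.exe /c whoami",
    },
    {   # Service start: parent is services.exe, so the parent test fails
        "eventSubId": 2,
        "parentCmd": r"C:\Windows\System32\services.exe",
        "processCmd": r"C:\Atlassian\Confluence\jre\bin\java.exe -Dcatalina.base=C:\Atlassian\Confluence",
        "objectCmd": r"C:\Atlassian\Confluence\jre\bin\java.exe",
    },
    {   # Java-to-Java, but the object path is neither System32 nor a bin\ dir
        "eventSubId": 2,
        "parentCmd": r"C:\Atlassian\Confluence\jre\bin\java.exe -Dcatalina.base=C:\Atlassian\Confluence",
        "processCmd": r"C:\Atlassian\Confluence\jre\bin\java.exe -jar synchrony.jar",
        "objectCmd": r"C:\Atlassian\Confluence\synchrony\synchrony-standalone.jar",
    },
    {   # Wrong event subtype (assumed: not a process-execution event)
        "eventSubId": 1,
        "parentCmd": r"C:\Atlassian\Confluence\jre\bin\java.exe",
        "processCmd": r"C:\Atlassian\Confluence\jre\bin\java.exe",
        "objectCmd": r"C:\Windows\System32\cmd.exe /c whoami",
    },
]


def is_atlassian_java_exec(event: Dict) -> bool:
    """True when an event satisfies every condition of the described query."""
    if event.get("eventSubId") != 2:            # eventSubId:2 filter
        return False
    parent = event.get("parentCmd", "").lower()
    proc = event.get("processCmd", "").lower()
    # Both the process and its parent must be Atlassian-bundled Java
    if not all(tok in parent and tok in proc for tok in ("atlassian", "java")):
        return False
    obj = event.get("objectCmd", "").lower()    # execution location of the object
    return "windows\\system32\\" in obj or "bin\\" in obj


def find_atlassian_java_execs(events: Iterable[Dict]) -> List[Dict]:
    """Return the subset of events the query would surface for triage."""
    return [e for e in events if is_atlassian_java_exec(e)]


if __name__ == "__main__":
    for hit in find_atlassian_java_execs(SAMPLE_EVENTS):
        print("suspicious:", hit["objectCmd"])
```

The broad “bin\” clause is kept as the text describes it; in practice it will also surface routine Java-to-Java launches under a bin directory, so hits should be triaged rather than alerted on blindly.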
The CVE-2023-22527 vulnerability remains a pressing security threat, with a wide range of malicious actors exploiting it to compromise systems globally. Organizations using Atlassian Confluence must prioritize patching their servers to mitigate the risks associated with this attack.
According to Trend Micro, implementing security solutions can provide comprehensive protection against threat actors and help organizations safeguard their environments from similar threats.
Indicators of compromise, such as the hashes dfeccdc0c1d28f1afd64a7bb328754d07eead10c and 2cb94ce0b147303b7beb91f034d0dc7fa734dbcb, can assist in identifying potential compromise.