LabRat: A Stealthy and Evasive Financially Motivated Operation Exploiting CVE-2021-22205

In the ever-evolving landscape of cyber threats, a newly discovered financially motivated operation known as LabRat has emerged. It leverages a combination of signature-based tools and stealthy cross-platform malware to remain undetected. This article delves into the intricate workings of LabRat, highlighting its exploitation of CVE-2021-22205, its obfuscation tactics using Cloudflare’s TryCloudflare service, and the discovery of a private GitLab repository housing undetected binaries.

Exploiting CVE-2021-22205

LabRat operators capitalized on CVE-2021-22205, a critical-severity vulnerability impacting GitLab. By exploiting this vulnerability, the attackers deployed a script for persistence and lateral movement, enabling them to establish a firm foothold in the targeted systems. This critical weakness served as a gateway for their further malicious activities.

Obfuscation with Cloudflare’s TryCloudflare

To disguise their infrastructure and hinder detection efforts, the LabRat attackers employed an array of subdomains created through Cloudflare’s TryCloudflare service. By utilizing this service, they obscured their malicious activities and made it challenging for defenders to accurately pinpoint their locations. The obfuscation tactics employed by LabRat added an extra layer of complexity to the already elusive nature of this operation.

Utilizing a Private GitLab Repository

In a cunning move, the LabRat attackers directly linked to a private GitLab repository that hosted various undetected binaries, some of which eluded antivirus services at the time. By leveraging this repository, the threat actors ensured the persistent availability and effectiveness of their malware, further complicating its detection and containment.

In addition to employing TryCloudflare, LabRat exhibited adaptability by using a compromised Solr server as an alternate mechanism. This variation demonstrated the attackers’ proficiency in exploiting different vulnerabilities and their flexibility in matching their tactics to the available opportunities. The use of a compromised Solr server added another layer of complexity to the overall attack methodology.

LabRat operators demonstrated their technical prowess by utilizing the open-source tool GSocket, granting them persistent access to infected systems. This allowed them to maintain control over compromised machines, enabling them to manipulate and exploit them for financial gain. The use of GSocket showcased the attackers’ in-depth knowledge of various tools and techniques used in the arsenal of modern cybercriminals.

Discovery of ProxyLite.ru and XMRig Binaries

During the investigation into LabRat’s activities, files related to the Russian proxyware service ProxyLite.ru and XMRig binaries for mining were discovered in the repositories used by the attackers. These findings shed light on the motive behind the operation and hinted at the potential involvement of the attackers in cryptocurrency mining schemes. The inclusion of mining binaries pointed towards monetary gain as a significant driving force behind LabRat’s activities.

Previous Use of a Rootkit for Full Control

LabRat’s previous attacks revealed the utilization of a kernel-based rootkit, used to conceal the cryptomining process while granting the attackers full control over infected systems. By leveraging a rootkit, the threat actors not only advanced their evasion capabilities but also gained extensive control over compromised systems, allowing them to further their malicious objectives unhindered. This sophisticated technique solidified LabRat’s status as a formidable adversary in the cybersecurity landscape.

Challenges in Defense and Detection

The stealthy and evasive techniques employed by LabRat make defending against and detecting their activities significantly more challenging. The utilization of signature-based tools combined with cross-platform malware makes it difficult for traditional security measures to identify and combat such threats effectively. This emphasizes the need for comprehensive and robust defense mechanisms that can adapt to the ever-evolving tactics employed by malicious actors.

The Impact of Undetected Compromises

The longer the compromise goes undetected, the more money the attacker makes, and the greater the cost for the victim. LabRat’s financially motivated operations underscore the immediate and long-term consequences faced by organizations that fall victim to such attacks. Beyond financial losses, compromised systems can suffer reputational damage, legal consequences, and a loss of customer trust. The impact of undetected compromises highlights the urgent need for proactive cybersecurity measures and rapid incident response capabilities.

LabRat’s sophisticated and financially motivated operation poses substantial challenges for defenders and detection mechanisms. By exploiting vulnerabilities like CVE-2021-22205, leveraging obfuscation techniques, and persistently accessing infected systems, the attackers leave little room for error. To effectively combat adversaries like LabRat, organizations must deploy robust cybersecurity measures, stay updated on emerging threats, employ advanced defense mechanisms, and develop resilient incident response capabilities. Only through a proactive and comprehensive approach can organizations hope to fortify their defenses against such stealthy and evasive threats, minimizing the risk of compromise and subsequent financial and reputational damage.

Explore more