LabRat Operation: Cryptomining Campaign Uses TryCloudflare to Conceal Infrastructure

August 18, 2023

Sysdig, a cloud security firm, has recently uncovered a new financially driven operation named 'LabRat'. This operation uses signature-based tools and stealthy cross-platform malware to evade detection and leverages TryCloudflare to conceal its command-and-control (C&C) infrastructure. The campaign primarily focuses on cryptomining and proxyjacking.

The attackers behind LabRat employ binaries written in Go and .NET, kernel-based rootkits, and C&C tools to bypass firewalls. They exploited a high-severity vulnerability, CVE-2021-22205, which affects GitLab Community Edition (CE) and Enterprise Edition (EE) versions 11.9 to 13.10.3, 13.9.6, and 13.8.8. This vulnerability, which was patched in April 2021, allows for unauthenticated remote code execution. The attackers used it to deploy a script to ensure persistence, terminate specific processes to evade defenses, download additional binaries, and perform lateral movement by harvesting SSH keys.

In order to mask their infrastructure, the attackers created subdomains using Cloudflare’s TryCloudflare service. They simply needed to download and install Cloudflared, and then run a specific command. Via TryCloudflare, the attackers redirected connections to a password-protected server hosting the initial script, generating a new subdomain for each iteration of the script. The attackers also directly linked to a private GitLab repository hosting various binaries, some of which were recently uploaded and not yet detected by antivirus services.
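A defender-side illustration, added here and not part of Sysdig's report or this article: a small Python hunt over constructed DNS and process log lines that flags lookups of random *.trycloudflare.com names (one name per quick tunnel, so several distinct names from a single host is itself worth a look) and launches of a cloudflared tunnel. The log format, host names, subdomains and commands are all assumed.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the Sysdig report): DNS queries and
# process starts in a simple key=value export. Host names, subdomains and
# commands are made up for illustration.
SAMPLE_LOGS = """\
2023-08-18T10:01:02Z host=web01 type=dns query=updates.corp.internal
2023-08-18T10:01:09Z host=web01 type=dns query=quiet-planet-abc.trycloudflare.com
2023-08-18T10:02:15Z host=web01 type=proc cmd="/tmp/cloudflared tunnel --url http://localhost:8080"
2023-08-18T10:03:40Z host=db02 type=dns query=soft-river-xyz.trycloudflare.com
2023-08-18T10:04:01Z host=db02 type=proc cmd="/usr/bin/curl -fsSL https://soft-river-xyz.trycloudflare.com/s"
2023-08-18T10:06:22Z host=db02 type=dns query=soft-river-xyz.trycloudflare.com
"""

# Each quick tunnel gets a random label under trycloudflare.com; capture the label.
TRYCLOUDFLARE_RE = re.compile(r"\b([a-z0-9-]+)\.trycloudflare\.com\b")
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) type=(?P<type>\w+) (?P<rest>.*)$")
# Assumed indicator: a cloudflared binary started with the "tunnel" subcommand.
CLOUDFLARED_RE = re.compile(r'cmd="(?P<cmd>[^"]*cloudflared[^"]*\btunnel\b[^"]*)"')


def analyze(log_text):
    """Return per-host TryCloudflare labels, cloudflared launches, and findings."""
    subdomains = defaultdict(set)   # host -> set of trycloudflare.com labels seen
    launches = []                   # (host, cmd) for cloudflared tunnel starts
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, kind, rest = m["host"], m["type"], m["rest"]
        for label in TRYCLOUDFLARE_RE.findall(rest):
            subdomains[host].add(label)
        if kind == "proc":
            c = CLOUDFLARED_RE.search(rest)
            if c:
                launches.append((host, c["cmd"]))
    findings = []
    for host, labels in sorted(subdomains.items()):
        findings.append(f"{host}: contacted {len(labels)} trycloudflare.com name(s): "
                        f"{', '.join(sorted(labels))}")
    for host, cmd in launches:
        findings.append(f"{host}: cloudflared quick tunnel started: {cmd}")
    return {"subdomains": dict(subdomains), "launches": launches, "findings": findings}


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS)["findings"]:
        print(finding)
```

Because the actor generated a fresh subdomain per script iteration, blocking individual names is futile; alerting on the trycloudflare.com suffix and on unexpected cloudflared processes is the durable check.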

Sysdig also found a variant of the attack in which a Solr server was used instead of TryCloudflare. The server, which pointed to a legitimate webpage, was likely compromised by the attackers and repurposed for the operation. The LabRat operators also used the open-source tool Global Socket (GSocket) to maintain persistent access to the infected systems. This tool offers a custom relay or proxy network, encryption, and connectivity over the Tor network.

While investigating the repositories used in this campaign, Sysdig found files related to a Russian proxyware service called ProxyLite[.]ru, and XMRig binaries connecting to various mining pools, including three that were not detected as malicious. The cybersecurity firm also found evidence that, in previous attacks, the threat actor used a kernel-based rootkit to hide the cryptomining process, a rootkit that also gave them full control over the infected systems. Sysdig notes, “The stealthy and evasive techniques and tools used in this operation make defense and detection more challenging. Since the goal of the LabRat operation is financial, time is money. The longer a compromise goes undetected, the more money the attacker makes and the more it will cost the victim.”
