This cryptocurrency miner is exploiting the new Confluence remote code execution bug

The z0Miner cryptojacker is now weaponizing a new Confluence vulnerability to mine for cryptocurrency on vulnerable machines. 

Trend Micro researchers said on Tuesday that the cryptocurrency mining malware is now exploiting a recently-disclosed Atlassian Confluence remote code execution (RCE) vulnerability, which was only made public in August this year. 

Tracked as CVE-2021-26084, the vulnerability impacts Confluence server versions 6.6.0, 6.13.0, 7.4.0, and 7.12.0. 

Issued a CVSS severity score of 9.8, the critical security flaw is an Object-Graph Navigation Language (OGNL) injection vulnerability that can be exploited to trigger RCE — and is known to be actively exploited in the wild.

The vulnerability was reported by Benny Jacob through Atlassian’s bug bounty program.

z0Miner, a Trojan and cryptocurrency mining bundle, has been updated to exploit the RCE, as well as Oracle's WebLogic Server RCE (CVE-2020-14882), an Elasticsearch RCE (CVE-2015-1427), Jenkins, and other code execution bugs in popular server software.

Once a vulnerable server has been found and the vulnerability has been used to obtain remote access, the malware will deploy a set of webshells to install and execute malicious files, including a .dll file disguised as a Hyper-V integration service, as well as a scheduled task that pretends to be a legitimate .NET Framework NGEN task. 

The task will attempt to download and execute malicious scripts from a repository on Pastebin, but as of now, the URL has been pulled. 

These initial actions are aimed at maintaining persistence on an infected machine. In its second-stage payload deployment, z0Miner will then scan and destroy any competing cryptocurrency miners installed on the server, before launching its own — a miner that steals computing resources to generate Monero (XMR).
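The persistence step described above relies on a scheduled task that borrows the name of the legitimate .NET Framework NGEN task. One defensive check is to list every task whose name or folder references NGEN or the .NET Framework and report any whose action runs a binary outside the .NET installation root. The PowerShell below is an added example written for this article, not code from Trend Micro or from the malware analysis; it assumes that genuine NGEN tasks execute a program under `%SystemRoot%\Microsoft.NET\`, and it does not know the task name z0Miner actually used, so it matches on the generic pattern only.

```powershell
# Added example (not from the article): flag scheduled tasks that use an NGEN-style
# name but whose executable does not live under the .NET Framework install root.
# Assumption: legitimate NGEN tasks run a binary beneath $env:SystemRoot\Microsoft.NET\.
$netRoot = Join-Path $env:SystemRoot 'Microsoft.NET'

function Find-SuspiciousNgenTask {
    Get-ScheduledTask | Where-Object {
        $_.TaskName -match 'NGEN|\.NET Framework' -or $_.TaskPath -match '\.NET Framework'
    } | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # COM-handler actions have no Execute property; only exec actions are checked here.
            if (-not $action.Execute) { continue }

            # Expand %SystemRoot%-style variables and strip quoting before comparing paths.
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')

            if (-not $exe.StartsWith($netRoot, [StringComparison]::OrdinalIgnoreCase)) {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    Execute   = $exe
                    Arguments = $action.Arguments
                    State     = $task.State
                }
            }
        }
    }
}

# Run from an elevated prompt so tasks registered by other principals are visible.
Find-SuspiciousNgenTask | Format-Table -AutoSize
```

A hit is not proof of compromise on its own: third-party software occasionally registers its own NGEN-named tasks. Treat the output as a triage list and confirm by inspecting the binary, its signature, and the task's registration time with `Get-ScheduledTaskInfo`.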

A patch has been released to resolve CVE-2021-26084, and as threat actors will always seek to exploit new bugs for their own ends — the Microsoft Exchange Server attacks being a prime example — vulnerable systems should always be updated with new security fixes as quickly as possible by IT administrators.
