Silent Intrusions: Godzilla Fileless Backdoors Targeting Atlassian Confluence

Sept. 2, 2024, 4:20 p.m.

Description

Trend Micro researchers have identified a new attack vector exploiting CVE-2023-22527 in older versions of Atlassian Confluence Data Center and Server. The attack deploys an in-memory, fileless backdoor known as the Godzilla webshell, which uses AES encryption for its command-and-control communication and remains memory-resident to evade disk-based detection. The vulnerability allows unauthenticated attackers to achieve remote code execution. The attack chain consists of exploiting the vulnerability, injecting a loader into the victim server, and using that loader to activate the Godzilla webshell in memory. This sophisticated Chinese-language backdoor poses significant challenges for legacy anti-virus solutions, highlighting the importance of regular server patching and advanced security measures such as memory-based detection.

Date

  • Created: Sept. 2, 2024, 4:06 p.m.
  • Published: Sept. 2, 2024, 4:06 p.m.
  • Modified: Sept. 2, 2024, 4:20 p.m.

Attack Patterns

  • Godzilla
  • T1048.001
  • T1505.003
  • T1055.003
  • T1573.001
  • T1059.004
  • T1140
  • T1190
  • CVE-2023-22527