| Godzilla | |
| --- | --- |
| Type of Malware | Backdoor |
| Country of Origin | China |
| Date of initial activity | 2021 |
| Associated Groups | BeichenDream |
| Motivation | Espionage |
| Attack Vectors | Software Vulnerabilities |
| Targeted Systems | Windows |
Overview
The Godzilla malware is a sophisticated and stealthy fileless backdoor designed to target vulnerable versions of Atlassian Confluence, particularly those affected by the critical CVE-2023-22527 vulnerability. This backdoor, developed by a cybercriminal actor known as “BeichenDream,” exploits a remote code execution flaw in older Confluence servers, enabling attackers to gain unauthorized access to these systems. Unlike traditional malware, which typically relies on disk-based files that can be detected by antivirus programs, Godzilla operates entirely in memory. This fileless nature makes it exceptionally difficult to identify and mitigate with conventional security methods, such as signature-based detection or sandboxing, and poses a significant challenge for organizations relying on legacy antivirus systems.
The Godzilla backdoor is notable for its use of AES encryption to obfuscate communication, which keeps the content of the malware’s network traffic opaque to most security tools. The backdoor’s design is highly evasive, built to avoid detection during red team operations and subsequent cybersecurity assessments. The malware’s ability to remain in memory allows it to hide persistently within compromised systems, making traditional defense measures ineffective. By exploiting CVE-2023-22527, attackers are able to inject a malicious payload into the vulnerable server, which then activates the Godzilla webshell, giving them the ability to execute commands remotely, exfiltrate data, and potentially launch further attacks.
Targets
Information
How they operate
The first step in Godzilla’s operation is the exploitation of the aforementioned vulnerability. Once attackers discover a susceptible Confluence instance, they send specially crafted HTTP requests that trigger the vulnerability and execute malicious code. This remote code execution allows the attacker to upload a malicious Java-based payload into the server’s environment. The payload is designed to be stealthy, running without leaving traces in the file system, which is a key characteristic of fileless malware. The absence of file writing to disk significantly reduces the chances of traditional antivirus software detecting the malware, as it operates entirely in memory.
Once the payload is executed, the Godzilla malware installs a backdoor on the compromised system, allowing the attacker to maintain persistent access. This is achieved through the deployment of a web shell that listens for commands from the attacker. The web shell is typically concealed within the application’s legitimate web traffic, making it harder for security systems to distinguish between legitimate and malicious requests. The web shell can receive encrypted commands from the attacker, often through an encrypted HTTP or HTTPS connection, ensuring that the communications remain hidden from detection tools. These encrypted communications are typically carried out using AES encryption, which adds a layer of security for the attacker while complicating analysis for defenders.
The malware also uses process injection techniques to interact with existing system processes. By injecting malicious code into legitimate processes, Godzilla can operate under the radar, avoiding detection by monitoring systems that analyze new or suspicious executable files. This stealthy operation makes it difficult for security solutions to identify the presence of Godzilla, as it does not leave a traditional file footprint. Furthermore, the malware may leverage other evasive techniques, such as the use of obfuscated code and encrypted network traffic, to evade detection by firewalls, intrusion detection systems (IDS), and other security mechanisms.
Godzilla’s primary goal is not just to establish initial access but to maintain persistent control over the compromised server. It employs multiple methods of defense evasion, including fileless execution and encryption, to avoid detection by security tools. This persistence is crucial, as it allows attackers to use the compromised server for various malicious activities, including further exploitation, credential theft, and data exfiltration. The encrypted command-and-control (C2) channel enables the malware to receive updates and additional instructions, thus enhancing its flexibility and adaptability. Godzilla can also be used to deploy additional malicious payloads or ransomware, depending on the attacker’s objectives.
In conclusion, the Godzilla malware represents a sophisticated and stealthy threat that leverages several advanced techniques, such as exploitation of unpatched vulnerabilities, fileless execution, encrypted communications, and process injection. Its ability to remain undetected while maintaining persistent access makes it a dangerous tool in the hands of cybercriminals. Organizations vulnerable to this malware must ensure that their Confluence servers are updated with the latest patches and implement robust security measures, including intrusion detection systems and network monitoring tools capable of identifying encrypted malicious traffic. Through a combination of proactive defense and rapid response capabilities, organizations can mitigate the risks posed by this increasingly common and evolving threat.
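As an added defender-side example (not code from this page or from the Godzilla project), the following Python triage routine applies two of the signals described above to constructed HTTP request records: OGNL expression markers in request parameters, and strict-base64 POST bodies whose decoded bytes have near-maximal entropy, as AES ciphertext does. The record field names, paths and sample records are assumptions made for the example.

```python
import base64
import hashlib
import math
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# OGNL/EL expression markers that show up in template-injection requests (heuristic, not exhaustive)
OGNL_MARKERS = re.compile(r"#\{|\$\{|%\{|@[A-Za-z_][\w.]*@")
ENTROPY_THRESHOLD = 7.0  # bits per byte; AES ciphertext approaches 8.0, text and JSON stay far below

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def decode_if_base64(body: str) -> Optional[bytes]:
    """Decoded bytes if body is strict base64 (as an encrypted web shell POST body would be), else None."""
    try:
        return base64.b64decode(body, validate=True)
    except (ValueError, TypeError):
        return None

def classify_request(req: Dict[str, str]) -> List[str]:
    """Return the heuristics one request record triggers ({'method','path','query','body'})."""
    reasons = []
    if OGNL_MARKERS.search(unquote_plus(req.get("query", "") + "&" + req.get("body", ""))):
        reasons.append("ognl-expression-in-request")  # possible CVE-2023-22527 exploitation attempt
    if req.get("method") == "POST":
        raw = decode_if_base64(req.get("body", ""))
        # ignore tiny bodies (under 256 bytes), where the entropy estimate is too noisy to trust
        if raw is not None and len(raw) >= 256 and shannon_entropy(raw) >= ENTROPY_THRESHOLD:
            reasons.append("high-entropy-post-body")  # consistent with AES-encrypted web shell traffic
    return reasons

def triage(requests: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map record index -> reasons, for every record that triggers at least one heuristic."""
    return {i: r for i, r in enumerate(classify_request(q) for q in requests) if r}

# Constructed sample records, not real traffic; the ciphertext stand-in is a deterministic SHA-256 stream
FAKE_CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/pages/viewpage.action", "query": "pageId=1234", "body": ""},
    {"method": "POST", "path": "/template/example.vm", "query": "", "body": "label=%23%7B7*7%7D"},
    {"method": "POST", "path": "/plugins/servlet/example", "query": "", "body": base64.b64encode(FAKE_CIPHERTEXT).decode()},
    {"method": "POST", "path": "/rest/api/content", "query": "", "body": base64.b64encode(b'{"title":"Meeting notes","body":"Agenda for Monday"}' * 8).decode()},
]
```

Calling `triage(SAMPLE_REQUESTS)` flags only the OGNL probe and the encrypted-looking POST; the base64-encoded JSON body decodes to ordinary text and stays below the entropy threshold, which is the false positive this check is designed to avoid.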
MITRE Tactics and Techniques
Initial Access (TA0001)
Exploitation of Public-Facing Application (T1190): The Godzilla malware exploits the CVE-2023-22527 vulnerability in Atlassian Confluence, allowing the attacker to gain initial access to a target system by exploiting a remote code execution (RCE) vulnerability in the application.
Execution (TA0002)
Command and Scripting Interpreter (T1059): The Godzilla malware uses Java-based scripting methods to execute its malicious payload, relying on Object-Graph Navigation Language (OGNL) expression evaluation and JavaScript execution to manipulate the Confluence server and load the malicious backdoor.
In-Memory Execution (T1203): The malware operates entirely in memory, meaning it does not write malicious files to disk, making it harder to detect with traditional file-based detection systems.
Persistence (TA0003)
Web Shell (T1505.003): Once the Godzilla backdoor is executed, it installs a web shell that enables continued access to the compromised server. This allows the attacker to maintain persistence on the system and perform further malicious actions.
Application Layer Protocol (T1071): The malware uses encrypted communication (AES encryption) to interact with its C2 server, bypassing detection mechanisms while maintaining persistent control.
Privilege Escalation (TA0004)
Exploitation for Privilege Escalation (T1068): By leveraging the vulnerability in Confluence (CVE-2023-22527), Godzilla may allow the attacker to escalate privileges within the compromised server environment. This could enable the attacker to gain higher levels of control over the server and its resources.
Defense Evasion (TA0005)
Fileless (T1055): Godzilla is fileless malware, meaning it does not rely on files stored on disk, which makes detection more difficult for traditional antivirus solutions that rely on signature-based methods.
Obfuscated Files or Information (T1027): The malware employs AES encryption to obfuscate its communications, helping it evade detection by network monitoring tools or intrusion detection systems (IDS) looking for anomalous traffic.
Process Injection (T1055): While Godzilla primarily operates in memory, its methods involve interacting with the system’s memory and processes, which is akin to injecting malicious code into existing processes for stealth.
Credential Dumping (TA0006)
OS Credential Dumping (T1003): Godzilla could serve as a platform for further credential dumping or credential harvesting if the attackers use it to reach sensitive credentials stored on the system. This is not directly mentioned in the analysis, but it remains a possible tactic.
Command and Control (TA0011)
Application Layer Protocol (T1071): The encrypted communication used by Godzilla is typically handled over HTTP or HTTPS, which allows the attacker to control the compromised server while avoiding detection. The use of encrypted communication ensures that the backdoor’s commands and responses are concealed.
Exfiltration (TA0010)
Exfiltration Over Command and Control Channel (T1041): While the primary goal of Godzilla appears to be maintaining persistent access, it can also be used for exfiltrating sensitive data over the established command and control channel.