Silent Intrusions: Godzilla Fileless Backdoors Targeting Atlassian Confluence

Summary

Trend Micro researchers identified a new attack vector that exploits the CVE-2023-22527 through the deployment of an in-memory fileless backdoor known as the Godzilla webshell. CVE-2023-22527 is a vulnerability affecting older versions of the Atlassian Confluence Data Center and Server that allows attackers to perform remote code execution.
In such an attack, a loader is introduced into a compromised Atlassian server, subsequently activating the Godzilla webshell.
Godzilla is a sophisticated Chinese-language backdoor that uses AES encryption for communication and remains in-memory to avoid disk-based detection mechanisms.
Legacy anti-virus solutions struggle to detect fileless malware, so the discovery of this new kind of attack underscores the importance of regularly patching servers and using more advanced security solutions.

We observed a new attack vector of weaponization for the vulnerability CVE-2023-22527 using the Godzilla backdoor. Following initial exploitation, a loader was loaded into the Atlassian victim server which loads a Godzilla webshell. On January 16, 2024, Atlassian released a security advisory for CVE-2023-22527, a vulnerability that affects Confluence Data Center and Confluence Server products. In response to this, Trend Micro released its own technical analysis and coverage of the vulnerability, which has also been associated with crypto-mining activities.

The vulnerability is marked critical with a Common Vulnerability Scoring System (CVSS) score of 10. By exploiting this flaw, an unauthenticated attacker has the potential to exploit a template injection vulnerability found in older versions of Confluence Data Center and Server, enabling remote code execution (RCE) on the affected instance.

Godzilla Webshell

Upon analysing the backdoor, it was identified as the Chinese-language Godzilla in-memory backdoor. This backdoor was developed by a user named “BeichenDream”, who created it in response to existing webshells frequently being detected by security products during red team operations. The author claims that Godzilla avoids detection by using Advanced Encryption Standard (AES) encryption for its network traffic and boasts a very low static detection rate across various security vendor products. The project idea of a servlet-based, in-memory shell for Tomcat and other middleware was first proposed by the user “feihong-cs”.

The main issue with malware fileless techniques is that they are extremely challenging to detect if customers are relying on legacy anti-virus, which use signature-based methods, sandboxing, whitelisting, or sometimes even machine learning protection methods.

Initial Access

The attack begins with the exploitation of CVE-2023-22527 using velocity.struts2.context to execute OGNL object (Figures 1 and 2).

Figure 2. Malicious request for CVE-2023-22527 exploitation

Figure 3. Code snippet of the malicious payload

Diving deep into the malicious payload (Figure 3), we discovered:

The attacker using OGNL object to read a parameter called x. In the parameter’s value, through the help of ScriptEngineManager, the attack evaluates a JavaScript code. The reason the attacker is using objects linking chains could be because of a OGNL template issue in that if its length is longer than ~200 characters, it will be blocked based on the struts.ognl.expressionMaxLength setting.
As per the JavaScript code, attacker adds the header x_evc_ecneulfnoc to make sure the object has been loaded successfully, which will be shown in the response (Figure 4).

Figure 4. The response contains the header in case of successful object loading

The second part of the JavaScript code has an object called data that contains Base64, which will be loaded as an anonymous class in-memory using sun.misc.Unsafe.

Malware

After decoding the Base64 value of this anonymous class, its compiled java code program is called MemGodValueShell.

As shown in Figure 5, the MemGodValueShell class has four attributes: uri, serverName, standardContext, and valveString. These are used to store various pieces of information during the execution of the class methods.

MemGodValueShell has three methods: getField is a method that uses reflection to retrieve the value of a private field from an object (Figure 6). It traverses the class hierarchy to find the field.

The second method in the class is getStandardContext (Figure 7). This method attempts to retrieve the StandardContext object by iterating over all threads in the current thread group. It checks for threads that are part of the StandardEngine or Acceptor components of Tomcat. It retrieves various internal fields using reflection to navigate through the server's internal structure.

The last and the main method is the class constructor MemGodValueShell (Figure 8). This constructor method performs several actions:

Loads the Valve class from the current thread's context class loader.
Retrieves the StandardContext object using the getStandardContext method.
Iterates over all threads in the current thread group.
For each thread, if it is not named "exec", the method:

Retrieves the target object of the thread
Checks if the target object is an instance of Runnable
Retrieves the global field from the target object
Iterates over the processors and retrieves the request (req) object
Retrieves the serverPort, serverNameMB, and decodedUriMB fields from the request object
Decodes the valveString from Base64 to a byte array
Defines a new class using the defineClass method of the ClassLoader
Instantiates the new class and adds it as a valve to the pipeline of the StandardContext

Figure 8. MemGodValueShell constructor method

For easy troubleshooting, we printed some data, as shown in Figures 9 and 10:

Figure 9. Custom debugging for the MemGodValueShell constructor method

Figure 10. Custom debugging for the MemGodValueShell constructor method

In summary, MemGodValueShell does the following:

Reflection Usage – The code heavily uses Java Reflection to access private fields and methods of classes
Thread Inspection – It inspects threads to find specific ones related to Tomcat's StandardEngine and Acceptor
Dynamic Class Loading – It dynamically loads and defines a class from a Base64-encoded string
Valve Injection – It injects a custom valve into the Tomcat pipeline, which is intended to provide a backdoor or some form of unauthorized access

In dynamic class loading, the MemGodValueShell constructor contains a long Base64 encoded string in a string variable valveString, which is also the compiled Java class GodzillaValue (Figure 11). After decompiling it, we the obtained Java code which is explained below.

The class GodzillaValue extends ValveBase, indicating that it is a custom Tomcat valve. It has four fields: xc, pass, md5, and payload. The xc and pass fields are used for cryptographic operations as xc is a key which has been used in AES128, while md5 stores an MD5 hash, and payload is used to store a dynamically loaded class. GodzillaValue class stores the hardcoded xc string "3c6e0b8a9c15224a" and the pass string "pass" is likely used for authentication or encryption purposes.

For the methods, we have the following:

md5 – calculates MD5 hash
base64Encode – Base64 encode
base64Decode – Base64 decode
x – AES encryption/decryption method
Invoke – the overwritten valve class method which handles HTTP requests and responses (Figure 12)

It seems that the Invoke method is waiting for the next part of the attack payload, which will complete the cycle of the attack. But we never received this part in our honeypots, which will make this kind of shell idle until it receives the payload class. Based on this, the threat actor may be building their own botnet network.

Based on the Godzilla source code analysis in Figure 12, we can easily guess that class payload should be as the following (Figure 13):

Figure 13. Custom sample of the payload class

Based on our assumption, if we send a POST request with Accept-Language header “zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2” and the pass parameter value has the Java-compiled data of payload class encrypted with parameter xc, it should initialized the payload class. We tried this, as shown in Figure 14, and Figure 15 shows how we successfully loaded the payload object.

Figure 14. HTTP request to initialize payload class

Figure 15. Logs which show successfully loading the payload object

Now, we can try to determine if our shell works: To prepare our command, the encrypted command should be “AES128(Base64encoded(command))” and the AES key should be the xc parameter in GodzillaValue class (Figure 16).

This worked, but going back to the GodzillaValue class, we noticed that the first and last 16 characters of the result is “md5(pass+xc)”. Also, the command execution result is “AES128(base64encode(result))” encrypted with the xc key (Figure 17). Let’s revert these cryptographic operations to get our result (Figure 18).

Figure 18. Command execution result after decrypting and decoding

Vision One Hunting Queries

Hunting query if Atlassian Java executed commands:

(eventSubId:2 AND processCmd:atlassian AND parentCmd:atlassian AND parentCmd:java AND (objectName:*\\Windows\\System32\\* OR objectName:*bin/*))

Conclusion

The CVE-2023-22527 vulnerability continues to be widely exploited by a wide range of threat actors who abuse this vulnerability to perform malicious activities, making it a significant security risk to organizations worldwide. The users of Atlassian Confluence are advised to immediately patch their servers and mitigate the risks associated with this attack. Leveraging security solutions such as Trend Vision One™️ can assist organizations in safeguarding their environment from threat actors and attacks like the one described in initial stages of the attack.

Trend Vision One™ – Endpoint Security provides protection from any threats that may target this vulnerability via the following Deep Packet Inspection (DPI) rule:

1011954 - Atlassian Confluence Data Center and Server Template Injection Vulnerability (CVE-2023-22527)

TippingPoint has posted a Customer Shield Writer (CSW) file for this vulnerability that is available for customers to download on Threat Management Center (TMC). The applicable rule is as follows:

43721 - HTTP: Atlassian Confluence Data Center and Server Template Injection Vulnerability

Trend Micro Cloud One – Workload Security helps defend a variety of environments such as virtual, physical, cloud, and containers against this threat via this rule:

1011954 - Atlassian Confluence Data Center and Server Template Injection Vulnerability (CVE-2023-22527)

Trend Micro Deep Discovery Inspector customers are protected with the following rule:

DDI RULE 4990 - CVE-2023-22527 - Atlassian OGNL Injection Exploit - HTTP (Request)

Indicators of Compromise (IOC)

Hash	Detection
dfeccdc0c1d28f1afd64a7bb328754d07eead10c	TROJ_FRS.VSNTH724
2cb94ce0b147303b7beb91f034d0dc7fa734dbcb	Backdoor.JS.WEBSHELL.VSNW08H24

MITRE ATT&CK Techniques

Tactic	Technique	Technique ID
Initial Access	Exploit Public-Facing Application	T1190
Execution	Command and Scripting Interpreter: Unix Shell	T1059.004
Defense Evasion	Obfuscated Files or Information: Encrypted/Encoded File	T1027.013
	Reflective Code Loading	T1620
	Obfuscated Files or Information: Embedded Payloads	T1027.009
	Process Injection: Thread Execution Hijacking	T1055.003
	Deobfuscate/Decode Files or Information	T1140
Command and Control	Encrypted Channel: Symmetric Cryptography	T1573.001
Persistence	Server Software Component: Web Shell	T1505.003
Exfiltration	Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol	T1048.001

Silent Intrusions: Godzilla Fileless Backdoors Targeting Atlassian Confluence

Summary

Godzilla Webshell

Initial Access

Malware

Vision One Hunting Queries

Conclusion

Indicators of Compromise (IOC)

MITRE ATT&CK Techniques

Authors

Resources

Support

About Trend

Resources

Support

About Trend

The Americas

Middle East & Africa

Europe

Asia & Pacific