AESDDoS Botnet Exploits CVE-2019-3396 to Perform RCE
Our honeypot sensors recently detected an AESDDoS botnet malware variant (detected by Trend Micro as Backdoor.Linux.AESDDOS.J) exploiting a server-side template injection vulnerability (CVE-2019-3396) in the Widget Connector macro in Atlassian Confluence Server, a collaboration software program used by DevOps professionals.
We discovered that this malware variant can perform DDoS attacks, remote code execution, and cryptocurrency mining on systems that run vulnerable versions of Confluence Server and Data Center. Atlassian has already released fixes for these issues and recommends that users upgrade to the latest version (6.15.1).
Version Family | Affected Versions | Fixed Versions
--- | --- | ---
6.6.x | 6.6.0 – 6.6.11 | 6.6.12 and later
6.12.x | 6.7.0 – 6.12.2 | 6.12.3 and later
6.13.x | 6.13.0 – 6.13.2 | 6.13.3 and later
6.14.x | 6.14.0 – 6.14.1 | 6.14.2 and later
Table 1. Affected and fixed versions of Atlassian Confluence Server and Data Center
Examining the AESDDoS Botnet Malware Variant
In our analysis, we saw that an attacker was able to exploit CVE-2019-3396 to infect machines with the AESDDoS botnet malware. A shell command was remotely executed to download and execute a malicious shell script (Trojan.SH.LODEX.J), which in turn downloaded another shell script (Trojan.SH.DOGOLOAD.J) that finally installed the AESDDoS botnet malware on the affected system.
Figure 1. Abuse of CVE-2019-3396 to infect a machine with Trojan.SH.LODEX.J. The second line shows Trojan.SH.LODEX.J being downloaded from its C&C server, while the third line shows its execution.
This AESDDoS variant is capable of launching various types of DDoS attacks, including SYN, LSYN, UDP, UDPS, and TCP flood. It also connects to 23[.]224[.]59[.]34:48080 to send and receive remote shell commands from the attacker.
Figure 2. Code snippet of the AESDDoS variant connecting to 23[.]224[.]59[.]34:48080
Figure 3. Code snippet of the AESDDoS variant executing remote shell commands
This botnet malware variant can also perform information theft on infected systems. It can retrieve a system’s Model ID and CPU description, speed, family, model, and type.
Figure 4. Code snippet showing the AESDDoS variant stealing an affected system’s CPU information
The stolen system information, as well as the command and control (C&C) data, is encrypted using the AES algorithm. This information can then be used with the AESDDoS variant's cmdshell function to load cryptocurrency miners onto affected machines.
Apart from the capabilities mentioned above, this AESDDoS variant also modifies the files /etc/rc.local and /etc/rc.d/rc.local as an autostart technique, appending the command {malware path}/{malware file name} reboot to them.
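A host-side check for the persistence artifact described above, written as an added example for this post rather than code from Trend Micro or from the malware analysis: it looks for appended "<absolute path> reboot" lines in the two rc.local files and hashes whatever binary such a line points at against the SHA-256 values listed in the IoC table of this post. The sample rc.local content and the path /tmp/.aesddos_sample are constructed placeholders.

```python
import hashlib
import re
from pathlib import Path

# SHA-256 values and detection names from the IoC table of this post.
KNOWN_BAD_SHA256 = {
    "b14d5602c8aa16e3db4518832d567a4ca5b9545ce09f9a87684d58f8b1d9daaf": "Backdoor.Linux.AESDDOS.J",
    "2e4f18e28830771414c9d0cb99c1696d202fe001d1aa41f64d2f7ce6aef7f7c4": "Trojan.SH.LODEX.J",
    "f82dc01b04dfbdab3ccaacd20449395e0175d9ab4f0732019651480358d44ac6": "Trojan.SH.DOGOLOAD.J",
}
# Files the variant appends to, and the shape of the appended line: "<path> reboot".
RC_LOCAL_FILES = ("/etc/rc.local", "/etc/rc.d/rc.local")
REBOOT_LINE = re.compile(r"^\s*(?P<path>/\S+)\s+reboot\s*$")

def find_reboot_autostart_entries(rc_local_text):
    """Return (line_no, path) for each '<absolute path> reboot' line."""
    # Lines after 'exit 0' count too: an entry that never runs still shows tampering.
    hits = []
    for n, line in enumerate(rc_local_text.splitlines(), 1):
        m = REBOOT_LINE.match(line)
        if m:
            hits.append((n, m.group("path")))
    return hits

def lookup_sha256(digest):
    """Map a hex digest to the post's detection name, or None if unlisted."""
    return KNOWN_BAD_SHA256.get(digest.lower())

def classify_file(path):
    """Hash the binary an rc.local entry points at; None if it no longer exists."""
    p = Path(path)
    if not p.is_file():
        return None
    digest = hashlib.sha256(p.read_bytes()).hexdigest()
    return lookup_sha256(digest) or "unlisted hash"

def scan_host(files=RC_LOCAL_FILES):
    """Scan the live rc.local files; returns (file, line_no, path, verdict) tuples."""
    findings = []
    for f in files:
        try:
            text = Path(f).read_text(errors="replace")
        except OSError:
            continue  # absent or unreadable: nothing to inspect
        for n, path in find_reboot_autostart_entries(text):
            findings.append((f, n, path, classify_file(path)))
    return findings

# Constructed rc.local content for the demo; the path is a made-up placeholder.
SAMPLE_RC_LOCAL = "#!/bin/sh -e\n# rc.local\nexit 0\n/tmp/.aesddos_sample reboot\n"
```

Call `find_reboot_autostart_entries(SAMPLE_RC_LOCAL)` to exercise the matcher offline, and `scan_host()` on a Linux host to inspect the real files.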
Security Recommendations
Continuous monitoring in software development should be practiced in order to flag security risks in servers, data centers, and other computing environments. Since the successful exploitation of CVE-2019-3396 in Atlassian Confluence Server can put resources at risk, enterprises should be able to identify vulnerabilities, make use of the latest threat intelligence against malware or exploits, and detect modifications to the application’s design and the underlying infrastructure that hosts it.
Risks that can be introduced through third-party components can be uncovered and addressed by implementing automated security. To do this, organizations can look into Trend Micro™ Hybrid Cloud Security, a solution that provides powerful, streamlined, and automated security within the DevOps pipeline. This solution also delivers multiple XGen™ threat defense techniques for protecting physical, virtual, and cloud workloads. In addition, it protects containers via Deep Security™ and Deep Security Smart Check, which help DevOps and security teams scan and ensure the security of container images during pre-runtime and runtime.
Indicators of Compromise (IoCs)
SHA-256 | Detection Name
--- | ---
b14d5602c8aa16e3db4518832d567a4ca5b9545ce09f9a87684d58f8b1d9daaf | Backdoor.Linux.AESDDOS.J
2e4f18e28830771414c9d0cb99c1696d202fe001d1aa41f64d2f7ce6aef7f7c4 | Trojan.SH.LODEX.J
f82dc01b04dfbdab3ccaacd20449395e0175d9ab4f0732019651480358d44ac6 | Trojan.SH.DOGOLOAD.J