Unraveling the Mystery: Inside the Stealthy ‘LabRat’ Campaign

Malware & Threats Stealthy ‘LabRat’ Campaign Abuses TryCloudflare to Hide Infrastructure

Cloud security company Sysdig has reported on a newly discovered financially motivated operation called LabRat, which relies on signature-based tools and stealthy cross-platform malware to remain undetected. The campaign focuses on cryptomining and proxyjacking and exploits vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE) versions 11.9 to 13.10.3, 13.9.6, and 13.8.8. To conceal its command-and-control (C&C) infrastructure, LabRat abuses TryCloudflare, a service provided by Cloudflare, to create subdomains and redirect connections to a password-protected server. The attackers also used a Solr server and the open-source tool Global Socket (GSocket) to further obfuscate their activities.

Techniques and Tools used by LabRat

The LabRat campaign employs several techniques and tools to evade detection and carry out its operations. The attackers rely on binaries written in Go and .NET, kernel-based rootkits, and C&C tools to bypass firewalls. They exploit the CVE-2021-22205 vulnerability, which allows for unauthenticated remote code execution, to gain initial access and persistence on the compromised systems. Once inside, they kill specific processes, download additional binaries, and perform lateral movement by harvesting SSH keys. The attackers leverage TryCloudflare and the Solr server to conceal their infrastructure, and they use the Global Socket tool for persistent access to infected systems. They also exploit private GitLab repositories to host various binaries, including recently uploaded ones that have not yet been detected by antivirus services.

Russian Proxyware and Cryptomining

During its investigation, Sysdig found evidence linking the LabRat campaign to a Russian proxyware service called ProxyLite[.]ru. It also discovered XMRig binaries connecting to various mining pools, including three that were not detected as malicious. This suggests that the LabRat operation is financially motivated and engages in both proxyjacking and cryptomining activities.

The Challenges of Defense and Detection

LabRat’s use of stealthy and evasive techniques and tools poses significant challenges for defense and detection. Sysdig points out that because the campaign is financially driven, time becomes a crucial factor. The longer the compromise goes undetected, the more money the attackers make and the greater the financial cost for the victims. Therefore, organizations need to be proactive in their security measures and employ robust threat detection and response systems to minimize the impact of such campaigns.

Editorial: The Increasing Sophistication of Malware Campaigns

The LabRat campaign highlights the ever-growing sophistication of malware campaigns and the challenges they pose to cybersecurity professionals and organizations. Attackers are continuously evolving their techniques to bypass traditional security defenses and remain undetected for as long as possible. Signature-based tools and known vulnerabilities are no longer sufficient to protect against these advanced threats.

Cloud services, such as TryCloudflare, that are designed to provide security and enhance performance are being abused by attackers to hide their malicious infrastructure. This requires service providers and users to remain vigilant and constantly update their security measures to prevent abuse. Companies like Cloudflare need to be proactive in monitoring and identifying potential misuse of their services and take prompt action to remediate such issues.

Internet Security and Best Practices

Campaigns like LabRat serve as a reminder of the importance of having robust internet security measures in place. As attackers become more sophisticated, it becomes crucial for individuals and organizations to stay updated on the latest security practices and technologies to protect against evolving threats.

Keep Software and Applications Up to Date

Regularly updating software and applications is one of the most effective ways to protect against known vulnerabilities. It is crucial to apply security patches as soon as they are released by the vendors. By keeping software up to date, you can minimize the risk of falling victim to campaigns like LabRat that exploit known vulnerabilities.

Implement Multi-Layered Security Defenses

Relying on a single security solution is no longer enough to protect against advanced threats. Implementing a multi-layered security defense strategy can greatly enhance your protection. This includes using antivirus software, firewalls, intrusion detection systems, and endpoint security solutions. These layers work together to provide multiple levels of defense and ensure that even if one layer is breached, others can detect and mitigate the threat.

Invest in Employee Training and Awareness

Employees are often the weakest link in an organization’s security defenses. It is crucial to invest in training and awareness programs to educate employees about the latest threats and teach them best practices for protecting sensitive information. This includes recognizing phishing emails, avoiding downloading suspicious files, and following proper password practices.

Monitor and Analyze Network Traffic

Monitoring and analyzing network traffic can help detect and mitigate potential threats. Using tools and technologies that provide real-time visibility into network traffic, organizations can identify suspicious activity, detect malware infections, and respond promptly to mitigate the impact of an attack. Implementing robust network monitoring and analysis solutions can significantly enhance an organization’s ability to detect and respond to advanced threats.

Conclusion

The LabRat campaign serves as a stark reminder of the evolving threat landscape and the need for robust internet security measures. Attackers are continuously developing new techniques to evade detection, leveraging cloud services for malicious activities, and exploiting known vulnerabilities. To protect against these advanced threats, organizations and individuals must stay updated on the latest security practices, implement multi-layered defense strategies, and invest in employee training and awareness. By doing so, they can enhance their ability to detect and respond to threats and minimize the impact of malware campaigns like LabRat.