Security News > 2023 > August > New LABRAT Campaign Exploits GitLab Flaw for Cryptojacking and Proxyjacking Activities

A new, financially motivated operation dubbed LABRAT has been observed weaponizing a now-patched critical flaw in GitLab as part of a cryptojacking and proxyjacking campaign.

Proxyjacking allows the attacker to rent the compromised host out to a proxy network, making it possible to monetize the unused bandwidth.

"During the LABRAT operation, TryCloudflare was used to redirect connections to a password-protected web server that hosted a malicious shell script," Miguel Hernández said.

In a second variant of the attack, the adversary is said to have used a Solr server instead of TryCloudflare to download an exploit for the PwnKit from the same GitLab repository to elevate privileges, along with another file that's no longer accessible.

Some of the payloads retrieved by the dropper script include an open-source utility known as Global Socket for remote access and binaries to conduct cryptojacking and proxyjacking via known services such as IPRoyal and ProxyLite.

"The longer a compromise goes undetected, the more money the attacker makes and the more it will cost the victim."

News URL

https://thehackernews.com/2023/08/new-labrat-campaign-exploits-gitlab.html