Godzilla Fileless Backdoor Exploits CVE-2023-22527 in Atlassian Confluence

The Godzilla webshell, a Chinese-language malware, leverages AES encryption to evade detection and remains memory-resident, making it particularly challenging for legacy anti-virus solutions to detect.

The original image was generated by OpenAI's DALL-E and edited by the author. Source: OpenAI (September 2024)

Introduction

On August 30, 2024, Trend Micro researchers identified a sophisticated in-memory fileless backdoor, Godzilla, exploiting CVE-2023-22527, a critical Atlassian vulnerability affecting older versions of the Confluence Data Center and Server products.

Report Overview

CVE-2023-22527 is a critical vulnerability with a Common Vulnerability Scoring System (CVSS) score of 10, the maximum severity rating. This flaw allows unauthenticated attackers to perform remote code execution (RCE) by exploiting a template injection vulnerability in older Confluence Data Center and Server versions. Despite the release of patches, many organizations continue to run unpatched instances, leaving them susceptible to attack.

The Godzilla backdoor is designed to remain in memory, avoiding traditional disk-based detection methods. The attack begins by exploiting the CVE-2023-22527 vulnerability, where an OGNL (Object-Graph Navigation Language) injection is used to introduce malicious code into the vulnerable Confluence server. The payload is a loader that, once executed, loads the Godzilla webshell into memory. This sophisticated webshell uses AES encryption for communication, allowing it to operate covertly within the compromised environment.
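As an added defender-side example (not code from the Trend Micro report or from this article), the following Python scans constructed Confluence access-log lines for URL-encoded and double-encoded OGNL expression markers of the kind used in the template-injection stage described above. The log entries and request paths are constructed placeholders, not the real vulnerable endpoint.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format (not real traffic).
# The request paths are placeholders, not the actual vulnerable Confluence endpoint.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Aug/2024:10:01:12 +0000] "GET /login.action HTTP/1.1" 200 5120
10.0.0.9 - - [30/Aug/2024:10:01:30 +0000] "POST /example/endpoint?label=%24%7B1%2B1%7D HTTP/1.1" 200 212
10.0.0.9 - - [30/Aug/2024:10:01:31 +0000] "POST /example/endpoint?label=%2524%257B1%252B1%257D HTTP/1.1" 200 212
10.0.0.7 - - [30/Aug/2024:10:02:00 +0000] "GET /rest/api/content?title=Release%20Notes HTTP/1.1" 200 880
"""

# Client address and the quoted request line of a Common Log Format entry.
LOG_RE = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

# Expression openers used by OGNL/Velocity template injection; a legitimate
# Confluence request target should not contain these once fully URL-decoded.
OGNL_MARKERS = ("${", "#{", "%{")

def fully_decode(value, max_rounds=3):
    """URL-decode until stable; returns (decoded, rounds) so double encoding is visible."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def scan_line(line):
    """Return a finding dict if the request target carries an OGNL marker, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target, rounds = fully_decode(m.group("target"))
    markers = [mk for mk in OGNL_MARKERS if mk in target]
    if not markers:
        return None
    return {"client": m.group("client"), "method": m.group("method"),
            "target": target, "markers": markers, "decode_rounds": rounds}

def scan_log(text):
    """Scan every line of an access log and collect findings."""
    return [f for f in map(scan_line, text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A `decode_rounds` value above 1 means the marker only appeared after repeated decoding, which is itself worth alerting on, since ordinary clients do not double-encode query parameters.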

Upon closer analysis, researchers found that the Godzilla webshell employs reflection to interact with the server's internal components, making it difficult to detect and remove. The attack involves multiple stages, including the dynamic loading of a Base64-encoded class, MemGodValueShell, which serves as a backdoor within the Tomcat server. The backdoor's methods allow it to inject a custom valve into the server's pipeline, providing unauthorized access to the attacker.

The consequences of this attack are far-reaching. Organizations running vulnerable versions of Confluence face the risk of complete server compromise, unauthorized data exfiltration, and potential inclusion in a botnet. Fileless techniques make detection and remediation challenging, especially for organizations relying on outdated security solutions. Given the critical nature of the vulnerability and the sophistication of the Godzilla backdoor, affected organizations must take immediate action to secure their environments.

Insights and Analysis

Trend Micro's analysis highlights the growing threat posed by fileless malware. It underscores the need for organizations to adopt advanced security measures beyond traditional anti-virus solutions. The researchers emphasized the importance of regularly patching systems and employing solutions to detect in-memory threats.

To protect against this threat, organizations using Atlassian Confluence must immediately apply the patches provided by Atlassian. Additionally, implementing advanced security solutions that can detect fileless malware and in-memory attacks is crucial. Regularly updating security tools and conducting thorough security audits can also help mitigate the risk of such sophisticated attacks.

The exploitation of CVE-2023-22527 by the Godzilla fileless backdoor represents a significant threat to organizations worldwide. The combination of advanced evasion techniques and in-memory execution makes this attack particularly dangerous. Organizations are urged to patch their systems, update security measures, and remain vigilant against evolving threats.

Indicators of Compromise (IOC)

Indicator | Type | Description
dfeccdc0c1d28f1afd64a7bb328754d07eead10c | Hash (SHA-1) | Associated with TROJ_FRS.VSNTH724
2cb94ce0b147303b7beb91f034d0dc7fa734dbcb | Hash (SHA-1) | Associated with Backdoor.JS.WEBSHELL.VSNW08H24

MITRE ATT&CK Techniques

Tactic | Technique | ID | Description
Initial Access | Exploit Public-Facing Application | T1190 | Exploitation of CVE-2023-22527 to gain access to vulnerable Atlassian Confluence instances
Execution | Command and Scripting Interpreter: Unix Shell | T1059.004 | Use of OGNL injection to execute commands on the compromised server
Defense Evasion | Obfuscated Files or Information: Encrypted/Encoded File | T1027.013 | Use of AES encryption to obfuscate communication and evade detection
Persistence | Server Software Component: Web Shell | T1505.003 | Installation of the Godzilla webshell for persistent access

References

Trend Micro Research. "Silent Intrusions: Godzilla Fileless Backdoors Targeting Atlassian Confluence." 2024.