Proxyjacking and Cryptomining Campaign Targets GitLab


Security researchers have discovered a new financially motivated cyber-threat campaign designed to make money from cryptomining and proxyjacking while staying hidden using a variety of techniques.

The Labrat campaign was discovered by a team at Sysdig, who observed the threat actors compromise a targeted container via the legacy GitLab remote code execution vulnerability CVE-2021-22205.

The end goal is to make money through cryptomining and proxyjacking, the latter being an attack in which threat actors rent out a compromised system to a proxy network.

To maintain this revenue stream, the threat group is going to extreme lengths to stay hidden from researchers and network defenders, Sysdig claimed.

“It is common to see attackers utilize scripts as their malware because they are simpler to create. However, this attacker chose to use undetected compiled binaries, written in Go and .NET, which allowed the attacker to hide more effectively,” the security vendor explained.

“Furthermore, the attacker abused a legitimate service, TryCloudFlare, to obfuscate their C2 network.”


Moreover, the attackers are constantly updating their binaries in order to avoid detection, Sysdig claimed.

To maintain persistence, the Labrat attackers use a legitimate open-source tool known as Global Socket (GSocket).

“Much like Netcat, GSocket has legitimate uses, but of course it can also be used by attackers,” Sysdig wrote.

“Unlike Netcat, GSocket provides features such as a custom relay or proxy network, encryption, and the ability to use TOR, making it a very capable tool for stealthy C2 communications. To remove evidence of its installation, the LABRAT attacker tried to hide the process.”
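One way a defender might sweep for the two stealth techniques described above (TryCloudflare tunnels used to obscure C2, and GSocket used for persistence with its process hidden), as an added example that is not Sysdig's code or the campaign's tooling: a Python triage script run over constructed sample DNS and process telemetry. The log line formats, the match on the trycloudflare.com domain, the list of Global Socket command names and the comm/exe mismatch heuristic are all assumptions of this example rather than details from the article.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample telemetry for this example (not from the Sysdig report).
# Line formats are an assumption: "<timestamp> <host> <qtype> <qname>" for DNS
# and "<host> pid=<n> comm=<name> exe=<path>" for the process snapshot.
SAMPLE_DNS_LOG = """\
2023-08-17T10:02:11Z host-a A cdn.example.com
2023-08-17T10:02:13Z host-a A quick-tunnel-words.trycloudflare.com
2023-08-17T10:02:20Z host-b A updates.example.org
2023-08-17T10:03:01Z host-b A trycloudflare.com.evil.example
"""

SAMPLE_PROCESS_LIST = """\
host-a pid=812 comm=sshd exe=/usr/sbin/sshd
host-a pid=4132 comm=kworker/0:1 exe=/tmp/.cache/gs-netcat
host-b pid=2201 comm=gs-netcat exe=/opt/tools/gs-netcat
host-b pid=2202 comm=nginx exe=/usr/sbin/nginx
"""

# Quick tunnels created through TryCloudflare are served under trycloudflare.com;
# anchoring at the end of the name avoids matching look-alike domains.
TRYCLOUDFLARE_RE = re.compile(r"(?:^|\.)trycloudflare\.com$", re.IGNORECASE)

# Assumption: command names shipped by the open-source Global Socket project.
GSOCKET_BINARIES = {"gs-netcat", "gs-sftp", "gs-mount", "gsocket"}

# Linux truncates a process's comm name to 15 characters, so compare prefixes.
COMM_MAX = 15


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def check_dns(lines: Iterable[str]) -> List[Finding]:
    """Flag hosts resolving TryCloudflare tunnel hostnames."""
    findings: List[Finding] = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the sweep
        _ts, host, _qtype, qname = parts
        if TRYCLOUDFLARE_RE.search(qname.rstrip(".")):
            findings.append(Finding(host, "trycloudflare_tunnel_dns", qname))
    return findings


def check_processes(lines: Iterable[str]) -> List[Finding]:
    """Flag GSocket binaries and processes whose comm name hides their on-disk image."""
    findings: List[Finding] = []
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        host = parts[0]
        fields = dict(kv.split("=", 1) for kv in parts[1:] if "=" in kv)
        exe, comm = fields.get("exe", ""), fields.get("comm", "")
        image = exe.rsplit("/", 1)[-1]
        if image in GSOCKET_BINARIES:
            findings.append(Finding(host, "gsocket_binary", exe))
        # A comm name that does not match the executable on disk is a common
        # sign of a process trying to blend in (here, posing as a kernel thread).
        if image and comm and comm != image[:COMM_MAX]:
            findings.append(Finding(host, "process_name_mismatch", f"{comm} -> {exe}"))
    return findings


def triage(dns_log: str, process_list: str) -> List[Finding]:
    """Run both checks over raw text and return findings ordered by host and rule."""
    findings = check_dns(dns_log.splitlines()) + check_processes(process_list.splitlines())
    return sorted(findings, key=lambda f: (f.host, f.rule))


if __name__ == "__main__":
    for f in triage(SAMPLE_DNS_LOG, SAMPLE_PROCESS_LIST):
        print(f"{f.host:8} {f.rule:26} {f.detail}")
```

On the sample data the script reports host-a for all three rules (a GSocket binary running under a kernel-thread name and a tunnel lookup) and host-b only for the GSocket binary; the look-alike domain on host-b is not flagged because the match is anchored to the end of the name. In a real environment the same checks would be fed from DNS resolver logs and an EDR or `ps` export rather than the inline strings.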

The campaign is ongoing and may even be designed to go beyond proxyjacking and cryptomining, given that the backdoor used provides access to compromised systems, the research team concluded.

“Users impacted by CVE-2021-22205 should follow their organization's security incident and disaster recovery processes to deprovision the compromised instance and restore the latest good working backup to a new GitLab instance,” noted a GitLab statement sent to Infosecurity.

“The vulnerability has been patched since 2021 and the impact is on customers who remain on vulnerable versions. We issued a blog post regarding the vulnerability and a forum post about how users can determine if they have been impacted.”
