{
  "name": "Silent Intrusions: Godzilla Fileless Backdoors Targeting Atlassian Confluence",
  "slug": "silent-intrusions-godzilla-fileless-backdoors-targeting-atlassian-confluence",
  "description": "Trend Micro researchers have identified a new attack vector exploiting CVE-2023-22527 in older versions of Atlassian Confluence Data Center and Server. The attack deploys an in-memory fileless backdoor known as the Godzilla webshell, which uses AES encryption for communication and remains memory-resident to evade disk-based detection. The vulnerability allows unauthenticated attackers to perform remote code execution. The attack chain involves exploiting the vulnerability, loading a loader into the victim server, and activating the Godzilla webshell. This sophisticated Chinese-language backdoor poses significant challenges for legacy anti-virus solutions, highlighting the importance of regular server patching and advanced security measures.",
  "published": "2024-09-02T14:06:14+00:00",
  "created_at": "2024-09-02T14:06:14+00:00",
  "modified_at": "2024-09-02T14:20:55+00:00",
  "created_at_opencti": "2024-09-02T14:06:14+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-09-02",
    "CVE-2023-22527",
    "aes encryption",
    "atlassian confluence",
    "fileless backdoor",
    "godzilla",
    "in-memory",
    "remote code execution"
  ],
  "related_entities": {
    "malware": [
      {
        "id": "ee23bef2-3d59-4acb-834a-d0b0bcb30efc",
        "name": "Godzilla",
        "slug": "godzilla"
      }
    ],
    "attack_patterns": [
      {
        "id": "df616696-8f5b-4044-b5d2-bc727396ba02",
        "name": "T1048.001"
      },
      {
        "id": "beaa4978-0309-438b-a45e-ec566b643811",
        "name": "T1505.003"
      },
      {
        "id": "04005df7-339e-4252-906b-09f91499bd52",
        "name": "T1055.003"
      },
      {
        "id": "14660ccf-ca6b-42f6-8bca-e1b7a04650b3",
        "name": "T1573.001"
      },
      {
        "id": "2e0c6db7-16a7-4bf6-992e-263474014fce",
        "name": "T1059.004"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2023-22527"
      }
    ]
  },
  "external_refs": [
    "https://www.trendmicro.com/en_us/research/24/h/godzilla-fileless-backdoors.html",
    "https://otx.alienvault.com/pulse/66d5e276e194d3c109dbe575"
  ]
}