LABRAT: Stealthy Cryptojacking and Proxyjacking Campaign Targeting GitLab
Blog post from Sysdig
The Sysdig Threat Research Team (TRT) uncovered a sophisticated cybercriminal operation named LABRAT, which targets GitLab servers with stealthy cryptojacking and proxyjacking. Unlike typical attacks of this kind, LABRAT relies on compiled Go and .NET binaries that evaded detection, uses complex cross-platform malware, and leverages tools such as TryCloudflare to obscure its command-and-control (C2) infrastructure. The campaign exploits the GitLab vulnerability CVE-2021-22205 to gain initial access, after which the attacker installs cryptomining software and enlists the compromised systems in proxyjacking, which can consume the victims' bandwidth and damage their reputation. The attackers also employ advanced techniques such as kernel-based rootkits and Global Socket (GSocket) to maintain backdoor access and evade detection, making the threat difficult for defenders to identify and mitigate. The operation's financial motivation is clear, but the presence of backdoor access means that other malicious activities, such as data theft or ransomware, are possible. Because the attackers continually update their tools and tactics, defenders need constant vigilance and up-to-date threat detection strategies to counter and respond to such threats effectively.