Elpaco-Team Leverages Confluence Bug To Deploy Mimic Ransomware Variant


A recent intrusion outlines a multi-stage attack attributed to the ELPACO-team, culminating in the deployment of a Mimic ransomware variant. The entry point was a vulnerable Atlassian Confluence server exposed to the internet. Just 62 hours later, adversaries executed the next stage: deploying ELPACO-team ransomware, a Mimic variant, which targeted critical backup and file servers through RDP and SMB shares.

Severity Level: High

INCIDENT OVERVIEW:

  • The breach, which took place in early summer of 2024, involved the exploitation of CVE-2023-22527, a template injection vulnerability with a CVSS score of 10.0. The flaw affects older versions of Confluence Data Center and Server (8.0.x through 8.4.x, as well as 8.5.0 to 8.5.3), enabling RCE and unauthorized access.

Attack Flow

  1. Initial Access:
    • The infection chain started with the exploitation of CVE-2023-22527 on a Confluence server. Network traffic analysis showed the technique used, with attackers initially issuing a “whoami” command to test access before delivering more harmful payloads.
  2. Execution & Persistence:
    • Once inside, adversaries repeatedly executed a set of actions, such as deploying Metasploit payloads, establishing C2 connections, and installing AnyDesk to maintain persistent access.
    • Following this, the attacker used automation scripts to enable Remote Desktop Protocol (RDP), create privileged user accounts, and set access credentials, notably with the password “P@ssword1”.
  3. Privilege Escalation:
    • They then escalated privileges, extracted credentials using tools like Mimikatz, enabled RDP access, and moved laterally across the network. To obtain SYSTEM privileges, they duplicated a token from the RPCSS service.
    • At the final stages of the attack chain, attackers deployed ELPACO-team ransomware, a known variant of Mimic ransomware. Although the attackers deleted certain event logs, there was no evidence of significant data exfiltration during the attack.
  4. Credential Access:
    • Dumped credentials via Mimikatz and secretsdump.py
  5. Lateral Movement:
    • Using compromised domain administrator credentials, they performed lateral movement via wmiexec.exe, created new domain users (e.g., “NONAME”), and executed remote shell commands on domain controllers.
  6. Command & Control:
    • A Metasploit Meterpreter payload delivered from 91.191.209[.]46 established the command-and-control channel.
    • A key detail of the campaign was the reuse of a single IP address (45.227.254[.]124) for both scanning for vulnerabilities and later serving as a self-hosted AnyDesk server, pointing to a deliberately prepared malicious infrastructure.

Affected Regions

  • While the report does not specify geographic targeting, the tactics and tools used—especially targeting publicly accessible Confluence servers—suggest a global threat scope. Organizations in any region operating unpatched Confluence instances on internet-facing infrastructure are at risk. The use of AnyDesk and common vulnerabilities also points to opportunistic targeting rather than specific geopolitical motives.

Affected Sectors

This attack primarily targets organizations that maintain unpatched Confluence instances, which are common across multiple sectors. Based on the infrastructure and technology stack involved, the most at-risk sectors include:

  • Information Technology Services – often rely on Atlassian tools internally and for client operations.
  • Government Agencies – which may use Confluence for internal documentation and collaboration.
  • Higher Education and Research Institutions – frequently deploy open-source and self-hosted platforms.
  • Healthcare Providers – with constrained patching cycles and complex IT environments.
  • Small and Medium Businesses (SMBs) and large Enterprises alike, particularly those lacking robust patch management or EDR coverage.

Recommendations:

  1. Restrict RDP and remote tool access (e.g., AnyDesk) via firewall and EDR.
  2. Enforce MFA for privileged accounts.
  3. Monitor for unexpected admin account creation or RDP configuration changes.
  4. Immediately patch Confluence servers for CVE-2023-22527.
  5. Address known print spooler vulnerabilities (CVE-2021-34527).
  6. Watch for creation of files like MIMIC_LOG.txt and DLL drops in Temp.
  7. Correlate logs for process access to lsass.exe and use of tools like Mimikatz.
  8. Validate backup integrity and ensure ransomware restoration readiness.
  9. Block the IOCs at their respective controls. https://www.virustotal.com/gui/collection/fa26f685e1081eb56b76d824ea0c492ac40269236137ffb677af674c8d80999c/iocs
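The monitoring items above (new accounts paired with RDP being enabled, access to lsass.exe, MIMIC_LOG.txt and DLL drops in Temp) can be expressed as simple correlation rules. The following is an added example, not part of the original advisory or the underlying report; it runs over constructed JSON log lines whose field names are assumptions loosely modelled on Windows Security (event 4720) and Sysmon (events 10, 11, 13) data, and the lsass allow-list is likewise assumed.

```python
import json
from datetime import datetime, timedelta

# Constructed sample log lines (JSON, loosely modelled on Windows Security and Sysmon
# event fields). They are illustrative only and do not come from the report.
SAMPLE_LOG = r"""
{"ts":"2024-06-01T09:00:00","id":11,"host":"WS07","target_file":"C:\\Windows\\Temp\\update.log"}
{"ts":"2024-06-01T10:00:00","id":4720,"host":"DC01","new_user":"NONAME","actor":"Administrator"}
{"ts":"2024-06-01T10:01:30","id":13,"host":"DC01","target":"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections","value":"DWORD (0x00000000)"}
{"ts":"2024-06-01T10:05:00","id":10,"host":"DC01","source_image":"C:\\Users\\Public\\mk.exe","target_image":"C:\\Windows\\system32\\lsass.exe"}
{"ts":"2024-06-01T10:20:00","id":11,"host":"FS01","target_file":"C:\\Windows\\Temp\\MIMIC_LOG.txt"}
{"ts":"2024-06-01T10:21:00","id":11,"host":"FS01","target_file":"C:\\Windows\\Temp\\7za.dll"}
"""

# Assumed allow-list of processes legitimately expected to open lsass.exe; tune per environment.
LSASS_ALLOW = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}

def parse_events(text):
    """Parse JSON lines into dicts with a real timestamp, ordered by time."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def detect(events, window=timedelta(minutes=15)):
    """Return (rule, host, detail) tuples for the behaviours the advisory asks defenders to watch."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["id"] == 4720:  # new account: pair it with RDP being enabled on the same host shortly after
            for later in events[i + 1:]:
                if later["ts"] - ev["ts"] > window:
                    break
                if (later["id"] == 13 and later["host"] == ev["host"]
                        and later["target"].lower().endswith("fdenytsconnections")
                        and later["value"].endswith("0x00000000)")):  # fDenyTSConnections = 0 enables RDP
                    alerts.append(("new_user_then_rdp_enabled", ev["host"], ev["new_user"]))
        elif ev["id"] == 10 and ev["target_image"].lower().endswith(r"\lsass.exe"):
            if ev["source_image"].lower() not in LSASS_ALLOW:  # credential-dumping style access
                alerts.append(("lsass_access", ev["host"], ev["source_image"]))
        elif ev["id"] == 11:
            path = ev["target_file"].lower()
            if path.endswith(r"\mimic_log.txt"):  # Mimic ransomware artifact named in the advisory
                alerts.append(("mimic_log_created", ev["host"], ev["target_file"]))
            elif "\\temp\\" in path and path.endswith(".dll"):  # DLL dropped into a Temp directory
                alerts.append(("dll_dropped_in_temp", ev["host"], ev["target_file"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

The benign `update.log` write produces no alert, while the four suspicious events each yield one, in time order.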

Source:

  • https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/
