FortiGuard Labs Threat Research

Recent Attack Uses Vulnerability on Confluence Server

By Cara Lin | October 21, 2021

FortiGuard Labs Threat Research Report

Affected platforms: Atlassian Confluence
Impacted parties: Organizations running unpatched Confluence Server or Data Center instances
Impact: An OGNL injection vulnerability allows an unauthenticated attacker to execute arbitrary code on the server
Severity level: Critical

Introduction to CVE-2021-26084

In August 2021, Atlassian published a security advisory for CVE-2021-26084, a vulnerability that could allow a threat actor to run arbitrary code on unpatched Confluence Server and Data Center instances. FortiGuard Labs analyzed the situation and published a Threat Signal with the relevant information. After the advisory was released, mass scanning began and proof-of-concept exploit code appeared publicly; we also collected a large volume of attack traffic. In this blog we analyze the payloads that leverage this vulnerability, dive into each attack, and summarize the IOCs for the suspicious activity that may indicate a network was affected by CVE-2021-26084.

Overview of CVE-2021-26084 Incidents

In September, we observed numerous threat actors targeting this vulnerability with the goal of downloading a malicious payload that installs a backdoor or cryptocurrency miner in the victim's network. The threats include cryptojacking, the Setag backdoor, a fileless attack that uses PowerShell to obtain a shell without dropping a file to disk, and the Muhstik botnet; we elaborate on each of them in this analysis.

Although the attack vectors differ, all of these attacks target the parameter “queryString”, as shown in the following packet capture:

Fileless attack leveraging CVE-2021-26084
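Because every observed variant abuses the same parameter, a simple request-level check catches all four families at once. The following is an added example written for this post (not FortiGuard code): it parses the URL and form body of a Confluence request, strips one or more layers of percent-encoding, and flags a queryString value that carries OGNL injection tokens. The marker list and the three sample requests are constructed for the example; the endpoint paths are illustrative.

```python
"""Flag Confluence requests whose ``queryString`` parameter carries OGNL injection
markers associated with CVE-2021-26084.  Added example written for this post, not
FortiGuard code; the marker list and the sample requests are constructed."""
import re
from urllib.parse import parse_qsl, unquote

# Expression-language tokens that do not belong in a legitimate query string.
# The list is an assumption for this example; extend it from your own samples.
OGNL_MARKERS = (
    r"\\u0027",              # escaped single quote used to break out of the string
    r"\\u0022",              # escaped double quote
    r"#\{",                  # OGNL expression start
    r"Class\.forName",
    r"ScriptEngineManager",
    r"java\.lang\.Runtime",
    r"getRuntime\(",
    r"ProcessBuilder",
    r"#_memberAccess",
)
_MARKER_RE = re.compile("|".join(OGNL_MARKERS), re.IGNORECASE)


def fully_unquote(value: str, rounds: int = 3) -> str:
    """Undo up to ``rounds`` layers of percent-encoding (attackers double-encode)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def ognl_markers_in(value: str) -> list:
    """Return the distinct marker strings found in a (decoded) parameter value."""
    return sorted({m.group(0) for m in _MARKER_RE.finditer(fully_unquote(value))})


def inspect_request(method: str, target: str, body: str = "") -> dict:
    """Check every ``queryString`` parameter in the URL and the form body.

    Returns ``suspicious`` plus the markers hit so the caller can log or block.
    Other parameters are ignored on purpose: all attacks observed in the post
    targeted ``queryString``."""
    path, _, query = target.partition("?")
    params = parse_qsl(query, keep_blank_values=True)
    if method.upper() == "POST" and body:
        params += parse_qsl(body, keep_blank_values=True)
    hits = []
    for name, value in params:
        if fully_unquote(name) == "queryString":
            hits.extend(ognl_markers_in(value))
    return {"path": path, "suspicious": bool(hits), "markers": sorted(set(hits))}


# Constructed sample traffic: one legitimate search, one plain exploit attempt,
# and one with the quote escape double-encoded to slip past naive matching.
SAMPLE_REQUESTS = [
    ("GET", "/dosearchsite.action?queryString=confluence+upgrade+notes", ""),
    ("POST", "/pages/doenterpagevariables.action",
     "queryString=%5Cu0027%2B%7BClass.forName%28%5Cu0027javax.script.ScriptEngineManager"
     "%5Cu0027%29.newInstance%28%29%7D%2B%5Cu0027"),
    ("POST", "/pages/doenterpagevariables.action",
     "queryString=%255Cu0027%252B%257B%2540java.lang.Runtime%2540getRuntime%2528%2529%257D"),
]


def triage(requests=SAMPLE_REQUESTS) -> list:
    """Run the check over a batch and return only the suspicious entries."""
    return [r for r in (inspect_request(*req) for req in requests) if r["suspicious"]]


if __name__ == "__main__":
    for hit in triage():
        print(hit)
```

The third sample shows why the decoder loops: a single round of URL decoding leaves `%5Cu0027` in place and the marker never matches. In production this belongs in a WAF rule or a reverse-proxy filter rather than a script, but the matching logic is the same.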


Cryptojacking

After exploiting CVE-2021-26084, the attack downloads a shell script from 86.105.195[.]120. The script deploys a crypto miner and carries out the following tasks:

  1. Delete syslog
  2. Modify commonly used system commands
  3. Stop Aliyun services and AppArmor
  4. Set the path for the miner executable (zzh) and for a renamed copy of itself
  5. Kill all other miner processes
  6. Use crontab to establish persistence
  7. Fetch the scanning shell script
  8. Clean up its traces
Payload Exploits CVE-2021-26084

The scanning shell script tries to download a scanning tool such as Masscan or Pnscan, which surveys IPv4 TCP ranges to discover live hosts for further spreading. The downloader path is shown below. It also downloads a script that defines the specific steps of the scan: first it fetches the login brute-force tool hxx (md5: f0551696774f66ad3485445d9e3f7214) and the account/password list ps (md5: a43ad8a740081f0b5a89e219fe8475a3), then it scans the private network subnets. This lets the malware log in to more devices on the victim's intranet and spread the miner script.

Downloader path in the scanning shell script

Scanning steps in the downloaded scan script

The entire workflow can be seen below.

Confluence server


Setag Backdoor

The following exploit traffic was observed from an IP address in AS 3164 (Astimp IT Solution SRL). Setag, also known as BillGates or Ganiw, is a well-known malware family that targets servers through 1-day vulnerabilities (flaws exploited shortly after a patch is released). It mainly conducts DDoS attacks using UDP, SYN, ICMP and DNS floods, but it also supports various commands to report its own status or control the victim. The commands for DoS attacks and victim control can be seen in the following raw data:


Fileless Attack

The observed packet came from an IP address in AS 209588 (Flyservers S.A.), and the main payload is base64-encoded. The decoded data is as follows:

First layer decoded data

We can see that the payload is constructed and executed via PowerShell. The final stage sets “WindowStyle” to Hidden and “CreateNoWindow” to True to keep itself out of sight. We decoded the embedded data, replacing the {0} and {1} placeholders with “=” and “P”, which yields the second-layer payload:

Second layer payload data

It defines two functions and one variable, $sG, that holds the main payload. After converting the contents of $sG to bytes, it calls VirtualAlloc to reserve a region of memory and then uses CreateThread to run the malicious code from it. So what exactly is $sG? After base64-decoding it we get about 570 bytes of binary data, shown below:

570 bytes binary data
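The decoding chain above (substitute the format placeholders, base64-decode to the second layer, then pull the $sG blob out) is worth automating, because the same loader shape recurs with different payloads. The following is an added example written for this post, not the attacker's script or FortiGuard tooling: it emulates PowerShell's -f operator, decodes the base64 (detecting UTF-16LE, PowerShell's "Unicode"), and carves the byte array handed to VirtualAlloc/CreateThread. The two loader strings and the payload bytes are constructed stand-ins; the $vA/$cT delegates are assumed to be defined earlier in a real loader.

```python
"""Peel a PowerShell loader that hides its next stage behind the -f format
operator and base64, then carve the byte array it feeds to VirtualAlloc and
CreateThread.  Added example written for this post; the loader text and the
payload bytes below are constructed stand-ins, not the attacker's sample."""
import base64
import re

# Constructed stand-in for the $sG blob (a few bytes, NOT real shellcode).
PAYLOAD = bytes.fromhex("fce88f0000006031d289e5")

# Second layer: a loader shaped like the one described in the post ($vA and $cT
# are assumed to be VirtualAlloc/CreateThread delegates defined earlier).
LAYER2 = (
    "[Byte[]]$sG = [System.Convert]::FromBase64String('{b64}');"
    "$mem = $vA.Invoke([IntPtr]::Zero, $sG.Length, 0x3000, 0x40);"
    "[System.Runtime.InteropServices.Marshal]::Copy($sG, 0, $mem, $sG.Length);"
    "$cT.Invoke([IntPtr]::Zero, 0, $mem, [IntPtr]::Zero, 0, [IntPtr]::Zero)"
).format(b64=base64.b64encode(PAYLOAD).decode())

# First layer: LAYER2 as UTF-16LE base64, with every '=' and 'P' pulled out into
# -f arguments so the blob no longer looks like base64 to a naive scanner.
_L2_B64 = base64.b64encode(LAYER2.encode("utf-16-le")).decode()
LAYER1 = (
    '$c = ("' + _L2_B64.replace("=", "{0}").replace("P", "{1}") + '" -f "=", "P");'
    "$d = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($c));"
    "IEX $d"
)

_FMT_RE = re.compile(r'\(\s*"([^"]*)"\s+-f\s+((?:"[^"]*"|\'[^\']*\')(?:\s*,\s*(?:"[^"]*"|\'[^\']*\'))*)\s*\)')
_ARG_RE = re.compile(r'"([^"]*)"|\'([^\']*)\'')
_B64_ARG_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def apply_format(template: str, args) -> str:
    """Emulate .NET String.Format as used by PowerShell's -f for {n} placeholders,
    honouring the {{ and }} escapes."""
    text = template.replace("{{", "\x00").replace("}}", "\x01")
    text = re.sub(r"\{(\d+)\}", lambda m: str(args[int(m.group(1))]), text)
    return text.replace("\x00", "{").replace("\x01", "}")


def peel_format_layer(script: str) -> str:
    """Find the first ("..." -f a, b, ...) expression and return the formatted string."""
    m = _FMT_RE.search(script)
    if m is None:
        raise ValueError("no -f format expression found")
    args = [dq or sq for dq, sq in _ARG_RE.findall(m.group(2))]
    return apply_format(m.group(1), args)


def b64_to_text(blob: str) -> str:
    """Decode base64 and pick the text encoding: PowerShell's Unicode is UTF-16LE,
    which for ASCII content shows up as a zero in every odd byte position."""
    raw = base64.b64decode(blob)
    if raw and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")


def carve_bytes(loader: str) -> bytes:
    """Return the decoded FromBase64String('...') literal, i.e. the $sG payload."""
    m = _B64_ARG_RE.search(loader)
    return base64.b64decode(m.group(1)) if m else b""


def unwrap(layer1: str):
    """Layer 1 -> layer 2 text -> raw payload bytes."""
    layer2 = b64_to_text(peel_format_layer(layer1))
    return layer2, carve_bytes(layer2)


if __name__ == "__main__":
    stage2, blob = unwrap(LAYER1)
    print(stage2)
    print(len(blob), "bytes:", blob.hex())
```

The carved bytes are what you would hand to a disassembler or an emulator next; on the real sample that step produced the 570-byte blob shown above.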

To dig deeper we load the binary in IDA. Following the first call into loc_D6, the code pushes the string “ws2_32” onto the stack and executes mov edx, 726774Ch; 0x0726774C is the API hash that Metasploit's block_api resolver uses for kernel32.dll!LoadLibraryA, as the following code shows:

The hash value of LoadLibrary function
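Shellcode of this kind never names its imports; it walks the PEB and compares a ROR-13 hash of each module and export name against constants like 0x0726774C. The following is an added example written for this post (not code from the sample or from FortiGuard): it reimplements that hash so an analyst can confirm what a constant resolves to, and rebuilds the string left on the stack by a run of push instructions. The candidate API list is an assumption sized for a reverse_tcp stager, and the two push immediates in the usage section are taken from the well-known stager layout rather than from the captured binary.

```python
"""Recompute the API hashes that Metasploit-style shellcode (block_api) uses
instead of import names, and resolve a hash seen in a disassembly back to a
module/function pair.  Added example written for this post; the candidate API
list is an assumption chosen to cover a reverse_tcp stager."""
import struct


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by ``bits``."""
    value &= 0xFFFFFFFF
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF


def block_api_hash(module: str, function: str, bits: int = 13) -> int:
    """Hash exactly the way the resolver stub walks the PEB:
    - module name as upper-cased UTF-16LE *including* the terminating wide NUL
      (the stub loops over BaseDllName.MaximumLength bytes),
    - export name as ASCII including its terminating NUL,
    - per byte: h = ror13(h) + byte; result = module hash + function hash mod 2**32."""
    h_mod = 0
    for b in (module.upper() + "\x00").encode("utf-16-le"):
        h_mod = (ror32(h_mod, bits) + b) & 0xFFFFFFFF
    h_fun = 0
    for b in (function + "\x00").encode("ascii"):
        h_fun = (ror32(h_fun, bits) + b) & 0xFFFFFFFF
    return (h_mod + h_fun) & 0xFFFFFFFF


# APIs a reverse_tcp stager needs (assumed list); extend with the exports you expect.
CANDIDATE_APIS = {
    "kernel32.dll": ["LoadLibraryA", "ExitProcess", "ExitThread", "VirtualAlloc",
                     "CreateThread", "WaitForSingleObject", "GetVersion"],
    "ws2_32.dll": ["WSAStartup", "WSASocketA", "connect", "recv", "send", "closesocket"],
}


def build_hash_table(candidates=CANDIDATE_APIS) -> dict:
    """Map hash -> 'module!function' for every candidate, for reverse lookup."""
    return {block_api_hash(mod, fn): f"{mod}!{fn}"
            for mod, fns in candidates.items() for fn in fns}


def resolve_hash(value: int, table=None) -> str:
    """Name the API behind a hash constant, or 'unknown' if it is not in the table."""
    table = table or build_hash_table()
    return table.get(value & 0xFFFFFFFF, "unknown")


def pushed_string(immediates) -> str:
    """Rebuild the ASCII string that a run of 'push imm32' instructions leaves
    on the stack.  The pushes are given in execution order; the stack holds the
    dwords in reverse push order, each little-endian."""
    raw = b"".join(struct.pack("<I", imm) for imm in reversed(immediates))
    return raw.split(b"\x00", 1)[0].decode("ascii")


if __name__ == "__main__":
    # The constant from the disassembly discussed above.
    print(hex(block_api_hash("kernel32.dll", "LoadLibraryA")), resolve_hash(0x0726774C))
    # The two dwords a reverse_tcp stager pushes before calling LoadLibraryA
    # (constructed from the well-known stager layout, not lifted from the sample).
    print(pushed_string([0x00003233, 0x5F327377]))
```

The two NUL terminators matter: leaving either one out changes the result, which is the usual reason a home-grown hasher disagrees with the constants in a stager. Dropping the remaining hash constants from the 570-byte blob into resolve_hash gives the stager's full import list without running it.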

It is a Meterpreter reverse-shell shellcode that connects back to the exploit source 141.98.83[.]139 on TCP port 23733. Since that port is now closed, we only managed to capture the following packets. The entire attack chain used only PowerShell to decode the payload layer by layer, hid its console window, and finally created a thread to launch the reverse shell. Not a single file is dropped during the attack, which is why it is known as a fileless attack.


Muhstik Botnet

By exploiting CVE-2021-26084, the attacker downloads conf2 from 149.28.85[.]17. That file deploys and executes dk86 from 188.166.137[.]241 together with the ldm script. The rest of the attack chain is analyzed in a separate article; here we observed a different hosting server IP and additional attack source IPs intended to spread Muhstik's conf2.

Different conf2 downloader


Conclusion

We have been tracking this vulnerability for weeks and have observed massive exploitation targeting Atlassian Confluence. Although the patch for CVE-2021-26084 has already been released, public attacks are still ongoing. In this post we detailed those attacks and illustrated how they use the exploit payload to deliver malware. Users should upgrade their systems immediately and apply FortiGuard protections to stop the probing described here.

Fortinet Protections

For CVE-2021-26084, Fortinet has released the IPS signature Atlassian.Confluence.CVE-2021-26084.Remote.Code.Execution to proactively protect customers. The payloads described above are detected and blocked by the FortiGuard AntiVirus service.

The downloading URLs and attacker's IP addresses have been rated as "Malicious Websites" by the FortiGuard Web Filtering service.

IOCs

Cryptojacking exploit source IP address

Cryptojacking dropper hosting IP address

Setag exploit source IP address

Setag dropper hosting IP address

Fileless attack exploit source IP address

2nd layer payload data

Binary shellcode

Muhstik exploit source IP address

Conf2 dropper hosting IP address



Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.