In the last couple of days, we received some reports regarding a malicious campaign which is deploying Monero cryptocurrency miners on victim’s machines. After analyzing a compromised environment, it was possible to realize that a critical Oracle WebLogic flaw, for which the exploit was made public a few days ago, is being used.
The vulnerability (CVE 2017-10271)  is present in WebLogic Web Services component (wls-wsat) and, due to improperly user input sanitizing, it may allow an unauthenticated remote attacker to execute remote arbitrary commands with the privileges of the WebLogic server user.
The exploit is pretty simple to execute and comes with a Bash script to make it easy to scan for potential victims. The test script basically checks for the string “Web Services” while accessing the URL <HOST>/wls-wsat/CoordinatorPortType, as seen in the image below.
The vulnerability affects supported versions 10.3.6.0.0, 220.127.116.11.0, 18.104.22.168.0 and 22.214.171.124.0 and, at least, the unsupported version 10.3.3.0.
The dropper script used in this campaign, additionally to download and execute the miner, [accidentally] kills the WebLogic service on target machine – and this may have alerted some victims. In Figure 2, a screenshot of part of the script where "pkill" command is called with the argument "$mName", which value was set to "java" at the beginning of the script. So, killing "java" means killing WebLogic as well.
Figure 2 – Script killing “java”
In this case, the campaign objective is to mine cryptocurrencies, but, of course, the vulnerability and exploit can be used for other purposes. Check your environment for this vulnerability and, if necessary, apply the patches as soon as possible.
It is also recommended that you check if a vulnerable environment may have been already compromised. Analyse carefully processes with a high and constant CPU consumption.
Additionally, try to find rogue cryptocurrencies miners in your network by correlating the network traffic with the new (beta) SANS ISC feed, which contains IP addresses of miner pools .
The indicators for this specific campaign are listed below.
IOCs (Indicators of Compromise)
We noticed that IP address 126.96.36.199 was both the source of the attacks and the repository of cryptocurrencies miner’s binaries.
Special thanks to Diego Piffaretti and Victor Matuk for collaborating with me on this analysis.
Jan 7th 2018
11 months ago
Your link is missing the 'l' at the end. The correct link is
Jan 8th 2018
11 months ago
Very nice article.
Below some IPs and hashes find in web-servers. Feel free to lock them and add hashes to your security stuffs:
1.txt: ASCII text, with CRLF line terminators
auto-upgeade.exe: PE32 executable (GUI) Intel 80386, for MS Windows
fc.sh: POSIX shell script, ASCII text executable
javarun2: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
javasvc: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
auto-upgrade: ASCII text
default: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
default?info=w0: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
default?info=w9: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
l_others: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.32, BuildID[sha1]=e67fdc45a7ac6245aa9bb998b42fe7929c8ee141, stripped
readme.txt: ASCII text, with very long lines
robots.txt: ASCII text, with very long lines
setup-watch: ASCII text, with very long lines
w_others: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
get.ps1: ASCII text, with CRLF line terminators
one.png: XML document, ASCII text, with CRLF line terminators
reboot.txt: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
rebots: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=ed8dd40a4612b8c49d8cd7f24f91e1feb7363b74, stripped
xm.py: ASCII text, with CRLF line terminators
Some Anonym contributor.
Jan 10th 2018
11 months ago
We had evidence of the same problem. The shell script is obfuscated using base64 but it's to decode.
Jan 11th 2018
11 months ago