SANS Internet Storm Center (ISC) Diary
Campaign is using a recently released WebLogic exploit to deploy a Monero miner

In the last couple of days, we received several reports regarding a malicious campaign that is deploying Monero cryptocurrency miners on victims' machines. After analyzing a compromised environment, we were able to determine that a critical Oracle WebLogic flaw, for which an exploit was made public a few days ago, is being used.

The vulnerability (CVE-2017-10271) [1] is present in the WebLogic Web Services component (wls-wsat). Because the component deserializes attacker-controlled XML from the SOAP request body without proper validation, an unauthenticated remote attacker can execute arbitrary commands with the privileges of the WebLogic server user.

The exploit is simple to execute and comes with a Bash script that makes it easy to scan for potential victims. The check is basic: the script requests the URL <HOST>/wls-wsat/CoordinatorPortType and looks for the string “Web Services” in the response, as seen in the image below. Note that a positive result only means the wls-wsat component is deployed and reachable; a patched server answers the same way, so the check identifies exposed targets rather than confirming the flaw.

Figure 1 - Vulnerability check
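The scanner's check, and the complementary defensive view of it, as an added example that is not part of the original diary or the public exploit kit: `wls_wsat_exposed()` reproduces the "Web Services" heuristic on a fetched response, and `find_wls_wsat_requests()` runs the same idea over a web server access log to find hosts that probed or posted to the wls-wsat endpoint. The log lines are constructed samples in Common Log Format; the path names and the observation that the public exploits deliver their SOAP payload in a POST to the same endpoint are the author's assumptions here, not something shown on the page.

```python
import re
from typing import Iterable, List, Tuple

# Path the public scanner probes. A 200 with "Web Services" in the body
# means the wls-wsat component is deployed and reachable; it does NOT
# prove the patch is missing, since a patched server serves the same page.
WSAT_PATH = "/wls-wsat/CoordinatorPortType"


def wls_wsat_exposed(status: int, body: str) -> bool:
    """Heuristic from the scan script: GET /wls-wsat/CoordinatorPortType
    returned the WebLogic Web Services test page."""
    return status == 200 and "Web Services" in body


# Common Log Format: src ident user [ts] "METHOD path proto" status size
_CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_wls_wsat_requests(lines: Iterable[str]) -> List[Tuple[str, str, str, int]]:
    """Return (src, method, path, status) for every request under /wls-wsat/.
    GETs look like the scanner's probe; POSTs are how the public exploits
    deliver the SOAP payload (assumption), so treat those as the urgent hits."""
    hits = []
    for line in lines:
        m = _CLF.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        path = m.group("path").split("?", 1)[0].lower()
        if not path.startswith("/wls-wsat/"):
            continue
        hits.append((m.group("src"), m.group("method"), m.group("path"), int(m.group("status"))))
    return hits


# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Dec/2017:10:01:02 +0000] "GET /wls-wsat/CoordinatorPortType HTTP/1.1" 200 1843
203.0.113.5 - - [18/Dec/2017:10:01:03 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 0
198.51.100.7 - - [18/Dec/2017:10:02:11 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 5120
192.0.2.9 - - [18/Dec/2017:10:03:00 +0000] "POST /wls-wsat/CoordinatorPortType11 HTTP/1.1" 500 0
"""

if __name__ == "__main__":
    for src, method, path, status in find_wls_wsat_requests(SAMPLE_LOG.splitlines()):
        flag = "PAYLOAD?" if method == "POST" else "probe"
        print(f"{src} {method} {path} -> {status} [{flag}]")
```

Run this over your WebLogic access logs for the days around the exploit's release; a probe followed within seconds by a POST from the same source, as in the constructed sample, is the pattern to escalate.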

The vulnerability affects several supported WebLogic versions, listed in the Oracle advisory [1], and at least one unsupported version.

The dropper script used in this campaign, in addition to downloading and executing the miner, [accidentally] kills the WebLogic service on the target machine, which may have alerted some victims. Figure 2 shows part of the script, where the "pkill" command is called with the argument "$mName", whose value was set to "java" at the beginning of the script. Killing every "java" process kills WebLogic as well.


Figure 2 – Script killing “java”

In this case, the campaign's objective is to mine cryptocurrency, but, of course, the vulnerability and exploit can be used for other purposes. Check your environment for this vulnerability and apply the patch (released in Oracle's October 2017 Critical Patch Update) as soon as possible. Since the exploit needs the wls-wsat component to be reachable, also restrict access to it if your applications do not need it.

It is also recommended that you check whether a vulnerable environment has already been compromised. Look carefully at processes with high and constant CPU consumption.

Additionally, try to find rogue cryptocurrency miners in your network by correlating network traffic with the new (beta) SANS ISC feed, which contains IP addresses of mining pools [2].
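The two checks above (sustained CPU consumption and correlation with a pool IP feed), as an added example that is not part of the original diary and does not use the real ISC feed: `sustained_cpu_hogs()` flags a process only if it is present in every sample and never drops below the threshold, which separates a miner from a JVM that spikes during a GC or a deployment; `connections_to_pools()` matches outbound connections against a feed of pool addresses. The `ps` snapshots, the feed format (one address per line with `#` comments, an assumption here; check the feed's own documentation) and the connection records are all constructed, using RFC 5737 documentation ranges.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple


# Part 1: sustained CPU consumption.
# A miner keeps a core busy continuously, so the signal is a process that
# stays above the threshold in every sample, not a single spike. Each
# snapshot has the shape of `ps -eo pid,user,pcpu,comm --no-headers`.
def sustained_cpu_hogs(snapshots: List[str], threshold: float = 80.0) -> List[Tuple[int, str, float]]:
    """Return (pid, command, lowest %cpu seen) for processes present in
    every snapshot whose %cpu never dropped below `threshold`."""
    samples: Dict[int, List[Tuple[str, float]]] = defaultdict(list)
    for snap in snapshots:
        for line in snap.strip().splitlines():
            pid, _user, cpu, comm = line.split(None, 3)
            samples[int(pid)].append((comm, float(cpu)))
    hogs = []
    for pid, seen in samples.items():
        if len(seen) != len(snapshots):
            continue  # short-lived or newly started; cannot call it sustained yet
        floor = min(cpu for _, cpu in seen)
        if floor >= threshold:
            hogs.append((pid, seen[0][0], floor))
    return sorted(hogs)


# Part 2: correlation with a mining-pool IP feed.
def load_pool_feed(text: str) -> Set[ipaddress.IPv4Address]:
    """Parse a one-address-per-line feed (assumed format), ignoring blank
    lines, '#' comments and entries that are not IPv4 addresses."""
    pools = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            pools.add(ipaddress.IPv4Address(entry))
        except ipaddress.AddressValueError:
            continue  # hostnames or garbage in the feed are skipped, not guessed
    return pools


def connections_to_pools(records: Iterable[str], pools: Set[ipaddress.IPv4Address]) -> List[Tuple[str, str, int]]:
    """records are 'src_ip dst_ip dst_port' lines (e.g. exported from conntrack
    or a flow collector). Return the ones whose destination is in the feed."""
    hits = []
    for raw in records:
        parts = raw.split()
        if len(parts) != 3:
            continue
        src, dst, port = parts
        try:
            if ipaddress.IPv4Address(dst) in pools:
                hits.append((src, dst, int(port)))
        except (ipaddress.AddressValueError, ValueError):
            continue
    return hits


# Constructed sample data, not the ISC feed and not traffic from the campaign.
SNAPSHOTS = [
    "1 root 0.1 systemd\n2201 weblogic 85.0 java\n4242 weblogic 99.0 javasvc\n",
    "1 root 0.1 systemd\n2201 weblogic 3.2 java\n4242 weblogic 98.5 javasvc\n7001 weblogic 97.0 javarun2\n",
    "1 root 0.1 systemd\n2201 weblogic 2.8 java\n4242 weblogic 99.7 javasvc\n7001 weblogic 96.0 javarun2\n",
]
POOL_FEED = "# constructed pool list\n203.0.113.50\n192.0.2.77  # second pool\n\nnot-an-ip\n"
CONNECTIONS = [
    "10.0.0.12 203.0.113.50 3333",
    "10.0.0.12 198.51.100.20 443",
    "10.0.0.30 203.0.113.50 14444",
    "garbage line",
]

if __name__ == "__main__":
    print("sustained CPU:", sustained_cpu_hogs(SNAPSHOTS))
    print("pool traffic:", connections_to_pools(CONNECTIONS, load_pool_feed(POOL_FEED)))
```

In the constructed data the legitimate WebLogic JVM (pid 2201) spikes once and is ignored, the second miner (pid 7001) is too new to be judged, and only pid 4242 is reported; two internal hosts are seen talking to a pool address. Feed the functions several minutes of real `ps` output and your own flow export rather than single samples.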

The indicators for this specific campaign are listed below.

IOCs (Indicators of Compromise)

We noticed that the same IP address was both the source of the attacks and the repository of the cryptocurrency miner binaries.

Hashes (MD5)

Special thanks to Diego Piffaretti and Victor Matuk for collaborating with me on this analysis.



Renato Marinho
Morphus Labs | LinkedIn | Twitter


ISC Handler
Your link is missing the 'l' at the end. The correct link is

Very nice article.

Below are some IPs and hashes found on web servers. Feel free to block them and add the hashes to your security stuff: (Google)
->file *
1.txt: ASCII text, with CRLF line terminators
auto-upgeade.exe: PE32 executable (GUI) Intel 80386, for MS Windows POSIX shell script, ASCII text executable
javarun2: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
javasvc: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped

->md5sum *
4232b8e092d13b51ae0a033b82e92749 1.txt
9a95a92e79cb11a03678dd8810033281 auto-upgeade.exe
2b28e594d2c3a9418696c75a7c66acaf javarun2
2b28e594d2c3a9418696c75a7c66acaf javasvc

->sha256sum *
68973fba3939698c27cfca482435485981effd74e8b9fee69c325dd96057e333 1.txt
3c38d050e4c6a3dfef061cbdbd682566903ddd141ba890c6c92de93c32a963ee auto-upgeade.exe
580bf9a4f5bd4699fb2521e9bd914fd727a48d349e2d112c1e65017602d9263b javarun2
580bf9a4f5bd4699fb2521e9bd914fd727a48d349e2d112c1e65017602d9263b javasvc
->file *
auto-upgrade: ASCII text
default: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
default?info=w0: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
default?info=w9: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
l_others: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.32, BuildID[sha1]=e67fdc45a7ac6245aa9bb998b42fe7929c8ee141, stripped
readme.txt: ASCII text, with very long lines
robots.txt: ASCII text, with very long lines
setup-watch: ASCII text, with very long lines
w_others: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows

->md5sum *
a2efbab40c9c6dd5df05e9a94d61d14e auto-upgrade
fe4afa2200ce95f008ca631057e8c606 default
fe4afa2200ce95f008ca631057e8c606 default?info=w0
fe4afa2200ce95f008ca631057e8c606 default?info=w9
153b63f648f3d056a298362b037e5045 l_others
fd679aef50b8dd6ba4a459831db716d3 readme.txt
547fba965dbbdbe6e132b8355665194b robots.txt
01d0ae0d9e85dc0a0022b131c5871c71 setup-watch
315e44378af34bb1d6263cd9cf437e45 w_others

->sha256sum *
69461fc9937532f9f909ee3892ddddc3275c103d3876caeb870a4c5df5b39611 auto-upgrade
40c544f56a1ee190982780bfe45ac6db3f3098fddbefef3fb0ca5df7162f8b13 default
40c544f56a1ee190982780bfe45ac6db3f3098fddbefef3fb0ca5df7162f8b13 default?info=w0
40c544f56a1ee190982780bfe45ac6db3f3098fddbefef3fb0ca5df7162f8b13 default?info=w9
2fa9aff8b88be25dde37a0e4da5f915976597d8d80094dafe3efd3ff2b7b758d l_others
0309d20c23c2776c2d38070540147e2bff7379f5bbd9add9e7cc836aff96530f readme.txt
18c27ed7e0037d3c4f3b5c632fa9946e311f306945b7fba8904878ed2d4fae9d robots.txt
47dd2b3592a6cf18ac2694293d47e2801566252230ef62d7e71c3789c8f49da1 setup-watch
d23cd7deef7d360e39c967e9bfe94e54180705081be1f29a0dbd4b3648711f67 w_others
->file *
get.ps1: ASCII text, with CRLF line terminators
one.png: XML document, ASCII text, with CRLF line terminators
reboot.txt: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
rebots: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/, for GNU/Linux 2.6.32, BuildID[sha1]=ed8dd40a4612b8c49d8cd7f24f91e1feb7363b74, stripped ASCII text, with CRLF line terminators

->md5sum *
e9855f63d6363516400642d46645056c get.ps1
32bdce5248b8e711e79dcc1fa2449058 one.png
0769d0b0ce2cf28624180e6ebaf2879f reboot.txt
8df9ec7cd1de78957ea800fd63d66051 rebots

->sha256sum *
0afcc2bb02b101325b819ce882dd999d8e635f63cc3bf479b0e059a47f34522c get.ps1
38f0aa15c887af74f1d64dda59e884565539c15d19007799ea5fdb2bd683f5ae one.png
9ebd532fe016c8ea3849f26273318c26dfd16d6876b2c69ea9ac5b999e1c3d35 reboot.txt
f3f2703a7959183b010d808521b531559650f6f347a5830e47f8e3831b10bad5 rebots

Some Anonymous contributor.
We had evidence of the same problem. The shell script is obfuscated using base64, but it's easy to decode.
