
SANS ISC: Campaign is using a recently released WebLogic exploit to deploy a Monero miner - SANS Internet Storm Center


Campaign is using a recently released WebLogic exploit to deploy a Monero miner

In the last couple of days, we received some reports regarding a malicious campaign that is deploying Monero cryptocurrency miners on victims' machines. After analyzing a compromised environment, we determined that a critical Oracle WebLogic flaw, for which an exploit was made public a few days ago, is being used.

The vulnerability (CVE-2017-10271) [1] is present in the WebLogic Web Services component (wls-wsat) and, due to improper sanitization of user input, it may allow an unauthenticated remote attacker to execute arbitrary commands with the privileges of the WebLogic server user.

The exploit is pretty simple to execute and comes with a Bash script that makes it easy to scan for potential victims. The test script basically checks for the string "Web Services" in the response when accessing the URL <HOST>/wls-wsat/CoordinatorPortType, as seen in the image below.

Figure 1 - Vulnerability check
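For defenders who want to run the same presence test against their own WebLogic inventory, the check below reproduces the logic the diary describes (HTTP 200 plus the string "Web Services" at /wls-wsat/CoordinatorPortType). This is an added example, not the published test script or any SANS ISC code; the function names and the three result labels are my own. Note that, exactly like the original check, a hit only shows that the wls-wsat component is deployed and reachable; it does not tell you whether the October 2017 patch has been applied, so a hit is a prompt to verify patch level, not proof of vulnerability.

```python
"""Check your own WebLogic hosts for a reachable wls-wsat endpoint (added example)."""
import sys
import urllib.error
import urllib.request

# Path and marker string taken from the diary's description of the test script.
WLS_WSAT_PATH = "/wls-wsat/CoordinatorPortType"
MARKER = "Web Services"


def classify_response(status, body):
    """Mirror the published test's logic on an HTTP status code and body.

    Returns one of three labels (names are my own):
      'exposed'     - 200 and the body contains 'Web Services'
      'unknown'     - 200 but the marker is absent (component may be customised)
      'not-exposed' - any non-200 status (404 on a host without wls-wsat, etc.)
    """
    if status != 200:
        return "not-exposed"
    return "exposed" if MARKER in body else "unknown"


def check_host(base_url, timeout=5):
    """Fetch the wls-wsat page of one WebLogic server and classify the answer.

    base_url is e.g. 'http://weblogic.internal:7001'. Returns the label from
    classify_response, or 'unreachable' if no HTTP answer came back at all.
    """
    url = base_url.rstrip("/") + WLS_WSAT_PATH
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify_response(resp.status, body)
    except urllib.error.HTTPError as err:
        # Non-2xx answers raise; the status is still meaningful for us.
        return classify_response(err.code, "")
    except (urllib.error.URLError, OSError):
        return "unreachable"


if __name__ == "__main__":
    # Usage: python check_wls_wsat.py http://host1:7001 http://host2:7001 ...
    for host in sys.argv[1:]:
        print(f"{host}\t{check_host(host)}")
```

Feed it the list of WebLogic base URLs from your asset inventory; anything reported as "exposed" should be cross-checked against the patch level from the Oracle advisory cited in [1].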

The vulnerability affects the supported versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0 and, at least, the unsupported version 10.3.3.0.

The dropper script used in this campaign, in addition to downloading and executing the miner, [accidentally] kills the WebLogic service on the target machine, and this may have alerted some victims. Figure 2 shows the part of the script where the "pkill" command is called with the argument "$mName", whose value was set to "java" at the beginning of the script. So, killing "java" means killing WebLogic as well.

Figure 2 – Script killing "java"

In this case, the campaign objective is to mine cryptocurrencies, but, of course, the vulnerability and exploit can be used for other purposes. Check your environment for this vulnerability and, if necessary, apply the patches as soon as possible.

It is also recommended that you check whether a vulnerable environment has already been compromised. Look carefully at processes with high and constant CPU consumption.

Additionally, try to find rogue cryptocurrency miners in your network by correlating network traffic with the new (beta) SANS ISC feed, which contains IP addresses of miner pools [2].

The indicators for this specific campaign are listed below.

IOCs (Indicators of Compromise)

Network

hxxp://165.227.215.25/
hxxp://165.227.215.25/xmrig-y
hxxps://165.227.215.25/xmrig-y
hxxp://165.227.215.25/java_infected
hxxp://165.227.215.25/xmrig-y%20$mName
hxxp://165.227.215.25/5555
hxxp://165.227.215.25/xmrig-aeon.exe
hxxp://165.227.215.25/xmrig-y.exe
hxxp://165.227.215.25/xmrig-y%20$
hxxp://165.227.215.25/xmrig

We noticed that IP address 165.227.215.25 was both the source of the attacks and the repository of the cryptocurrency miner binaries.
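The two hunting steps recommended above (look for processes with high and constant CPU consumption, and correlate connections with the miner-pool feed and the campaign IPs) can be automated on a suspect host. The script below is an added example written for this diary, not SANS ISC tooling: it takes a few successive `ps -eo pid,pcpu,comm --no-headers` snapshots and one `ss -tnp` listing, flags PIDs that stay above a CPU threshold in every snapshot, matches peer addresses against an IOC set, and reports processes that are on both lists. All input is constructed inline; the feed format is an assumption (one IP per line, `#` comments) because the diary does not show it, and 203.0.113.10 / 198.51.100.7 are documentation-range stand-ins for feed entries, while 165.227.215.25 is the campaign IP listed above.

```python
"""Hunt for rogue miners: sustained high CPU + connections to IOC IPs (added example)."""
import re

# Constructed sample: three `ps -eo pid,pcpu,comm --no-headers` snapshots taken a
# few seconds apart. PID 4242 is a miner named to blend in with Java processes;
# PID 1200 is a short-lived gzip spike that must NOT be flagged.
PS_SNAPSHOTS = [
    "  1 0.0 systemd\n 900 3.5 java\n1200 95.0 gzip\n4242 99.1 javarun2\n",
    "  1 0.0 systemd\n 900 4.1 java\n1200 2.0 gzip\n4242 98.7 javarun2\n",
    "  1 0.0 systemd\n 900 3.9 java\n4242 99.4 javarun2\n",
]

# Constructed sample in the shape of `ss -tnp` output (state, queues, local
# address, peer address, owning process). 165.227.215.25 is the campaign IP
# from the diary; 203.0.113.10 is a made-up pool address standing in for a feed entry.
SS_OUTPUT = """\
ESTAB 0 0 10.0.0.5:43210 165.227.215.25:80 users:(("curl",pid=3120,fd=4))
ESTAB 0 0 10.0.0.5:43211 203.0.113.10:3333 users:(("javarun2",pid=4242,fd=3))
ESTAB 0 0 10.0.0.5:7001 10.0.0.20:51812 users:(("java",pid=900,fd=57))
"""

# Constructed stand-in for the ISC miner feed. ASSUMPTION: one IP per line,
# '#' starts a comment. Adjust load_ioc_ips() to the real feed's format.
FEED_TEXT = "# miner pools (constructed sample)\n203.0.113.10\n198.51.100.7\n"

# Network IOC the diary itself attributes to this campaign.
CAMPAIGN_IPS = {"165.227.215.25"}

SS_RE = re.compile(
    r'^\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+users:\(\("([^"]+)",pid=(\d+)'
)


def parse_ps(snapshot):
    """Map pid -> (pcpu, comm) for one ps snapshot."""
    procs = {}
    for line in snapshot.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3:
            pid, pcpu, comm = parts
            procs[int(pid)] = (float(pcpu), comm)
    return procs


def sustained_high_cpu(snapshots, threshold=80.0):
    """PIDs at or above `threshold` %CPU in *every* snapshot (constant load)."""
    parsed = [parse_ps(s) for s in snapshots]
    candidates = set(parsed[0])
    for procs in parsed[1:]:
        candidates &= set(procs)          # must exist in all snapshots
    return sorted(
        (pid, parsed[-1][pid][1])
        for pid in candidates
        if all(p[pid][0] >= threshold for p in parsed)
    )


def load_ioc_ips(feed_text, extra=()):
    """Parse the (assumed) one-IP-per-line feed and merge extra IOC IPs."""
    ips = {
        line.strip()
        for line in feed_text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    }
    return ips | set(extra)


def parse_ss(output):
    """Extract (pid, comm, remote ip, remote port) from `ss -tnp` lines."""
    conns = []
    for line in output.splitlines():
        m = SS_RE.match(line)
        if m:
            _lip, _lport, rip, rport, comm, pid = m.groups()
            conns.append({"pid": int(pid), "comm": comm,
                          "remote_ip": rip, "remote_port": int(rport)})
    return conns


def ioc_connections(ss_output, ioc_ips):
    """Connections whose peer address is in the IOC set."""
    return [c for c in parse_ss(ss_output) if c["remote_ip"] in ioc_ips]


def hunt(ps_snapshots=PS_SNAPSHOTS, ss_output=SS_OUTPUT, feed_text=FEED_TEXT):
    """Run both checks and intersect them: a process that is both hot and
    talking to an IOC address is the strongest miner signal."""
    hot = sustained_high_cpu(ps_snapshots)
    conns = ioc_connections(ss_output, load_ioc_ips(feed_text, CAMPAIGN_IPS))
    hot_pids = {pid for pid, _ in hot}
    confirmed = sorted({c["pid"] for c in conns if c["pid"] in hot_pids})
    return {"high_cpu": hot, "ioc_connections": conns, "confirmed": confirmed}


if __name__ == "__main__":
    for key, value in hunt().items():
        print(f"{key}: {value}")
```

On a real host, replace the constants with `subprocess` captures of the two commands and the downloaded feed; the `curl` hit against 165.227.215.25 shows why a connection to the campaign IP is worth an alert on its own, even when the process is not hot.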

Hashes (MD5)

0e0ad37bc72453e4ec2a6029517a8edd
44d3ea4f3542f246a5535c9f114fbb09

Acknowledgements

Special thanks to Diego Piffaretti and Victor Matuk for collaborating with me on this analysis.

References

[1] http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.htm
[2] https://isc.sans.edu/api/threatlist/miner

--
Renato Marinho
Morphus Labs | LinkedIn | Twitter

Renato

23 Posts
ISC Handler
Your link is missing the 'l' at the end. The correct link is
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
Anonymous
Posts
Hi,

Very nice article.

Below are some IPs and hashes found on web servers. Feel free to block them and add the hashes to your security tools:

122.10.88.136
148.153.34.90
165.227.215.25
188.69.199.59
191.101.180.84
195.154.38.77
207.246.125.40
207.246.68.21
35.194.156.203 (Google)
45.123.190.147
45.77.245.237
47.52.226.117
61.132.253.189
67.21.81.194
72.11.140.178

195.154.38.77
->file *
1.txt: ASCII text, with CRLF line terminators
auto-upgeade.exe: PE32 executable (GUI) Intel 80386, for MS Windows
fc.sh: POSIX shell script, ASCII text executable
javarun2: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
javasvc: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped

->md5sum *
4232b8e092d13b51ae0a033b82e92749 1.txt
9a95a92e79cb11a03678dd8810033281 auto-upgeade.exe
cf51d563c00cf44488764d36f836c2d0 fc.sh
2b28e594d2c3a9418696c75a7c66acaf javarun2
2b28e594d2c3a9418696c75a7c66acaf javasvc

->sha256sum *
68973fba3939698c27cfca482435485981effd74e8b9fee69c325dd96057e333 1.txt
3c38d050e4c6a3dfef061cbdbd682566903ddd141ba890c6c92de93c32a963ee auto-upgeade.exe
57e9ec6d880308ac53d1ad9d01b4114a19152e99ae904a845b4376ed3a5734b7 fc.sh
580bf9a4f5bd4699fb2521e9bd914fd727a48d349e2d112c1e65017602d9263b javarun2
580bf9a4f5bd4699fb2521e9bd914fd727a48d349e2d112c1e65017602d9263b javasvc


72.11.140.178
->file *
auto-upgrade: ASCII text
default: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
default?info=w0: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
default?info=w9: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
l_others: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.32, BuildID[sha1]=e67fdc45a7ac6245aa9bb998b42fe7929c8ee141, stripped
readme.txt: ASCII text, with very long lines
robots.txt: ASCII text, with very long lines
setup-watch: ASCII text, with very long lines
w_others: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows

->md5sum *
a2efbab40c9c6dd5df05e9a94d61d14e auto-upgrade
fe4afa2200ce95f008ca631057e8c606 default
fe4afa2200ce95f008ca631057e8c606 default?info=w0
fe4afa2200ce95f008ca631057e8c606 default?info=w9
153b63f648f3d056a298362b037e5045 l_others
fd679aef50b8dd6ba4a459831db716d3 readme.txt
547fba965dbbdbe6e132b8355665194b robots.txt
01d0ae0d9e85dc0a0022b131c5871c71 setup-watch
315e44378af34bb1d6263cd9cf437e45 w_others

->sha256sum *
69461fc9937532f9f909ee3892ddddc3275c103d3876caeb870a4c5df5b39611 auto-upgrade
40c544f56a1ee190982780bfe45ac6db3f3098fddbefef3fb0ca5df7162f8b13 default
40c544f56a1ee190982780bfe45ac6db3f3098fddbefef3fb0ca5df7162f8b13 default?info=w0
40c544f56a1ee190982780bfe45ac6db3f3098fddbefef3fb0ca5df7162f8b13 default?info=w9
2fa9aff8b88be25dde37a0e4da5f915976597d8d80094dafe3efd3ff2b7b758d l_others
0309d20c23c2776c2d38070540147e2bff7379f5bbd9add9e7cc836aff96530f readme.txt
18c27ed7e0037d3c4f3b5c632fa9946e311f306945b7fba8904878ed2d4fae9d robots.txt
47dd2b3592a6cf18ac2694293d47e2801566252230ef62d7e71c3789c8f49da1 setup-watch
d23cd7deef7d360e39c967e9bfe94e54180705081be1f29a0dbd4b3648711f67 w_others

122.10.88.136
->file *
get.ps1: ASCII text, with CRLF line terminators
one.png: XML document, ASCII text, with CRLF line terminators
reboot.txt: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
rebots: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=ed8dd40a4612b8c49d8cd7f24f91e1feb7363b74, stripped
xm.py: ASCII text, with CRLF line terminators

->md5sum *
e9855f63d6363516400642d46645056c get.ps1
32bdce5248b8e711e79dcc1fa2449058 one.png
0769d0b0ce2cf28624180e6ebaf2879f reboot.txt
8df9ec7cd1de78957ea800fd63d66051 rebots
47b3a0edb784dc2fafe2a204a7828273 xm.py

->sha256sum *
0afcc2bb02b101325b819ce882dd999d8e635f63cc3bf479b0e059a47f34522c get.ps1
38f0aa15c887af74f1d64dda59e884565539c15d19007799ea5fdb2bd683f5ae one.png
9ebd532fe016c8ea3849f26273318c26dfd16d6876b2c69ea9ac5b999e1c3d35 reboot.txt
f3f2703a7959183b010d808521b531559650f6f347a5830e47f8e3831b10bad5 rebots
1aab05c6d6beef8bbc693698bf0a7205f06f7fd0928cbe9a35246157f9df8ce1 xm.py

Enjoy.
Some Anonym contributor.
Anonymous
Posts
We had evidence of the same problem. The shell script is obfuscated using base64 but it's to decode.
Anonymous
Posts
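The comment above notes that the shell script is wrapped in base64. When triaging such a dropper, the safe approach is to peel the encoding statically instead of letting the script run and decode itself. The helper below is an added example written for this diary (not from the commenter or SANS ISC): it searches a script for `echo <base64> | base64 -d` constructions, decodes the blob, and repeats on the result until no further layer is found. The sample script is constructed at import time from a harmless two-layer payload, so the base64 strings are generated rather than copied from any real sample; the regex and function names are my own.

```python
"""Statically unwrap nested 'echo <b64> | base64 -d' layers of a shell dropper (added example)."""
import base64
import binascii
import re

# Matches: echo [-n] ['"]<base64>['"] | base64 -d|--decode   (my own pattern)
B64_PIPE_RE = re.compile(
    r"""echo\s+(?:-n\s+)?['"]?([A-Za-z0-9+/=]{16,})['"]?\s*\|\s*base64\s+(?:-d|--decode)"""
)


def unwrap_base64_layers(script, max_depth=10):
    """Return the decoded layers, outermost first, without executing anything.

    Stops when no 'echo ... | base64 -d' construct is found, when the blob is
    not valid base64, or after max_depth layers (guards against decode loops).
    """
    layers = []
    current = script
    for _ in range(max_depth):
        m = B64_PIPE_RE.search(current)
        if not m:
            break
        try:
            decoded = base64.b64decode(m.group(1), validate=True)
        except (binascii.Error, ValueError):
            break
        text = decoded.decode("utf-8", "replace")
        layers.append(text)
        current = text
    return layers


# --- Constructed sample (built here, not taken from a real dropper) ---------
INNERMOST = 'mName=java\necho "$mName"\n'                       # harmless final layer
_MIDDLE = "echo " + base64.b64encode(INNERMOST.encode()).decode() + " | base64 -d | sh\n"
SAMPLE_SCRIPT = (
    "#!/bin/sh\n"
    "echo '" + base64.b64encode(_MIDDLE.encode()).decode() + "' | base64 --decode | bash\n"
)


if __name__ == "__main__":
    for depth, layer in enumerate(unwrap_base64_layers(SAMPLE_SCRIPT), start=1):
        print(f"--- layer {depth} ---")
        print(layer, end="")
```

Run it against the dropper file's contents (read the file, pass the string) and inspect the innermost layer for the download URL, the miner binary name and the variable that ends up in `pkill`; the decoded text is evidence, never something to execute.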