Hackers Hijacking Web Server To Deploy z0Miner Malware

The threat actor, who goes by the name “z0miner,” has been found to be attacking Korean WebLogic servers to distribute malware like miners, network tools, and scripts for attacking further.

This threat actor has a history of attacking vulnerable servers such as Atlassian Confluence, Apache ActiveMQ, Log4j, and many more.

Researchers at Tencent first discovered this threat actor in 2020. The “z0miner” threat actor is well-known for exploiting CVE-2020-14882 and CVE-2020-14883 against Oracle WebLogic servers.

However, according to ASEC researchers, their latest targets were Korean WebLogic servers, and several traces of tools such as FRP (Fast Reverse Proxy), NetCat, and AnyDesk were present.

Document

Integrate ANY.RUN in your company for Effective Malware Analysis

Malware analysis can be fast and simple. Just let us show you the way to:

Interact with malware safely
Set up virtual machine in Linux and all Windows OS versions
Work in a team
Get detailed reports with maximum data

If you want to test all these features now with completely free access to the sandbox: ..

Technical Analysis

According to reports shared with Cyber Security News, the threat actor exploited these Korean WebLogic servers due to poor security configuration and the widespread exposure of server information.

The threat actor could discover the Tomcat version and server version of these servers.

Once this information was gathered, the threat actors used several tools, such as WebShell, FRP, and NetCat, to further exploit it.

Exploitation Methods

WebShell

The threat actor utilized the WebLogic vulnerability CVE-2020-14882 to upload a JSP webshell on the vulnerable system, enabling persistence and control over the system.

Three webshells, such as JSP file Browser, Shack2, and Behinder, were deployed. Moreover, none of these webshells were detected by anti-malware products.

Fast Reverse Proxy (FRP)

This tool was used for RDP (Remote Desktop Communication) protocol communication. Additionally, both the default frpc as well as a customized version were used.

The default frpc loads a settings file in the *.INI form and attempts the connection, while the customized frpc can be run without using an individual file.

NetCat

Netcat is capable of reading and writing data over a network connection and has been found in many webshells.

The tools provide a remote shell feature, which allows them to bypass the firewall and get control over the targeted system.

Netcat implemented as “userinit.exe” ((Source: AhnLab)

Miner (XMRig)

The versions of XMRig used by z0miner are different for Windows and Linux. XMRig 6.18.0 was used in Windows, and 6.18.1 was used for Linux.

To establish persistence with Miner, the threat actor used the Task Scheduler (schtasks) or WMI’s event filter and configured it to read a PowerShell script from a certain Pastebin address and execute it.

The threat actor also used the Monero Wallet and Mining Pool address.

AnyDesk was also one of the tools used by the threat actor as part of the webshell but only used in cases where the Apache ActiveMQ vulnerability (CVE-2023-46604) is exploited.

Indicators Of Compromise

File Detection

HackTool/Win.Netcat (2022.10.18.03)
Win-Trojan/Miner3.Exp (2022.06.24.02)
Downloader/Shell.Miner.SC197168 (2024.02.27.01)
Data/JSON.Miner (2024.02.27.01)
Data/JSON.Miner (2024.02.27.01)
Trojan/PowerShell.Miner (2024.02.27.01)
Trojan/Script.z0Miner.SC197169 (2024.02.27.01)
Trojan/Win.FRP (2024.02.27.01)
Trojan/Shell.Miner.SC197170 (2024.02.27.01)
Trojan/Shell.Miner.SC197171 (2024.02.27.01)
Trojan/Shell.Agent.SC197172 (2024.02.27.01)
Downloader/Shell.Miner.SC197173 (2024.02.27.01)
WebShell/JSP.Generic.S1866 (2024.02.27.00)
Linux/CoinMiner.Gen2 (2022.11.24.02)
WebShell/JSP.FileBrowser.SC197174 (2024.02.27.01)
WebShell/JSP.Generic.S1957 (2024.02.27.00)
Trojan/Shell.Agent.SC197175 (2024.02.27.03)
Downloader/PowerShell.Miner (2024.02.27.03)
CoinMiner/Shell.Generic.S2078 (2024.02.27.00)
Downloader/PowerShell.Miner.SC197176 (2024.02.27.01)

MD5

523613a7b9dfa398cbd5ebd2dd0f4f38 : userinit.exe(Netcat)
2a0d26b8b02bb2d17994d2a9a38d61db : x.rar(XMRig, exe)
4cd78b6cc1e3d3dde3e47852056f78ad : al.txt
085c68576c60ca0361b9778268b0b3b9 : (config.json)
b6aaced82b7c663a5922ce298831885a : (config.json)
7b2793902d106ba11d3369dff5799aa5 : cpu.ps1
ad33f965d406c8f328bd71aff654ec4c : frpc.ini
7e5cc9d086c93fa1af1d3453b3c6946e : svcho.exe(frpc)
e60d8a3f2190d78e94c7b952b72916ac : frp5.exe
8434de0c058abb27c928a10b3ab79ff8 : l.txt
90b74cdc4b7763c6b25fdcd27f26377f : l.txt
83e163afd5993320882452453c214932 : lcpu.txt
a0766ad196626f28919c904d2ced6c85 : ll.txt
903fce58cb4bfc39786c77fe0b5d9486 : pan.rar(Shack2 WebShell)
c2fb307aee872df475a7345d641d72da : s.rar(XMRig, ELF)
88d49dad824344b8d6103c96b4f81d19 : session.rar(Zubin WebShell)
efc2a705c858ed08a76d20a8f5a11b1b : shell.rar(Behinder WebShell)
98e167e7c2999cbea30cc9342e944a4c : solr.sh
575575f5b6f9c4f7149ed6d86fb16c0f : st.ps1
547c02a9b01194a0fcbfef79aaa52e38 : st2.txt
fd0fe2a3d154c412be6932e75a9a5ca1 : stt.txt

C&C URL

(Korean web servers exploited and used as download servers are shown only on TIP.)

107.180.100[.]247:88
15.235.22[.]212:5690
15.235.22[.]213:59240

With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Read the full article here