Hackers Hijacking Web Server To Deploy z0Miner Malware

by Esmeralda McKenzie
Hackers Hijacking Web Server To Deploy z0Miner Malware

Hackers Hijacking Web Server To Deploy z0Miner Malware

Hackers Hijacking Web Server To Deploy z0Miner Malware

The possibility actor, who goes by the name “z0miner,” has been stumbled on to be attacking Korean WebLogic servers to distribute malware cherish miners, network tools, and scripts for attacking additional.

This possibility actor has a history of attacking vulnerable servers equivalent to Atlassian Confluence, Apache ActiveMQ, Log4j, and quite a lot of more.

EHA

Researchers at Tencent first stumbled on this possibility actor in 2020. The “z0miner” possibility actor is infamous for exploiting CVE-2020-14882 and CVE-2020-14883 against Oracle WebLogic servers.

Nonetheless, primarily primarily based on ASEC researchers, their most smartly-liked targets respect been Korean WebLogic servers, and a total lot of different traces of tools equivalent to FRP (Swiftly Reverse Proxy), NetCat, and AnyDesk respect been characterize.

Doc

Combine ANY.RUN to your firm for Efficient Malware Evaluation

Are you from SOC and DFIR teams? – Join With 400,000 self reliant Researchers

Malware prognosis may even be quick and simple. Moral enable us to characterize you the capacity to:

  • Have interaction with malware safely
  • Dispute up digital machine in Linux and all Windows OS versions
  • Work in a crew
  • Get detailed reports with maximum data
  • If you happen to are looking to test all these facets now with fully free access to the sandbox: ..

Technical Evaluation

Per reports shared with Cyber Security News, the possibility actor exploited these Korean WebLogic servers attributable to miserable safety configuration and the favored publicity of server data.

The possibility actor may peep the Tomcat model and server model of these servers.

As soon as this recordsdata was gathered, the possibility actors smartly-liked a total lot of tools, equivalent to WebShell, FRP, and NetCat, to additional exploit it.

Capture%20(13)
Exploited servers (Source: AhnLab)

Exploitation Concepts

WebShell

The possibility actor utilized the WebLogic vulnerability CVE-2020-14882 to upload a JSP webshell on the vulnerable machine, enabling persistence and care for an eye fixed on over the machine.

Three webshells, equivalent to JSP file Browser, Shack2, and Behinder, respect been deployed. Moreover, none of these webshells respect been detected by anti-malware products.

Capture%20(14)
Webshell (Source: AhnLab)

Swiftly Reverse Proxy (FRP)

This tool was smartly-liked for RDP (A long way away Desktop Verbal change) protocol verbal change. Additionally, both the default frpc to boot to a customised model respect been smartly-liked.

The default frpc hundreds a settings file within the *.INI create and makes an strive the connection, while the customized frpc may even be flee without using an individual file.

Capture%20(15)
FRP Get (Source: AhnLab)

NetCat

Netcat is in a position to studying and writing data over a network connection and has been characterize in quite a lot of webshells.

The tools present a faraway shell function, which enables them to avoid the firewall and salvage care for an eye fixed on over the centered machine.

Capture%20(16)
Netcat utilized as “userinit.exe” ((Source: AhnLab)

Miner (XMRig)

The versions of XMRig smartly-liked by z0miner are quite a pair of for Windows and Linux. XMRig 6.18.0 was smartly-liked in Windows, and 6.18.1 was smartly-liked for Linux.

To connect persistence with Miner, the possibility actor smartly-liked the Assignment Scheduler (schtasks) or WMI’s match filter and configured it to be taught a PowerShell script from a obvious Pastebin address and build it.

Capture%20(17)
XMRig (Source: AhnLab)

The possibility actor additionally smartly-liked the Monero Pockets and Mining Pool address.

AnyDesk was additionally one of the most tools smartly-liked by the possibility actor as piece of the webshell but finest smartly-liked in conditions where the Apache ActiveMQ vulnerability (CVE-2023-46604) is exploited.

Indicators Of Compromise

File Detection

  • HackTool/Rating.Netcat (2022.10.18.03)
  • Rating-Trojan/Miner3.Exp (2022.06.24.02)
  • Downloader/Shell.Miner.SC197168 (2024.02.27.01)
  • Details/JSON.Miner (2024.02.27.01)
  • Details/JSON.Miner (2024.02.27.01)
  • Trojan/PowerShell.Miner (2024.02.27.01)
  • Trojan/Script.z0Miner.SC197169 (2024.02.27.01)
  • Trojan/Rating.FRP (2024.02.27.01)
  • Trojan/Shell.Miner.SC197170 (2024.02.27.01)
  • Trojan/Shell.Miner.SC197171 (2024.02.27.01)
  • Trojan/Shell.Agent.SC197172 (2024.02.27.01)
  • Downloader/Shell.Miner.SC197173 (2024.02.27.01)
  • WebShell/JSP.Generic.S1866 (2024.02.27.00)
  • Linux/CoinMiner.Gen2 (2022.11.24.02)
  • WebShell/JSP.FileBrowser.SC197174 (2024.02.27.01)
  • WebShell/JSP.Generic.S1957 (2024.02.27.00)
  • Trojan/Shell.Agent.SC197175 (2024.02.27.03)
  • Downloader/PowerShell.Miner (2024.02.27.03)
  • CoinMiner/Shell.Generic.S2078 (2024.02.27.00)
  • Downloader/PowerShell.Miner.SC197176 (2024.02.27.01)

MD5

  • 523613a7b9dfa398cbd5ebd2dd0f4f38 : userinit.exe(Netcat)
  • 2a0d26b8b02bb2d17994d2a9a38d61db : x.rar(XMRig, exe)
  • 4cd78b6cc1e3d3dde3e47852056f78ad : al.txt
  • 085c68576c60ca0361b9778268b0b3b9 : (config.json)
  • b6aaced82b7c663a5922ce298831885a : (config.json)
  • 7b2793902d106ba11d3369dff5799aa5 : cpu.ps1
  • ad33f965d406c8f328bd71aff654ec4c : frpc.ini
  • 7e5cc9d086c93fa1af1d3453b3c6946e : svcho.exe(frpc)
  • e60d8a3f2190d78e94c7b952b72916ac : frp5.exe
  • 8434de0c058abb27c928a10b3ab79ff8 : l.txt
  • 90b74cdc4b7763c6b25fdcd27f26377f : l.txt
  • 83e163afd5993320882452453c214932 : lcpu.txt
  • a0766ad196626f28919c904d2ced6c85 : ll.txt
  • 903fce58cb4bfc39786c77fe0b5d9486 : pan.rar(Shack2 WebShell)
  • c2fb307aee872df475a7345d641d72da : s.rar(XMRig, ELF)
  • 88d49dad824344b8d6103c96b4f81d19 : session.rar(Zubin WebShell)
  • efc2a705c858ed08a76d20a8f5a11b1b : shell.rar(Behinder WebShell)
  • 98e167e7c2999cbea30cc9342e944a4c : solr.sh
  • 575575f5b6f9c4f7149ed6d86fb16c0f : st.ps1
  • 547c02a9b01194a0fcbfef79aaa52e38 : st2.txt
  • fd0fe2a3d154c412be6932e75a9a5ca1 : stt.txt

C&C URL

(Korean net servers exploited and smartly-liked as download servers are shown finest on TIP.)

  • 107.180.100[.]247:88
  • 15.235.22[.]212:5690
  • 15.235.22[.]213:59240

With Perimeter81 malware protection, chances are high you’ll presumably block malware, including Trojans, ransomware, adware, rootkits, worms, and nil-day exploits. All are incredibly snide and may wreak havoc on your network.

Preserve up to this point on Cybersecurity recordsdata, Whitepapers, and Infographics. Apply us on LinkedIn & Twitter.

Source credit : cybersecuritynews.com

Related Posts