AhnLab SEcurity intelligence Center (ASEC) has found numerous cases of threat actors attacking vulnerable Korean servers. This post introduces one of the recent cases, in which the threat actor ‘z0Miner’ attacked Korean WebLogic servers.
z0Miner was first introduced by Tencent Security, a Chinese Internet service provider.
https://s.tencent.com/research/report/1170.html (This link is only available in Chinese.)
These threat actors have a history of distributing miners to vulnerable servers (Atlassian Confluence, Apache ActiveMQ, Log4J, etc.), and they have been mentioned frequently on the ASEC blog.
Cases of Attacks Targeting Vulnerable Atlassian Confluence Servers
Apache ActiveMQ Vulnerability (CVE-2023-46604) Continuously Being Exploited in Attacks
Additionally, this threat actor is well-known for using CVE-2020-14882 and CVE-2020-14883 vulnerabilities to attack WebLogic servers.
On January 26, 2024, AhnLab found cases in which the ‘z0Miner threat actors’ distributed malware to Korean WebLogic server systems. The method the threat actor used to download malicious files differed by OS: powershell.exe and certutil.exe on Windows, and the curl command on Linux.
The cases found this time are vastly different from cases found overseas.
1) The threat actors compromised vulnerable Korean web servers and used them as download servers.
2) Evidence was found of the use of network tools such as FRP, NetCat, and AnyDesk.
1. Exploitation of Korean Web Servers
As shown in the figure below, the threat actors compromised legitimate web servers and used them as download servers to distribute the miner, network tools, and scripts needed for the attacks. Below are the Korean servers exploited by the attacker.
Because these exploited servers expose their server information (Apache-Coyote/1.1), it was possible to identify the exact versions. On these poorly managed servers, the detailed Tomcat version (Apache Tomcat/5.0.28) was also exposed.
2. Attacks Against Windows
2.1. WebShell
The threat actor used WebLogic vulnerabilities such as CVE-2020-14882 to upload JSP WebShells. Once a WebShell is installed on a system, the attacker can maintain persistence and control the system. The threat actor used three WebShells: JSP File Browser, Shack2, and Behinder. They are likely using multiple types so that at least one WebShell evades detection by anti-malware products.
1) JSP FILE BROWSER (ZUBIN WEBSHELL)
The threat actor used a customized JSP File Browser v1.2 WebShell. The WebShell’s title is “Zubin – Welcome”, the password is set to “zubin@666”, and the author’s name is set to the name of the person who customized it. Aside from these minor differences, the WebShell is largely identical to previously seen versions.
- private String _password = "zubin@666";
2) SHACK2
This WebShell was developed by Shack2, and similar code can be found on GitHub. The version the threat actors used is “V1.0-20141106”. ‘IronNet’, a foreign security provider, previously reported a case in which this WebShell was found in a z0Miner distribution.
https://www.ironnet.com/blog/continued-exploitation-of-cve-2021-26084
As IronNet noted, an interesting detail is that only 3 of the 9 features are implemented in this WebShell. The available features are printing computer information such as OS details, a file manager, and command execution.
3) BEHINDER
Behinder is a well-known WebShell that, like Godzilla and China Chopper, has been in frequent use for a long time. The threat actor used a WebShell identical to the GitHub source.
2.2. Fast Reverse Proxy (FRP)
The threat actor used a proxy tool for Remote Desktop Protocol (RDP) communication. The tool used is Fast Reverse Proxy (FRP), which has been covered several times before on the ASEC blog.
The z0Miner threat actor used both the default Frpc and a customized version. The default Frpc loads a settings file in *.INI form, reads it, and attempts a connection; the customized Frpc can run without a separate file because the configuration data is embedded inside the program. Customizing and distributing Frpc in this way has been observed in other threat group cases as well.
The following images show the FRP servers and ports of the threat actor that the ASEC team identified.
- 15.235.22[.]212:5690
- 15.235.22[.]213:59240
z0Miner threat actors’ Frpc server & port
2.3. Netcat
Netcat is a utility that can read and write data over a network connection, and it has been found in many breach cases in the past. Threat actors often use this tool because its remote shell feature allows them to bypass the firewall and gain control over the target system.
This threat actor downloaded Netcat as userinit.exe and executed it as shown in the figure below.
The command is a reverse shell command: it tells the program to establish a connection to the given IP and port and, once connected, run the command prompt. Afterward, the threat actor can control the system through that command prompt.
- 107.180.100[.]247:88
z0Miner threat actors’ Netcat Server & Port
2.4. AnyDesk
As in the Apache ActiveMQ vulnerability (CVE-2023-46604) case, the threat actor installed Netcat and additionally installed AnyDesk.
The threat actor used the download server (the compromised web server) to load a PowerShell script, which accessed the official website and downloaded AnyDesk.
2.5. Miner (XMRig)
The versions of XMRig the threat actor is distributing are different per OS: 6.18.0 for Windows and 6.18.1 for Linux.
To maintain persistence, the threat actor registered a WMI Event Filter and Consumer, or a Task Scheduler (schtasks) task, to read a PowerShell script from a certain address on pastebin.com and execute it. The PowerShell script, however, no longer existed at the time of analysis.
Afterward, the malware begins mining as ‘javae.exe.’
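A defender-side hunt for the persistence mechanism described above, added here as an example that is not part of the ASEC post; the function name and the `$Pattern` parameter are assumptions, and the script must run with administrative rights to read the WMI subscription namespace.

```powershell
# Added hunting script (not from the ASEC post): lists WMI permanent event
# subscriptions and scheduled tasks whose command line launches PowerShell
# with a reference to pastebin.com, the persistence pattern described above.
# $Pattern is an assumed parameter; widen it to other paste sites as needed.
function Find-RemoteScriptPersistence {
    param([string]$Pattern = 'pastebin\.com')
    $findings = @()

    # 1) WMI subscriptions: CommandLineEventConsumer holds the command to run,
    #    __FilterToConsumerBinding links it to the triggering __EventFilter.
    $ns = 'root/subscription'
    $consumers = Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue
    foreach ($c in $consumers) {
        $cmd = "$($c.ExecutablePath) $($c.CommandLineTemplate)"
        if ($cmd -match 'powershell' -and $cmd -match $Pattern) {
            $filters = $bindings | Where-Object { $_.Consumer.Name -eq $c.Name } |
                       ForEach-Object { $_.Filter.Name }
            $findings += [pscustomobject]@{
                Source  = 'WMI'
                Name    = $c.Name
                Trigger = ($filters -join ';')
                Command = $cmd
            }
        }
    }

    # 2) Task Scheduler: check every action's executable and arguments.
    foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($a in $t.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match 'powershell' -and $cmd -match $Pattern) {
                $findings += [pscustomobject]@{
                    Source  = 'schtasks'
                    Name    = "$($t.TaskPath)$($t.TaskName)"
                    Trigger = (($t.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ';')
                    Command = $cmd
                }
            }
        }
    }
    return $findings
}

# An empty result means no matching WMI consumer or task was found.
Find-RemoteScriptPersistence | Format-Table -AutoSize
```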
3. Monero Wallet & Mining Pool Address
The following is the config.json that the threat actor uses.
Mining Pool:
- pool.supportxmr[.]com:443
- pool.supportxmr[.]com:80
Monero Wallet:
- 44VkCrG7DkmYCcrNQcBb1QfZ66si2xWqy7HuzgyWLXKy8x3pkzKWxs8TptTNjCS1b2Abm89MuXD1tg81KeRgfP2u3z6f2kP
- 47y69G6VzipF8ydhXxzRF69e8ys3XrDFjD5SqSM1T8yJGdfHqtRmMA9eQpq8vnWBibhmb35xLAyVpen53hfidLwHDP3NbAm
z0Miner threat actor’s Monero Wallet & Mining Pool Address
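The following script checks XMRig-style config.json files for the pool hosts and wallet addresses listed above; it is an added example, not code from the ASEC post. The function name, the `pools[].url` / `pools[].user` layout of XMRig's config, and the sample config are assumptions or constructed for illustration.

```powershell
# Added example (not from the ASEC post): parses XMRig-style config.json text
# and reports pool entries that match the z0Miner indicators quoted above.
$KnownPools   = @('pool.supportxmr.com')
$KnownWallets = @(
    '44VkCrG7DkmYCcrNQcBb1QfZ66si2xWqy7HuzgyWLXKy8x3pkzKWxs8TptTNjCS1b2Abm89MuXD1tg81KeRgfP2u3z6f2kP',
    '47y69G6VzipF8ydhXxzRF69e8ys3XrDFjD5SqSM1T8yJGdfHqtRmMA9eQpq8vnWBibhmb35xLAyVpen53hfidLwHDP3NbAm'
)

function Test-XmrigConfig {
    param([Parameter(Mandatory)][string]$JsonText)
    try { $cfg = $JsonText | ConvertFrom-Json } catch { return $null }   # not JSON
    if (-not $cfg.pools) { return $null }                                # not an XMRig-style config
    $hits = @()
    foreach ($p in $cfg.pools) {
        # Strip scheme and port so "stratum+tcp://host:443" and "host:80" both match.
        $hostName  = ($p.url -replace '^\w+(\+\w+)?://', '') -replace ':\d+$', ''
        $poolHit   = $KnownPools -contains $hostName
        $walletHit = $KnownWallets -contains $p.user
        if ($poolHit -or $walletHit) {
            $hits += [pscustomobject]@{
                Url = $p.url; Wallet = $p.user; PoolMatch = $poolHit; WalletMatch = $walletHit
            }
        }
    }
    return $hits
}

# Constructed sample mirroring the pool/wallet pairing described in the post.
$sample = @'
{ "autosave": true,
  "pools": [
    { "url": "pool.supportxmr.com:443", "user": "44VkCrG7DkmYCcrNQcBb1QfZ66si2xWqy7HuzgyWLXKy8x3pkzKWxs8TptTNjCS1b2Abm89MuXD1tg81KeRgfP2u3z6f2kP", "pass": "x", "tls": true },
    { "url": "pool.supportxmr.com:80",  "user": "47y69G6VzipF8ydhXxzRF69e8ys3XrDFjD5SqSM1T8yJGdfHqtRmMA9eQpq8vnWBibhmb35xLAyVpen53hfidLwHDP3NbAm", "pass": "x" }
  ] }
'@
Test-XmrigConfig -JsonText $sample | Format-Table -AutoSize

# Sweep a directory tree (assumed path) for dropped config.json files.
Get-ChildItem -Path 'C:\' -Filter 'config.json' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $r = Test-XmrigConfig -JsonText (Get-Content $_.FullName -Raw)
        if ($r) { Write-Output $_.FullName; $r | Format-Table -AutoSize }
    }
```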
5. Conclusion
Threat actors continuously attack WebLogic servers that remain vulnerable because they are not patched. Since threat actors can steal information and install ransomware after taking control of infected systems, users must check for ports and servers that are not being managed properly. Furthermore, system administrators must check whether their WebLogic services are updated to the latest version and, if not, apply the latest patch to prevent attacks via known vulnerabilities.
Users must update V3 to the latest version to block malware infections in advance.
File Detection
– HackTool/Win.Netcat (2022.10.18.03)
– Win-Trojan/Miner3.Exp (2022.06.24.02)
– Downloader/Shell.Miner.SC197168 (2024.02.27.01)
– Data/JSON.Miner (2024.02.27.01)
– Data/JSON.Miner (2024.02.27.01)
– Trojan/PowerShell.Miner (2024.02.27.01)
– Trojan/Script.z0Miner.SC197169 (2024.02.27.01)
– Trojan/Win.FRP (2024.02.27.01)
– Trojan/Shell.Miner.SC197170 (2024.02.27.01)
– Trojan/Shell.Miner.SC197171 (2024.02.27.01)
– Trojan/Shell.Agent.SC197172 (2024.02.27.01)
– Downloader/Shell.Miner.SC197173 (2024.02.27.01)
– WebShell/JSP.Generic.S1866 (2024.02.27.00)
– Linux/CoinMiner.Gen2 (2022.11.24.02)
– WebShell/JSP.FileBrowser.SC197174 (2024.02.27.01)
– WebShell/JSP.Generic.S1957 (2024.02.27.00)
– Trojan/Shell.Agent.SC197175 (2024.02.27.03)
– Downloader/PowerShell.Miner (2024.02.27.03)
– CoinMiner/Shell.Generic.S2078 (2024.02.27.00)
– Downloader/PowerShell.Miner.SC197176 (2024.02.27.01)
IoC
C&C URL
(Korean web servers exploited and used as download servers are shown only on TIP.)
– 107.180.100[.]247:88
– 15.235.22[.]212:5690
– 15.235.22[.]213:59240
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.