Oracle Server Vulnerability Exploited to Deliver Double Monero Miner Payloads[trendmicro]

The sudden rise of cryptocurrency triggered a shift in the target landscape. Cybercriminals started adapting and using their resources to try acquiring cryptocurrencies, whether through pursuing repositories like Bitcoin wallets or by compromising networks and devices to mine the currency. This isn’t completely new — ransomware authors have been using bitcoin as their preferred currency for years. But more recently, we saw examples of cryptocurrency miners in late October of 2017 when coin miner mobile malware appeared on popular app stores, and in December 2017 when the Digmine cryptocurrency miner was spreading through social media messaging apps.

Now, CVE-2017-10271, a patched Oracle WebLogic WLS-WSAT vulnerability that allows for remote code execution, is being abused to deliver two different cryptocurrency miners: a 64-bit variant and a 32-bit variant of an XMRig Monero miner. If one version is not compatible with the Windows computer that is infected, then the other will run. Figure 1 shows that the code for the exploit is still being developed. This report analyzes the latest version.

For more, click here.