z0Miner Exploits Korean Web Servers to Attack WebLogic Server

AhnLab SEcurity intelligence Center (ASEC) has found numerous cases of threat actors attacking vulnerable Korean servers. This post introduces one of the recent case in which the threat actor ‘z0Miner’ attacked Korean WebLogic servers.

z0Miner was first introduced by Tencent Security, a Chinese Internet service provider.

https://s.tencent.com/research/report/1170.html (This link is only available in Chinese.)

These threat actors have a history of distributing miners against vulnerable servers (Atlassian Confluence, Apache ActiveMQ, Log4J, etc.), and they were frequently mentioned in the ASEC blog.

Cases of Attacks Targeting Vulnerable Atlassian Confluence Servers

Apache ActiveMQ Vulnerability (CVE-2023-46604) Continuously Being Exploited in Attacks

Additionally, this threat actor is well-known for using CVE-2020-14882 and CVE-2020-14883 vulnerabilities to attack WebLogic servers.

On January 26, 2024, AhnLab found cases in which ‘z0Miner threat actors’ distributed malware to Korean WebLogic server system. The threat actor’s method to download malicious files differed by the OS system. They used powershell.exe and certutil.exe against Windows, and used the curl command against Linux.

The cases found this time are vastly different from cases found overseas.

1. Exploitation of Korean Web Servers

As shown in the figure below, the threat actors dominated the normal web servers and used them as download servers to distribute malware such as miner, network tools, and scripts needed for attacks. Below are the Korean servers exploited by the attacker.

Figure 1. Korean web servers exploited by the attacker

As these exploited servers have their server information exposed (Apache-Coyote/1.1), it was possible to specify the exact versions. As for these poorly managed servers, Tomcat’s detailed version (Apache Tomcat/5.0.28) was also found.

Figure 2. The web servers’ response header (Apache-Coyote/1.1)

2. Attacks Against Windows

2.1. WebShell

The threat actor used WebLogic vulnerabilities such as CVE-2020-14882 to upload JSP WebShell. When WebShell is installed in a system, it can maintain persistence and control the system. Additionally, the threat actor used three WebShells: JSP File Browser, Shack2, and Behinder. They are likely using multiple types to upload a WebShell which is not detected by anti-malware products.

Figure 3. Upload logs of WebShell (Source: Ahnlab Smart Defense (ASD) service)

1) JSP FILE BROWSER (ZUBIN WEBSHELL)

Figure 4. WebShell used by the threat actor (1)

The threat actor used the customized JSP File Browser v1.2 WebShell. The WebShell’s title is “Zubin – Welcome”, password is set to “zubin@666″, and the author’s name is set to the name of the person who customized it. Aside from such partial differences, the WebShell is largely indifferent from previous WebShells.

Figure 5. Customized WebShell (Zubin)

• private String _password = “zubin@666”;

2) SHACK2

The WebShell is developed by Shack2, and the similar code can be found in Github. The version that the threat actors used is “V1.0-20141106″. ‘IronNet’, a foreign security provider, previously found a case where said WebShell was found in a distribution of z0Miner.

https://www.ironnet.com/blog/continued-exploitation-of-cve-2021-26084

Figure 6. WebShell used by the threat actor (2)

As IronNet stated, interesting information is that only 3 out of 9 features are implemented in the WebShell. Available features are printing computer information such as OS info, using file manager, and running command.

Figure 7. 3 features of Shack2 WebShell

3) BEHINDER

Figure 8. WebShell used by the threat actor (3)

This WebShell is a well-known WebShell that has been frequently used since the past like GodZilla, China Chopper. The threat actor used a WebShell identical to that in the Github Source.

2.2. Fast Reverse Proxy (FRP)

The threat actor used a proxy tool for Remote Desktop Protocol (RDP) communication. The tool used is Fast Reverse Proxy (FRP), and it was introduced multiple times previously in ASEC blog.

• Attackers Using FRP (Fast Reverse Proxy) to Attack Korean Companies
• Dalbit (m00nlight): Chinese Hacker Group’s APT Attack Campaign

The z0Miner threat actor used both the default Frpc and the customized version. The default Frpc loads a settings file in the *.INI form, reads it, and attempts connection, but the customized Frpc can be run without needing to use an individual file because it has configuration data inside the program. The method of customizing and distributing Frpc was found in other threat group cases as well.

• BlueShell Used in APT Attacks Against Korean and Thai Targets

Figure 9. Frpc (svcho.exe) download logs

The following images show FRP servers and ports of threat actor that the ASEC team procured.

Figure 10. Frpc configuration data

z0Miner threat actors’ Frpc server & port

2.3. Netcat

Netcat is a utility tool that can read and write data upon network connection, and it was found in many breach cases in the past. Threat actor often use this tool because it provides remote shell feature which allows them to bypass the firewall and get control over the attack target’s system.

This threat actor downloaded Netcat as userinit.exe and executed it as shown in the figure below.

Figure 11. Reverse Shell command logs of Netcat

The command is the Reverse Shell command that tells the malware to establish a connection with the given IP and port and upon connection, run the command prompt. Afterward, the threat actor can control the system via command prompts.

z0Miner threat actors’ Netcat Server & Port

2.4. AnyDesk

In the case of the Apache ActiveMQ vulnerability (CVE-2023-46604), the threat actor installed Netcat and additionally installed AnyDesk.

• Apache ActiveMQ Vulnerability (CVE-2023-46604) Continuously Being Exploited in Attacks

The threat actor used the download server (the compromised web server) to load the Powershell script, accessed the official website, and downloaded AnyDesk.

Figure 12. Logs for the installation of AnyDesk through Powershell (wshell.exe)

Figure 13. The AnyDesk-installing Powershell code found in a past case

2.5. Miner (XMRig)

The versions of XMRig the threat actor is distributing are different per OS: 6.18.0 for Windows and 6.18.1 for Linux.

Figure 14. XMRig’s version (6.18.0 for Windows)

To maintain persistence, the threat actor registered WMI’s Event Filter and Consumer or Task Scheduler (schtasks) to read a Powershell script from a certain address of pastebin.com and execute it. The Powershell script, however, did not exist at the time of analysis.

Figure 15. WMI’s Event Filter and Consumer for persistence

Afterward, the malware begins mining as ‘javae.exe.’

Figure 16. The Powershell code that downloads the miner

3. Monero Wallet & Mining Pool Address

The following is the config.json that the threat actor uses.

Figure 17. The threat actor’s config.json (wallet address and full address)

z0Miner threat actor’s Monero Wallet & Mining Pool Address

5. Conclusion

Threat actors are continuously attacking WebLogic servers that are vulnerable as they are not patched. As threat actors can steal information and install ransomware by taking control over the infected systems, users must check ports and servers that are not being managed properly. Furthermore, system administrators must check whether the WebLogic services are updated to the latest version, and if not, apply the latest patch to prevent attacks via known vulnerabilities.

User must update V3 to the latest version to block malware infection in advance.

File Detection
– HackTool/Win.Netcat (2022.10.18.03)
– Win-Trojan/Miner3.Exp (2022.06.24.02)
– Downloader/Shell.Miner.SC197168 (2024.02.27.01)
– Data/JSON.Miner (2024.02.27.01)
– Data/JSON.Miner (2024.02.27.01)
– Trojan/PowerShell.Miner (2024.02.27.01)
– Trojan/Script.z0Miner.SC197169 (2024.02.27.01)
– Trojan/Win.FRP (2024.02.27.01)
– Trojan/Shell.Miner.SC197170 (2024.02.27.01)
– Trojan/Shell.Miner.SC197171 (2024.02.27.01)
– Trojan/Shell.Agent.SC197172 (2024.02.27.01)
– Downloader/Shell.Miner.SC197173 (2024.02.27.01)
– WebShell/JSP.Generic.S1866 (2024.02.27.00)
– Linux/CoinMiner.Gen2 (2022.11.24.02)
– WebShell/JSP.FileBrowser.SC197174 (2024.02.27.01)
– WebShell/JSP.Generic.S1957 (2024.02.27.00)
– Trojan/Shell.Agent.SC197175 (2024.02.27.03)
– Downloader/PowerShell.Miner (2024.02.27.03)
– CoinMiner/Shell.Generic.S2078 (2024.02.27.00)
– Downloader/PowerShell.Miner.SC197176 (2024.02.27.01)

IoC
MD5
– 523613a7b9dfa398cbd5ebd2dd0f4f38 : userinit.exe(Netcat)
– 2a0d26b8b02bb2d17994d2a9a38d61db : x.rar(XMRig, exe)
– 4cd78b6cc1e3d3dde3e47852056f78ad : al.txt
– 085c68576c60ca0361b9778268b0b3b9 : (config.json)
– b6aaced82b7c663a5922ce298831885a : (config.json)
– 7b2793902d106ba11d3369dff5799aa5 : cpu.ps1
– ad33f965d406c8f328bd71aff654ec4c : frpc.ini
– 7e5cc9d086c93fa1af1d3453b3c6946e : svcho.exe(frpc)
– e60d8a3f2190d78e94c7b952b72916ac : frp5.exe
– 8434de0c058abb27c928a10b3ab79ff8 : l.txt
– 90b74cdc4b7763c6b25fdcd27f26377f : l.txt
– 83e163afd5993320882452453c214932 : lcpu.txt
– a0766ad196626f28919c904d2ced6c85 : ll.txt
– 903fce58cb4bfc39786c77fe0b5d9486 : pan.rar(Shack2 WebShell)
– c2fb307aee872df475a7345d641d72da : s.rar(XMRig, ELF)
– 88d49dad824344b8d6103c96b4f81d19 : session.rar(Zubin WebShell)
– efc2a705c858ed08a76d20a8f5a11b1b : shell.rar(Behinder WebShell)
– 98e167e7c2999cbea30cc9342e944a4c : solr.sh
– 575575f5b6f9c4f7149ed6d86fb16c0f : st.ps1
– 547c02a9b01194a0fcbfef79aaa52e38 : st2.txt
– fd0fe2a3d154c412be6932e75a9a5ca1 : stt.txt

C&C URL
(Korean web servers exploited and used as download servers are shown only on TIP.)
– 107.180.100[.]247:88
– 15.235.22[.]212:5690
– 15.235.22[.]213:59240

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.