GhostMiner Fileless Malware Targets WebLogic Servers

Oracle WebLogic WLS-WSAT vulnerability CVE-2017-10271 is currently being exploited to deliver a fileless cryptocurrency miner to vulnerable servers. Security researchers with Minerva Labs detected the malware, dubbed GhostMiner, which uses two PowerShell scripts to infect victims with a variant of the XMRig Monero miner. Once executed, GhostMiner will terminate any other cryptocurrency miners detected on the same host. At the time of writing, GhostMiner has reportedly generated 1.03 Monero, the equivalent of approximately $200 USD. The NJCCIC recommends reviewing the Minerva report for additional information and Indicators of Compromise (IoCs). Additionally, we recommend all users and administrators of systems using Oracle products review their website for any necessary updates. For additional information about fileless intrusions, please review the NJCCIC Threat Analysis product titled Fileless: Evasive Intrusion Tactics Pose Challenge for Network Defense.