Cryptocurrency-Mining Campaign Exploits Oracle Server Vulnerability

Oracle WebLogic WLS-WSAT vulnerability CVE-2017-10271, for which a patch was released in October 2017, is currently being exploited to deliver two different cryptocurrency miners: 64-bit and 32-bit variants of the XMRig Monero miner. The malware is delivered to the target system through remote execution of three malicious files: a 32-bit coin miner, a 64-bit coin miner, and a startup file. The malware selects which coin miner file to use based on the Windows OS version and then creates two scheduled tasks on the affected machine. The first scheduled task, named “Oracle Java Update”, executes every 80 minutes and starts the mining process. The second scheduled task executes daily and terminates the first mining task. The NJCCIC recommends reviewing the TrendMicro report for additional information and Indicators of Compromise (IoCs). Additionally, we recommend that all users and administrators of systems using Oracle products review Oracle’s website for the necessary updates.
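Added hunt script, not part of the NJCCIC advisory or the report it cites: it enumerates scheduled tasks on a Windows host and flags any that match the persistence traits described above. The task name “Oracle Java Update” and the 80-minute interval come from the advisory; treating a task whose action references that name as the daily terminator task is an assumption about how the second task works, not something the advisory states.

```powershell
# Added hunt script (not from the advisory): flag scheduled tasks matching the
# traits described above. Name and 80-minute interval are from the advisory;
# the "action references the task name" check is an assumption.
$SuspectName     = 'Oracle Java Update'
$SuspectInterval = [TimeSpan]::FromMinutes(80)

$findings = foreach ($task in Get-ScheduledTask) {
    $reasons = @()

    # Trait 1: task name matches the IoC given in the advisory
    if ($task.TaskName -eq $SuspectName) {
        $reasons += "task name matches advisory IoC '$SuspectName'"
    }

    # Trait 2: any trigger repeating every 80 minutes (ISO 8601 duration, e.g. PT80M)
    foreach ($trigger in $task.Triggers) {
        $interval = $trigger.Repetition.Interval
        if ($interval) {
            $span = [System.Xml.XmlConvert]::ToTimeSpan($interval)
            if ($span -eq $SuspectInterval) {
                $reasons += "repeats every 80 minutes ($interval)"
            }
        }
    }

    # Trait 3 (assumption): an action that references the miner task by name,
    # as a daily task that terminates it might do
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match [regex]::Escape($SuspectName)) {
            $reasons += "action references '$SuspectName' (possible daily terminator task)"
        }
    }

    if ($reasons.Count -gt 0) {
        $info = $task | Get-ScheduledTaskInfo
        [pscustomobject]@{
            TaskPath = $task.TaskPath
            TaskName = $task.TaskName
            State    = $task.State
            LastRun  = $info.LastRunTime
            Actions  = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            Reasons  = $reasons -join '; '
        }
    }
}

if ($findings) { $findings | Format-List } else { 'No tasks matching the described traits.' }
```

Run it in an elevated PowerShell session so that tasks registered by other accounts are visible, and review the Actions column of any hit against the file IoCs in the referenced report before acting on it.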