A Post-exploitation Look at Coinminers Abusing WebLogic Vulnerabilities

We have recently observed malicious actors exploiting both newly disclosed and older Oracle WebLogic Server vulnerabilities to deliver cryptocurrency-mining malware. Oracle WebLogic Server is typically used for developing and deploying high-traffic enterprise applications in cloud environments and on engineered and conventional systems.




MALWARE FAMILY: Kinsing


ATT&CK IDS: T1056 - Input Capture, T1053 - Scheduled Task/Job, T1059 - Command and Scripting Interpreter, T1070 - Indicator Removal on Host, T1190 - Exploit Public-Facing Application, T1222 - File and Directory Permissions Modification, T1496 - Resource Hijacking, T1562 - Impair Defenses

