Businesses urged to patch Oracle WebLogic flaw

Cyber criminals are exploiting a vulnerability in unpatched versions of Oracle’s Fusion Middleware to deliver two versions of cryptomining software, security researchers have warned.

As the value of cryptocurrencies has risen, cryptojacking or illicit cryptocurrency mining has become mainstream, potentially surpassing all other cyber crime, according to a recent report.

Once the legitimate software is installed on a target system, that system’s computing resources are hijacked to carry out the complex mathematical calculation that create cryptocurrency, which is then channelled to cryptocurrency wallets controlled by the cyber criminals.

In January 2018, researchers from Morphus Labs reported that cyber criminals were exploiting the Oracle WebLogic flaw (CVE-2017-10271) to mine Monero crypto currency using the XMRig software, despite the fact that Oracle released a security patch for the flaw in October 2017.

Now, researchers from Trend Micro report that the same flaw is being exploited to deliver a 32-bit and a 64-bit version of the XMRig Monero miner to maximise their chances of success.

“Our analysis of the latest payload shows that the architecture of Windows OS plays a part in deciding which coin miner will run,” Trend Micro researchers said in a blog post. “The first Monero miner is a 64-bit variant which will execute on a corresponding 64-bit Windows device. But, if the device is running a 32-bit Windows version, the second coin miner will run instead.”

The researchers note that cryptocurrency mining malware tries to infect as many devices as possible, as it takes an extraordinary amount of computing power to substantially mine any cryptocurrency.

“With two payload systems, both of which are capable of starting automatically and daily, the malware developers of this particular exploit have more chances to infect machines and use them for cryptomining,” the researchers said.

Detected by Trend Micro as Coinminer_MALXMR.JL-PS, the exploit or malware used in this campaign hides some of its installation processes by using the legitimate Microsoft Powershell tool and aims to make the most of the machine it has infected by shutting down other malware.

The exploit specifically targets competitors by terminating spoosvc.exe and deleting the scheduled task “Spooler SubSystem Service”, which is a known behaviour of another cryptocurrency miner detected as TROJ_DLOADR.AUSUHI, the researchers found.

Although the cryptomining activity can make the target system run slower than usual because it is using the system’s central processing unit (CPU) and/or the machine’s graphical processing unit (GPU) resources, the researchers said this may go unnoticed or attributed to other factors.

The researchers warn that businesses should expect more malware variants that aim to hijack their system resources. “Cyber criminals are taking every opportunity and experimenting with new ways to deliver mining malware to users,” they said.

As illustrated by this campaign, regularly patching and updating software are key to mitigating the impact of cryptocurrency malware and other threats that exploit system vulnerabilities.

“IT/system administrators and information security professionals can also consider application whitelisting or similar security mechanisms that prevent suspicious executables from running or installing,” the researchers said.

They also recommend proactively monitoring network traffic helps better identify red flags that may indicate malware infection.