Oracle vulnerability exploited to deliver dual Monero miners

Trend Micro security researchers have spotted an Oracle vulnerability that is being abused to deliver dual Monero miner malware.

The Oracle WebLogic WLS-WSAT vulnerability (CVE-2017-10271) allows remote code execution and was patched by Oracle back in October.

When CVE-2017-10271 is exploited successfully, the attackers deliver two variants of the XMRig Monero cryptocurrency miner (32-bit and 64-bit). If one variant fails to install, the malware attempts to install the other, depending on whether the target system runs 32-bit or 64-bit Windows.

What is also interesting is that this miner also attempts to shut down other types of malware, in an effort to take full advantage of the victim computer’s processing power.

System admins should be aware that miner malware infections can cause systems to run abnormally slowly, since mining any cryptocurrency in significant quantity takes a tremendous amount of computing power.

“Cryptocurrency miners have been on the rise since mid-2017, and users should expect more malware variants that aim to hijack their system resources. Cybercriminals are taking every opportunity and experimenting with new ways to deliver mining malware to users,” Trend Micro warned in the report.

Admins should ensure systems are fully patched to mitigate the threat and carefully monitor systems for any unauthorized software installed. 
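As an added example (not from the Trend Micro report or the article), a small Python triage script that scans WebLogic access-log lines in common log format for POST requests to the WLS-WSAT component, the entry point for CVE-2017-10271, and tallies them by source address. The log lines and addresses are constructed, and the `/wls-wsat/` context root is assumed.

```python
import re
from collections import Counter

# Constructed sample lines in WebLogic's default access.log layout
# (common log format); the addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jan/2018:10:15:02 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1204
198.51.100.3 - - [02/Jan/2018:10:15:05 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 8812
203.0.113.7 - - [02/Jan/2018:10:15:09 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1204
192.0.2.44 - - [02/Jan/2018:10:16:11 +0000] "GET /wls-wsat/ HTTP/1.1" 200 2210
192.0.2.44 - - [02/Jan/2018:10:16:40 +0000] "POST /myapp/api/orders HTTP/1.1" 200 318
"""

# host ident authuser [timestamp] "METHOD path protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed context root of the WLS-WSAT web service component.
WSAT_PREFIX = "/wls-wsat/"


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_wls_wsat_posts(log_text):
    """Return parsed records for POST requests under the WLS-WSAT context root.

    Only POST is flagged: the vulnerable component consumes a posted SOAP body,
    so a plain GET of the context root is not by itself suspicious.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].lower().startswith(WSAT_PREFIX):
            hits.append(rec)
    return hits


def summarize_by_source(hits):
    """Count flagged requests per client address to prioritise follow-up."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    flagged = find_wls_wsat_posts(SAMPLE_LOG)
    for ip, n in summarize_by_source(flagged).most_common():
        print(f"{ip}: {n} POST request(s) to {WSAT_PREFIX}")
```

On an unpatched server a cluster of such POSTs followed by a new high-CPU process is the pattern to investigate; on a patched server the requests still indicate scanning.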
