Rewterz Threat Advisory – A New RAT Exploiting an Old Oracle WebLogic Server Vulnerability

Severity

High

Analysis Summary

A new Golang-written RAT is found targeting devices by using the CVE-2019-2725 (Oracle WebLogic RCE) vulnerability identified last year. Unlike other bots that have exploited this vulnerability, it doesn’t try to install a cryptominer or deploy other malware. This vulnerability was reported to have been a top exploited vulnerability in the wild. 

CVE-2019-2725

A deserialization vulnerability in Oracle WebLogic Server. This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. Cyber criminals have exploited this to deliver the Sodinokibi and Satan ransomware as well as to install Monero Cryptomining malware. It’s a new malware still in development, and it could go in any direction. The infection payload uses the CVE, giving the attacker access. This particular version was designed to work on Linux and on x86 architecture, but the fact that the RAT is developed in Golang lets the attacker easily compile versions for other operating systems and architectures. The campaign involves downloading the RAT, initializing it and making sure it stays operational. After the infection, the RAT monitors for version changes by interrogating a URL of on the hosting server (`l/sodd/ver‘). The RAT connects to the C2, sending a check-in message containing fingerprinting information for the system, then listens for commands. The data sent back to the operators includes the hardware of the devices, the OS and the IP. Communication with the C2 is encrypted using a simple XOR cipher with key 0x86.

Impact

• Unauthorized Remote Access
• Data Exfiltration

Indicators of Compromise

Hostname

• log[.]conf1g[.]com
• box[.]conf1g[.]com

MD5

• 48f0de466c907cfb202f006bb0ff0d0b
• e5cc6c2f8cda8356b93a3b96e9ea833e
• d7c4c5756a27a301f0da2ef3b5814420
• 69fbdbabb32747158b215089485dd2a2

SHA-256

• 371ce879928eb3f35f77bcb8841e90c5e0257638b67989dc3d025823389b3f79
• 59fa110c24920aacbf668baacadce7154265c2a3dca01d968f21b568bda2130b
• f12f6354e562a85127c69f4948a0324c43fda5fc3699dc703cc5bb1afc05f947
• e0d1a482b4df92def48cf714584fa417ce914b50ee28cc595bbf89bad76429d1

SHA1

• fc594723788c545fae34031ab6abe1e0a727add4
• add4db43896f65d096631bd68aa0d1889a5ff012
• 5b2275e439f1ffe5d321f0275711a7480ec2ac90
• e457b6f24ea5d3f2b5242074f806ecffad9ab207

Source IP

• 185[.]234[.]218[.]247
• 185[.]128[.]41[.]90

URL

• http[:]//box[.]conf1g[.]com/l/sodd/Security[.]Guard
• http[:]//box[.]conf1g[.]com/l/sodd/ver
• http[:]//log[.]conf1g[.]com[:]53
• http[:]//box[.]conf1g[.]com/l/sodd/Security[.]Script

Remediation

• Block the threat indicators at their respective controls.
• Immediately patch all unpatched products affected by this vulnerability.
• Keep all systems and software updated to latest patched versions.