Rewterz Threat Advisory – A New RAT Exploiting an Old Oracle WebLogic Server Vulnerability

October 14, 2020

Severity

High

Analysis Summary

A new Golang-written RAT has been found targeting devices by exploiting CVE-2019-2725 (Oracle WebLogic RCE), a vulnerability identified last year. Unlike other bots that have exploited this vulnerability, it does not try to install a cryptominer or deploy other malware. This vulnerability was reported to have been one of the top exploited vulnerabilities in the wild.

CVE-2019-2725

A deserialization vulnerability in Oracle WebLogic Server. This remote code execution vulnerability is exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. Cyber criminals have exploited it to deliver the Sodinokibi and Satan ransomware as well as to install Monero cryptomining malware.

The RAT itself is new malware still in development, and it could go in any direction. The infection payload uses the CVE to give the attacker access. This particular version was designed to work on Linux on the x86 architecture, but because the RAT is developed in Golang the attacker can easily compile versions for other operating systems and architectures. The campaign involves downloading the RAT, initializing it and making sure it stays operational. After infection, the RAT monitors for version changes by polling a URL on the hosting server (`l/sodd/ver`). The RAT connects to the C2, sends a check-in message containing fingerprinting information for the system, then listens for commands. The data sent back to the operators includes the hardware of the device, the OS and the IP. Communication with the C2 is encrypted using a simple XOR cipher with key 0x86.
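The advisory states that C2 traffic is obfuscated with a single-byte XOR key of 0x86. The following is an added example (not code from the advisory or from the malware) showing how an analyst can de-obfuscate a captured session blob with that key and apply a printable-text heuristic to confirm the key worked. The check-in message format and field names below are constructed for illustration; the page does not document the RAT's real wire format.

```python
# Added example (not from the Rewterz advisory): de-obfuscating traffic that is
# XOR-encoded with the single-byte key 0x86, for analysts inspecting a captured
# C2 session. The sample check-in payload is constructed for illustration.
import string

KEY = 0x86  # single-byte XOR key stated in the advisory


def xor_transform(data: bytes, key: int = KEY) -> bytes:
    """XOR every byte with the key. XOR is its own inverse, so the same
    function both obfuscates and de-obfuscates."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; a cheap 'did the key
    work?' heuristic when triaging captured traffic."""
    if not data:
        return 0.0
    printable = set(string.printable.encode())
    return sum(1 for b in data if b in printable) / len(data)


def recover_checkin(captured: bytes, key: int = KEY) -> tuple[bytes, bool]:
    """Apply the key to a captured blob and report whether the result looks
    like text (True) or like noise, i.e. the wrong key (False)."""
    plain = xor_transform(captured, key)
    return plain, printable_ratio(plain) > 0.95


# Constructed sample (hypothetical field names): a check-in line carrying the
# kinds of fingerprint data the advisory lists (hardware, OS, IP). Not a real capture.
SAMPLE_PLAINTEXT = b"hw=x86_64;os=linux;ip=10.0.0.25;ver=1"
SAMPLE_CAPTURE = xor_transform(SAMPLE_PLAINTEXT)  # what a sensor would see on the wire

if __name__ == "__main__":
    plain, is_text = recover_checkin(SAMPLE_CAPTURE)
    print("on the wire:", SAMPLE_CAPTURE.hex())
    print("decoded:", plain.decode(), "| looks like text:", is_text)
```

Because every plaintext byte is below 0x80 and the key has its high bit set, the obfuscated bytes all land in the non-printable range; that is why the printable-ratio check separates a correct key from a wrong one so cleanly for this particular sample.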

Impact

  • Unauthorized Remote Access
  • Data Exfiltration

Indicators of Compromise

Hostname

  • log[.]conf1g[.]com
  • box[.]conf1g[.]com

MD5

  • 48f0de466c907cfb202f006bb0ff0d0b
  • e5cc6c2f8cda8356b93a3b96e9ea833e
  • d7c4c5756a27a301f0da2ef3b5814420
  • 69fbdbabb32747158b215089485dd2a2

SHA-256

  • 371ce879928eb3f35f77bcb8841e90c5e0257638b67989dc3d025823389b3f79
  • 59fa110c24920aacbf668baacadce7154265c2a3dca01d968f21b568bda2130b
  • f12f6354e562a85127c69f4948a0324c43fda5fc3699dc703cc5bb1afc05f947
  • e0d1a482b4df92def48cf714584fa417ce914b50ee28cc595bbf89bad76429d1

SHA1

  • fc594723788c545fae34031ab6abe1e0a727add4
  • add4db43896f65d096631bd68aa0d1889a5ff012
  • 5b2275e439f1ffe5d321f0275711a7480ec2ac90
  • e457b6f24ea5d3f2b5242074f806ecffad9ab207

Source IP

  • 185[.]234[.]218[.]247
  • 185[.]128[.]41[.]90

URL

  • http[:]//box[.]conf1g[.]com/l/sodd/Security[.]Guard
  • http[:]//box[.]conf1g[.]com/l/sodd/ver
  • http[:]//log[.]conf1g[.]com[:]53
  • http[:]//box[.]conf1g[.]com/l/sodd/Security[.]Script

Remediation

  • Block the threat indicators at their respective controls.
  • Immediately patch all unpatched products affected by this vulnerability.
  • Keep all systems and software updated to latest patched versions.
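To act on the first remediation item, the defanged indicators above have to be refanged and matched against DNS, proxy and endpoint logs. The following is an added example (not code from the advisory) that does exactly that: it refangs the hostnames, IPs and URLs from the list, normalizes the hashes, and scans a handful of constructed log lines. The log lines and their format are invented for illustration; the indicator values are the page's.

```python
# Added example (not from the Rewterz advisory): refang the advisory's defanged
# indicators and match them against constructed log lines.
import re

# Indicators exactly as listed in the advisory (defanged).
DEFANGED_HOSTS = ["log[.]conf1g[.]com", "box[.]conf1g[.]com"]
DEFANGED_IPS = ["185[.]234[.]218[.]247", "185[.]128[.]41[.]90"]
DEFANGED_URLS = [
    "http[:]//box[.]conf1g[.]com/l/sodd/Security[.]Guard",
    "http[:]//box[.]conf1g[.]com/l/sodd/ver",
    "http[:]//log[.]conf1g[.]com[:]53",
    "http[:]//box[.]conf1g[.]com/l/sodd/Security[.]Script",
]
HASHES = {
    # MD5
    "48f0de466c907cfb202f006bb0ff0d0b", "e5cc6c2f8cda8356b93a3b96e9ea833e",
    "d7c4c5756a27a301f0da2ef3b5814420", "69fbdbabb32747158b215089485dd2a2",
    # SHA-1
    "fc594723788c545fae34031ab6abe1e0a727add4", "add4db43896f65d096631bd68aa0d1889a5ff012",
    "5b2275e439f1ffe5d321f0275711a7480ec2ac90", "e457b6f24ea5d3f2b5242074f806ecffad9ab207",
    # SHA-256
    "371ce879928eb3f35f77bcb8841e90c5e0257638b67989dc3d025823389b3f79",
    "59fa110c24920aacbf668baacadce7154265c2a3dca01d968f21b568bda2130b",
    "f12f6354e562a85127c69f4948a0324c43fda5fc3699dc703cc5bb1afc05f947",
    "e0d1a482b4df92def48cf714584fa417ce914b50ee28cc595bbf89bad76429d1",
}


def refang(ioc: str) -> str:
    """Undo the common defanging conventions so the value matches raw log text."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


HOSTS = {refang(h) for h in DEFANGED_HOSTS}
IPS = {refang(i) for i in DEFANGED_IPS}
URLS = {refang(u) for u in DEFANGED_URLS}

# Token extractors; a token is only reported if it is in the indicator sets.
HEX_RE = re.compile(r"\b[0-9a-fA-F]{32}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{64}\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9.-]+\.[a-z]{2,}\b", re.I)


def scan_line(line: str) -> list[tuple[str, str]]:
    """Return (kind, value) pairs for every advisory indicator found in one log line."""
    hits = []
    for h in HEX_RE.findall(line):
        if h.lower() in HASHES:
            hits.append(("hash", h.lower()))
    for ip in IP_RE.findall(line):
        if ip in IPS:
            hits.append(("ip", ip))
    for host in HOST_RE.findall(line):
        if host.lower() in HOSTS:
            hits.append(("hostname", host.lower()))
    for url in URLS:
        if url in line:
            hits.append(("url", url))
    return hits


def scan_lines(lines: list[str]) -> list[tuple[int, str, str]]:
    """Scan many lines; each hit is (line index, kind, value)."""
    return [(i, kind, value) for i, line in enumerate(lines) for kind, value in scan_line(line)]


# Constructed sample logs (DNS, proxy, EDR); formats and internal hosts are invented.
SAMPLE_LOGS = [
    "2020-10-14T10:02:11Z dns client=10.0.0.25 query=box.conf1g.com type=A",
    "2020-10-14T10:02:12Z proxy client=10.0.0.25 dst=185.234.218.247:80 url=http://box.conf1g.com/l/sodd/ver",
    "2020-10-14T10:05:00Z edr host=web01 file=/tmp/Security.Guard sha256=371ce879928eb3f35f77bcb8841e90c5e0257638b67989dc3d025823389b3f79",
    "2020-10-14T10:06:00Z dns client=10.0.0.30 query=updates.example.com type=A",
]

if __name__ == "__main__":
    for idx, kind, value in scan_lines(SAMPLE_LOGS):
        print(f"line {idx}: {kind} {value}")
```

The hash regex relies on `\b` so that a 32-character run embedded inside a 64-character SHA-256 is not reported as a spurious MD5; the hostname and IP extractors match liberally but only report values that are in the advisory's sets, so internal addresses such as the constructed `10.0.0.25` never produce a hit.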
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.