A new Golang-written RAT has been found targeting devices by exploiting CVE-2019-2725 (Oracle WebLogic RCE), a vulnerability identified last year. Unlike other bots that have exploited this vulnerability, it does not try to install a cryptominer or deploy other malware. This vulnerability was reported to be among the most exploited vulnerabilities in the wild.
CVE-2019-2725 is a deserialization vulnerability in Oracle WebLogic Server. This remote code execution vulnerability is exploitable without authentication, i.e., it may be exploited over a network without a username and password. Cyber criminals have exploited it to deliver the Sodinokibi and Satan ransomware as well as to install Monero cryptomining malware.

The RAT is new malware still in development, and it could go in any direction. The infection payload uses the CVE to give the attacker access. This particular version was designed to run on Linux on the x86 architecture, but because the RAT is developed in Golang, the attacker can easily compile versions for other operating systems and architectures. The campaign involves downloading the RAT, initializing it and making sure it stays operational. After the infection, the RAT monitors for version changes by polling a URL on the hosting server (`l/sodd/ver`). The RAT connects to the C2, sends a check-in message containing fingerprinting information for the system, then listens for commands. The data sent back to the operators includes the hardware of the device, the OS and the IP address. Communication with the C2 is encrypted using a simple XOR cipher with key 0x86.
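A single-byte XOR channel like the one described above is trivial for an analyst to unwrap. The following added example (not code from the write-up or from the malware) decodes a captured message with the stated key 0x86 and shows how the key can be recovered from ciphertext alone when it is not known in advance; the check-in payload is a constructed sample, since the real fingerprint format is not given on the page.

```python
"""Decode and recover the key of single-byte XOR C2 traffic (analyst-side helper)."""

# Constructed sample check-in: the actual beacon format is not documented on the page.
SAMPLE_CHECKIN = b"arch=x86;os=linux;ip=192.0.2.10"
KNOWN_KEY = 0x86  # the XOR key the write-up attributes to this RAT

# Byte classes that a plausible text check-in is made of: lowercase letters,
# digits and a few separators. Anything else scores zero.
PLAUSIBLE = set(b"abcdefghijklmnopqrstuvwxyz0123456789 =;.:")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the same call both encodes and decodes."""
    return bytes(b ^ key for b in data)


def plausibility(candidate: bytes) -> int:
    """Count bytes that look like text fields; the true plaintext maximises this."""
    return sum(1 for b in candidate if b in PLAUSIBLE)


def recover_single_byte_key(ciphertext: bytes) -> tuple[int, bytes]:
    """Try all 256 keys and return (key, plaintext) with the highest plausibility.

    Ties resolve to the lowest key; on very short captures several keys may
    score equally, so confirm the result against a second captured message.
    """
    best_key, best_plain, best_score = 0, b"", -1
    for key in range(256):
        plain = xor_bytes(ciphertext, key)
        score = plausibility(plain)
        if score > best_score:
            best_key, best_plain, best_score = key, plain, score
    return best_key, best_plain


def decode_capture(ciphertext: bytes, key: int = KNOWN_KEY) -> bytes:
    """Decode a captured C2 message with the published key (0x86 by default)."""
    return xor_bytes(ciphertext, key)


if __name__ == "__main__":
    wire = xor_bytes(SAMPLE_CHECKIN, KNOWN_KEY)          # what would cross the network
    print("on the wire:", wire.hex())
    print("decoded with 0x86:", decode_capture(wire))
    key, plain = recover_single_byte_key(wire)           # analyst does not know the key
    print(f"recovered key 0x{key:02x}:", plain)
```

Because XOR is its own inverse, the same routine that encoded the beacon decodes it, which is why a fixed single-byte key offers no confidentiality once one sample is captured.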