ioc[.]one - OSINT Cyber Threat Intelligence Database

A Post-exploitation Look at Coinminers Abusing WebLogic Vulnerabilities

Tags

cmtmf-attack-pattern:

Command And Scripting Interpreter Exploit Public-Facing Application Resource Hijacking Scheduled Task/Job

attack-pattern:

Data Clear Linux Or Mac System Logs - T1070.002 Command And Scripting Interpreter - T1623 Cron - T1053.003 Disable Or Modify System Firewall - T1562.004 Exploit Public-Facing Application - T1377 Exploits - T1587.004 Exploits - T1588.005 File And Directory Permissions Modification - T1222 File Deletion - T1070.004 File Deletion - T1630.002 Impair Defenses - T1562 Impair Defenses - T1629 Indicator Removal On Host - T1630 Ip Addresses - T1590.005 Linux And Mac File And Directory Permissions Modification - T1222.002 Malware - T1587.001 Malware - T1588.001 Python - T1059.006 Resource Hijacking - T1496 Scheduled Task/Job - T1603 Server - T1583.004 Server - T1584.004 Unix Shell - T1059.004 Vulnerabilities - T1588.006 Unix Shell - T1623.001 Command-Line Interface - T1059 Exploit Public-Facing Application - T1190 File Deletion - T1107 Indicator Removal On Host - T1070 Scheduled Task - T1053 Exploit Public-Facing Application Indicator Removal On Host

Show in Graph

Common Information

Type	Value
UUID	945cfd04-d550-443c-80b4-cae9afaf7d92
Fingerprint	b6eb2a55ac33ef81
Analysis status	DONE
Considered CTI value	2
Text language
Published	Sept. 14, 2022, midnight
Added to db	Oct. 16, 2024, 12:16 a.m.
Last updated	Nov. 17, 2024, 6:56 p.m.
Headline	A Post-exploitation Look at Coinminers Abusing WebLogic Vulnerabilities
Title	A Post-exploitation Look at Coinminers Abusing WebLogic Vulnerabilities
Detected Hints/Tags/Attributes	76/2/51

Source URLs

	Redirection	Url
Details	Source	https://www.trendmicro.com/en_nz/research/22/i/a-post-exploitation-look-at-coinminers-abusing-weblogic-vulnerab.html
Details	Source	https://www.trendmicro.com/en_sg/research/22/i/a-post-exploitation-look-at-coinminers-abusing-weblogic-vulnerab.html

URL Provider

Details	Provider	Source level domain
Details	trendmicro.com	www.trendmicro.com

Attributes

Details	Type	#Events	Value
Details	CVE	68	cve-2020-14882
Details	CVE	27	cve-2020-14750
Details	CVE	27	cve-2020-14883
Details	Domain	6	wb.sh
Details	Domain	8	trojan.sh.cve20207961.sm
Details	File	4	wb.xml
Details	sha256	2	020c14b7bf5ff410ea12226f9ca070540bd46eff80cf20416871143464f7d546
Details	sha256	5	5d2530b809fd069f97b30a5938d471dd2145341b5793a70656aad6045445cf6d
Details	IPv4	40	10.3.6.0
Details	IPv4	39	12.1.3.0
Details	IPv4	60	12.2.1.3
Details	IPv4	70	12.2.1.4
Details	IPv4	58	14.1.1.0
Details	IPv4	2	91.241.19.134
Details	IPv4	2	185.14.30.35
Details	IPv4	3	195.2.79.26
Details	IPv4	2	195.2.78.230
Details	IPv4	2	193.178.170.47
Details	IPv4	2	178.20.40.200
Details	IPv4	2	94.103.89.159
Details	IPv4	2	185.231.153.4
Details	IPv4	2	195.2.85.171
Details	IPv4	2	80.92.204.82
Details	IPv4	2	195.2.84.209
Details	IPv4	5	212.22.77.79
Details	IPv4	2	185.234.247.8
Details	IPv4	9	185.154.53.140
Details	MITRE ATT&CK Techniques	542	T1190
Details	MITRE ATT&CK Techniques	86	T1059.004
Details	MITRE ATT&CK Techniques	107	T1496
Details	MITRE ATT&CK Techniques	12	T1070.002
Details	MITRE ATT&CK Techniques	35	T1222.002
Details	MITRE ATT&CK Techniques	70	T1562.004
Details	MITRE ATT&CK Techniques	297	T1070.004
Details	MITRE ATT&CK Techniques	44	T1053.003
Details	MITRE ATT&CK Techniques	235	T1562
Details	Url	2	http://91.241.19.134/wb.sh
Details	Url	2	http://185.14.30.35/kinsing
Details	Url	2	http://185.14.30.35/wb.sh
Details	Url	2	http://195.2.79.26/kinsing
Details	Url	2	http://195.2.79.26/wb.sh
Details	Url	2	http://195.2.78.230/wb.sh
Details	Url	2	http://193.178.170.47/wb.sh
Details	Url	2	http://178.20.40.200/wb.sh
Details	Url	2	http://94.103.89.159/wb.sh
Details	Url	2	http://185.231.153.4/wb.sh
Details	Url	2	http://195.2.85.171/wb.sh
Details	Url	2	http://80.92.204.82/wb.sh
Details	Url	2	http://195.2.84.209/kinsing
Details	Url	2	http://193.178.170.47/kinsing
Details	Url	2	http://178.20.40.200/kinsing