Attackers often keep upgrading their tools to scan for and infect new devices by exploiting unpatched vulnerabilities. Recently, the z0Miner cryptomining malware was spotted probing cloud servers by exploiting a new set of unpatched vulnerabilities.
z0Miner active campaign
Qihoo 360 Netlab researchers have observed z0Miner’s active hunting against vulnerabilities addressed in 2015 and earlier in ElasticSearch and Jenkins servers.
- The botnet was using exploits targeting an ElasticSearch RCE vulnerability (CVE-2015-1427) and an older RCE impacting Jenkins servers.
- After compromising a server, the malware will first download a malicious shell script and sets up a new cron entry to periodically grab and execute malicious scripts from Pastebin.
- Further, the botnet downloads a mining kit containing an XMRig miner script (java.exe), a config file (config.json), and a starter script (solr.sh). It starts to mine for Monero (XMR) cryptocurrency in the background.
Earlier campaigns
Since its emergence last year, z0Miner has been observed gaining persistence via crontab and mining for Monero cryptocurrency.
- According to the Tencent Security Team, z0Miner was actively exploiting two Weblogic pre-auth RCE bugs tracked as CVE-2020-14882 and CVE-2020-14883 to spread to other devices.
- In addition, the botnet was spreading laterally on the network of already compromised devices via SSH.
- It has already compromised thousands of devices using recently identified similar attack logic.
Conclusion
z0Miner’s recent campaign demonstrates how vulnerabilities identified years ago, if not patched, can be used by cybercriminals for making a profit. Therefore, it becomes important for organizations to keep all their systems and applications updated with the latest patches to avoid such threats.
