{
	"id": "0889875a-3be8-4ac6-a749-c24bb3981d0c",
	"created_at": "2026-04-06T00:11:12.483389Z",
	"updated_at": "2026-04-10T13:11:41.168306Z",
	"deleted_at": null,
	"sha1_hash": "8c47a9235d60884cab910205292cfe3fa3ba76d4",
	"title": "A Post-exploitation Look at Coinminers Abusing WebLogic Vulnerabilities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2075873,
	"plain_text": "A Post-exploitation Look at Coinminers Abusing WebLogic Vulnerabilities\r\nBy: Sunil Bharti Sep 14, 2022 Read time: 7 min (1821 words)\r\nPublished: 2022-09-14 · Archived: 2026-04-05 14:21:52 UTC\r\nExploits \u0026 Vulnerabilities\r\nThis blog entry details how Trend Micro Cloud One™ – Workload Security and Trend Micro Vision One™ effectively detected and blocked the abuse of the CVE-2020-14882 WebLogic vulnerability in affected endpoints.\r\nWe have recently observed malicious actors exploiting both recently disclosed and older Oracle WebLogic Server vulnerabilities to deliver cryptocurrency-mining malware. Oracle WebLogic Server is typically used for developing and deploying high-traffic enterprise applications on cloud environments and on engineered and conventional systems.\r\nOne of the older vulnerabilities that is still being actively exploited by malicious actors is CVE-2020-14882, a remote code execution (RCE) vulnerability that takes advantage of improper input validation in Oracle WebLogic Server. This vulnerability affects versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0, and can be exploited by a remote, unauthenticated attacker who sends a crafted HTTP request to the victim server, resulting in RCE. It has a CVSS v3.0 score of 9.8.\r\nThough we have observed many malicious actors using this vulnerability to deploy different malware families, this blog will focus on Kinsing malware activity. Based on our analysis, most of the exploits did not show special characteristics or features.
However, we have observed that the downloaded shell and Python scripts went through a lengthy list of actions, including disabling basic operating system (OS) security features such as Security-Enhanced Linux (SELinux), watchdog timers, and iptables, and disabling cloud service providers’ agents.\r\nThis blog entry will detail how Trend Micro Cloud One™ – Workload Security and Trend Micro Vision One™ effectively detected and blocked the abuse of the CVE-2020-14882 WebLogic vulnerability in affected endpoints.\r\nTechnical analysis\r\nDespite being an older vulnerability, malicious actors are still actively weaponizing CVE-2020-14882 to gain a foothold in victim organizations. Figure 1 shows the active attempts to exploit the vulnerability, which our intrusion prevention system (IPS) detected from October 31, 2020, to July 27, 2022.\r\nhttps://www.trendmicro.com/en_us/research/22/i/a-post-exploitation-look-at-coinminers-abusing-weblogic-vulnerab.html\r\nPage 1 of 14\n\nFigure 1. IPS detection count of the CVE-2020-14882 vulnerability exploitation from Oct. 31, 2020 to July 27, 2022\r\nFigure 2. Kinsing malware infection chain\r\nUsing Workload Security to detect WebLogic vulnerability exploitation\r\nWorkload Security’s correlation of telemetry and detections provided the initial security context in this campaign, which allowed security teams and analysts to track and monitor the malicious actor’s activities.\r\nThe following Workload Security modules worked to detect the exploitation of CVE-2020-14882 on vulnerable systems:\r\nIntrusion prevention system module\r\nWorkload Security’s intrusion prevention system module can tap into incoming traffic and effectively detect and block malicious network traffic.
This module includes multiple IPS rules that can block the exploitation of WebLogic server vulnerabilities. One of these is IPS rule 1010590 - Oracle WebLogic Server Remote Code Execution Vulnerabilities (CVE-2020-14882, CVE-2020-14750 and CVE-2020-14883), which can detect and block the exploitation of the vulnerabilities assigned to both CVE-2020-14882 and CVE-2020-14883.\r\nFigure 3. IPS detection of the vulnerability exploitation\r\nFigure 4. Payload data captured by the IPS rule\r\nIn figure 4, the malicious actor sent a crafted request that attempted to access the console.portal resource under the “images” directory. The “%252e%252e” is a double URL-encoded form of the “..” directory traversal pattern. Because the class managing the targeted resource did not validate the input, it evaluated the code that the attacker provided. In this case, the attacker forced the server to read the contents of the wb.xml file, which downloaded a shell script with the following contents:\r\nFigure 5. The contents of the wb.xml file\r\nAntimalware module\r\nThis module provides real-time protection against the exploitation of this vulnerability using behavior-monitoring features.\r\nFigure 6. Antimalware (AM) event of a shell script running on Java\r\nFigure 7. AM event of Kinsing malware detection\r\nWeb reputation module\r\nThe web reputation module protects systems against web threats by blocking access to malicious URLs.
In our investigation, this module immediately identified and blocked the wb.sh script’s attempt to download the Kinsing malware.\r\nFigure 8. The web reputation module blocked the download of the Kinsing malware.\r\nActivity monitoring module\r\nThis module can detect process, file, and network activities on endpoints that are running the Cloud One Workload Security solution. As seen in figure 13, the activity monitoring module detected the Java process that was attempting to open a bash shell.\r\nFigure 9. The activity monitoring module detected the Java process that tried to open a bash shell.\r\nA closer look at the WebLogic vulnerability exploitation using Trend Micro Vision One and Trend Micro Cloud One\r\nIn our investigation of this Kinsing campaign, Trend Micro Vision One provided real-time details of the paths and events related to this attack. This section provides insights into the activities performed by the downloaded shell script, the detections provided by the Trend Micro Cloud One and Trend Micro Vision One solutions, and how these solutions provide information on every step of the malware's behavior.\r\nAfter the successful exploitation of the vulnerability, the wb.sh file was downloaded onto the host machine. On infected machines that do not run Workload Security and Vision One, it would attempt to perform the following malicious actions:\r\n1. The script would check whether the “/tmp/zzza” file was present, which would trigger the script to stop. Otherwise, it would create an empty file and perform the other actions. It is a flag used to verify that two or more instances are not running on the same host.
This file can also be used to stop further infections if created manually.\r\nFigure 10. Detection of “/tmp/zzza” file creation\r\n2. The script would increase the resource limit using the “ulimit” command and remove the /var/log/syslog file.\r\nFigure 11. Detection of the /var/log/syslog file deletion\r\n3. It would make multiple files mutable so that it can update them.\r\nFigure 12. Detection of attribute modification of “/etc/crontab”\r\n4. It would also disable multiple security features within the system.\r\nFigure 13. Telemetry detection of the “disable apparmor” command\r\n5. It would disable the “alibaba,” “bydo,” and “qcloud” cloud service agents.\r\nFigure 14. Disabled alibaba, bydo and qcloud cloud service agents\r\n6. Like other cryptocurrency-mining malware, it would start removing or killing off other cryptocurrency miners’ processes within the infected system.\r\nFigure 15. Detection of the cryptominer killing competing cryptominers’ processes\r\n7. It would also remove some Docker images that belonged to other cryptocurrency-mining malware.\r\nFigure 16. Removal of competing cryptominers’ Docker images\r\n8. Until this point, the script worked as a stager: it would remove the files and processes that were related to other cryptominers and malware families. It would also disable security features and modify the attributes of important files so that they can be manipulated. After the script performs all these steps, it would then download the Kinsing malware.\r\nFigure 17.
Downloading the Kinsing malware\r\n9. It would check whether the user was root or not and would then select the path and utility (wget or curl) to download the malicious binary.\r\nFigure 18. Telemetry detection of the downloaded Kinsing malware\r\n10. It would then create a cronjob to download the wb.sh script.\r\nFigure 19. Creation of a cronjob to download the wb.sh script\r\nObserved attack techniques (OATs)\r\nObserved attack techniques (OATs) are generated from individual events that provide security value. To investigate possible attempts of exploitation using this vulnerability, analysts can look for these OAT IDs among the many other helper OAT triggers that can indicate suspicious activities on the affected host.\r\nFigure 20. List of detected OATs\r\nThe Trend Micro Vision One Workbench app helps analysts see the significant correlated events that are intelligently based on the occurrences that happened throughout the entire fleet of workloads.\r\nFigure 21. Workbench app detection\r\nThe left side of figure 25 shows the summarized sequence of events. Meanwhile, on the right side, security analysts can view the different fields of interest that are considered important and provide security value.
The app allows security teams to see compromised assets and isolate those that can be potentially affected while patching and mitigation procedures are in progress.\r\nExecution profile\r\nExecution profile is a Trend Micro Vision One feature that generates graphs for security defenders. Fields like “processCmd” and “objectCmd” can be expanded from the search app or the threat hunting app to look for different activities in any given period. These activities include process creation, file creation, and inbound and outbound network activity.\r\nIf “Check Execution Profile” is selected, a security analyst can go through the extensive list of actions that a malicious actor has performed.\r\nFigure 22. Vision One dashboard showing the execution profile function\r\nThreat hunting queries\r\nTo hunt down potential malicious activity within the environment, security analysts can use the following queries in the Trend Micro Vision One search app:\r\n1. To find the potential misuse of Java applications to open a bash process: processFilePath:/bin/java AND objectFilePath:/usr/bin/bash\r\n2. To find the use of curl or wget initiated by Java via bash: processFilePath:/bin/java AND objectFilePath:/usr/bin/bash AND (objectCmd:curl or objectCmd:wget)\r\n3. To find the execution of a Base64-decoded string by Java via bash: processFilePath:/bin/java AND objectFilePath:/usr/bin/bash AND objectCmd:base64\r\nHow Trend Micro Vision One and Trend Micro Cloud One – Workload Security can help thwart vulnerability exploitation\r\nIn this blog entry, we discussed how malicious actors exploited a two-year-old vulnerability and attempted to deploy the Kinsing malware into a vulnerable system.
The successful exploitation of this vulnerability can lead to RCE, which can allow attackers to perform a plethora of malicious activities on affected systems. This can range from malware execution, as in the case of our analysis, to theft of critical data, and even complete control of a compromised machine.\r\nTrend Micro Vision One services help security teams gain an overall view of attempts in ongoing campaigns by providing them a correlated view of multiple layers such as email, endpoints, servers, and cloud workloads. Security teams can gain a broader perspective and a better understanding of attack attempts and detect suspicious behavior that would otherwise seem benign when viewed from a single layer alone.\r\nMeanwhile, Trend Micro Cloud One – Workload Security products help defend systems against vulnerability exploits, malware, and unauthorized change.
It can protect a variety of environments such as virtual, physical, cloud, and containers.\r\nUsing advanced techniques like machine learning (ML) and virtual patching, the solution can automatically secure new and existing workloads against both known and new threats.\r\nMITRE ATT\u0026CK Technique IDs\r\nTechnique ID\r\nExploit Public-Facing Application T1190\r\nCommand and Scripting Interpreter: Unix Shell T1059.004\r\nResource Hijacking T1496\r\nIndicator Removal on Host: Clear Linux or Mac System Logs T1070.002\r\nFile and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification T1222.002\r\nImpair Defenses: Disable or Modify System Firewall T1562.004\r\nIndicator Removal on Host: File Deletion T1070.004\r\nScheduled Task/Job: Cron T1053.003\r\nImpair Defenses: Disable Cloud Logs T1562.008\r\nIOCs\r\nURLs:\r\nFile hashes\r\nSHA-256 Detection name\r\n020c14b7bf5ff410ea12226f9ca070540bd46eff80cf20416871143464f7d546 Trojan.SH.CVE20207961.SM\r\n5D2530B809FD069F97B30A5938D471DD2145341B5793A70656AAD6045445CF6D Trojan.Linux.KINSING.USELVCR22\r\nIP addresses\r\n212[.]22[.]77[.]79\r\n185[.]234[.]247[.]8\r\n185[.]154[.]53[.]140\r\nSource: 
https://www.trendmicro.com/en_us/research/22/i/a-post-exploitation-look-at-coinminers-abusing-weblogic-vulnerab.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/i/a-post-exploitation-look-at-coinminers-abusing-weblogic-vulnerab.html"
	],
	"report_names": [
		"a-post-exploitation-look-at-coinminers-abusing-weblogic-vulnerab.html"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a6c351ea-01f1-4c9b-af75-cfbb3b269ed3",
			"created_at": "2023-01-06T13:46:39.390649Z",
			"updated_at": "2026-04-10T02:00:03.311299Z",
			"deleted_at": null,
			"main_name": "Kinsing",
			"aliases": [
				"Money Libra"
			],
			"source_name": "MISPGALAXY:Kinsing",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434272,
	"ts_updated_at": 1775826701,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8c47a9235d60884cab910205292cfe3fa3ba76d4.pdf",
		"text": "https://archive.orkl.eu/8c47a9235d60884cab910205292cfe3fa3ba76d4.txt",
		"img": "https://archive.orkl.eu/8c47a9235d60884cab910205292cfe3fa3ba76d4.jpg"
	}
}