
Oracle Server Exploit Opens up for Double Cryptocurrency miner Payload

Thursday, March 1, 2018 By

Hackers serve up a duo of cryptocurrency miners by exploiting Oracle server vulnerability


Cryptocurrency mining malware is a live issue, and with the latest crop of cyberattacks it seems to be turning into one of the big trends for 2018. In the most recent example, a group has used an Oracle server vulnerability to deliver double Monero miner payloads.


Trend Micro researchers spotted that hackers are exploiting the CVE-2017-10271 vulnerability in Oracle server, which allows remote code execution, to deliver a double-headed payload: a 64-bit variant and a 32-bit variant of the XMRig Monero miner. The double payload is intended to improve compatibility with different systems. Both payloads auto-start daily to maximise revenue for the attackers, and also attempt to shut down other malware on the device by terminating spoosvc.exe and deleting the scheduled task “Spooler SubSystem Service.”

“This malware uses the Oracle system’s central processing unit (CPU) and/or the machine’s graphical processing unit (GPU) resources, making the system run abnormally slow. The user may not attribute the issue to a compromise at first since the effects can be caused by other factors. But, as we mentioned, cryptocurrency miners have been on the rise since mid-2017, and users should expect more malware variants that aim to hijack their system resources. Cybercriminals are taking every opportunity and experimenting with new ways to deliver cryptocurrency mining malware to users”, noted the Trend Micro researchers in a blogpost.

The blogpost contains a full list of IOCs, while CVE-2017-10271 patches are available from Oracle.

Ilia Kolochenko, CEO, High-Tech Bridge commented on an earlier XMR Miner attack that: “With the steady growth and popularity of digital currencies, we should expect the continuous and persistent growth of attacks targeting cryptocurrency wallets and/or installing malware to mine the coins.

“As opposed to the regulated world of credit cards, PayPal or bank accounts, digital currencies are a unique opportunity for cybercriminals to use stolen [digital] money without risk of being halted or having their money frozen. Law enforcement and government bodies have virtually no control over digital coins and cannot intervene at the moment. Therefore, using all previously available and some emerging techniques within phishing and drive-by-download attacks, cyber criminals will likely focus their efforts on crypto currencies in the near future.”

A recent report found that 42 per cent of the top 100,000 websites on the web are using software that leaves them vulnerable to cyber attack, or have already been compromised. Many external data breaches and security incidents involve insecure web applications, due to the pressures on building and maintaining digital tools in the corporate IT environment. High-Tech Bridge’s award-winning Application Security Testing (AST) Platform, ImmuniWeb, helps reduce application risks and get the best ROI from Application Security Testing.

Cryptocurrency mining is certainly on the rise; in fact, it was the most detected network event in devices connected to home routers in 2017, rising to a peak in Q4, according to data from Trend Micro.


The company also spotted the largest volumes of cryptocurrency mining malware in Japan, India, Taiwan, the US, and Australia respectively.


Mark Mayne has covered the security industry for more than 15 years, editing news for SC Magazine and editing SecurityVibes UK. Mark has a background in national news journalism and tech reporting, and has run b2b and b2c editorial sites.
