Hello, welcome to the Wednesday, April 6, 2020 edition of the Sansonet Storm Center's Stormcast. My name is

Johannes Ulrich, and today I'm recording from Jacksonville, Florida. Well, today we got another

crypto coin miner, of course, nothing that terribly new with crypto coin miners, but they keep adding new tricks.

And this one, first of all, went after a WebLogic vulnerability that's about two years old.

So not the most common vulnerability out there, but still apparently sufficient systems out there to make it worthwhile scanning

for them.

And then in addition to actually deleting all the competition, which is standard for

crypto coin miners, it also specifically disables Alibaba cloud monitoring software.

If you're setting up a virtual machine in Alibaba's cloud, by default,

there is a specific service installed, the Ali Yun service,

that's then being used to monitor your virtual machine.

Well, you can uninstall it, and that's exactly what this

particular script does. It downloads from Oligan, the uninstalled script, and then runs it. That, of

course, makes it a little bit more difficult or less likely that the crypto coin miner is being discovered.

Other than that, it's actually not very stealthy malware. It does disable a bunch of services

on the system, probably in order to, first of all, made it harder for the administrator to access

the system, but then also to probably get more CPU cycles for itself.

So any system used for real would immediately kind of be obvious

that all of a sudden, for example,

some of the Oracle service and such are no longer running,

but this looks like it's going after systems that are pretty much sort of in

its default configuration, unmaintained really, but still running. It also doesn't attempt to

...