Trend Micro researchers spotted an Oracle server vulnerability exploited to deliver double Monero miner payloads.
Threat actors exploited the CVE-2017-10271 vulnerability which allows for remote code execution to deliver both a 64-bit variant and a 32-bit variant of an XMRig Monero miner, according to a 26 February blog post.
Both of the malicious payloads are capable of starting automatically and daily to provide more chances to infect more machines.
The use of two miners is to improve the chances of compatibility so if one version isn't compatible with the infected Windows computer, then the other will run. The malware will also look to make the most of the infected device by shutting down other malware going as far as to terminate spoosvc.exe and delete the scheduled task “Spooler SubSystem Service.”
Users can prevent infection by regularly patching and updating their software to mitigate the impact of cryptocurrency malware and other threats that exploit the Oracle WebLogic WLS-WSAT vulnerability.