Date: 04/09/2025
Severity: Medium
Summary
Researchers discovered a new attack campaign targeting Apache Tomcat servers. The attackers use brute-force methods to gain access, deploy encrypted payloads, steal SSH credentials, and hijack resources for cryptocurrency mining. The attack exploits vulnerabilities in Tomcat and disguises the malicious binaries as kernel processes to maintain persistence. The campaign is believed to be linked to a Chinese-speaking threat actor.
Indicators of Compromise (IOC) List
Type | Indicator |
URL/Domain | dbliker.top |
IP Address | 209.141.37.95 |
IP Address | 138.201.247.154 |
IP Address | 68.183.238.15 |
IP Address | 216.239.38.21 |
Hash (MD5) | 8b3a077339cd75a313a531798852a352 |
Hash (MD5) | d82a372d3f9ee28b34f0f8299d7a5132 |
Hash (MD5) | bd8ce6bd59b1f648e0ac38e575780453 |
Hash (MD5) | 5e2814800cbe66281511ae5dfa62a94e |
Hash (MD5) | 5012b9d97848cafc2d5a55ea098c7d3c |
Hash (MD5) | 718edc4d574df0accd3ba7591a43eddf |
Hash (MD5) | fd87e203c4867c688024175aeee0092f |
Hash (MD5) | 713091980135a30a452b34026d949890 |
Hash (MD5) | ff20fd3228162a71efa8c4b3786b4c3e |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 | domainname like "dbliker.top" or siteurl like "dbliker.top" or url like "dbliker.top" |
Detection Query 2 | dstipaddress IN ("138.201.247.154","68.183.238.15","209.141.37.95","216.239.38.21") or ipaddress IN ("138.201.247.154","68.183.238.15","209.141.37.95","216.239.38.21") or srcipaddress IN ("138.201.247.154","68.183.238.15","209.141.37.95","216.239.38.21") |
Detection Query 3 | md5hash IN ("713091980135a30a452b34026d949890","5e2814800cbe66281511ae5dfa62a94e","5012b9d97848cafc2d5a55ea098c7d3c","bd8ce6bd59b1f648e0ac38e575780453","8b3a077339cd75a313a531798852a352","d82a372d3f9ee28b34f0f8299d7a5132","718edc4d574df0accd3ba7591a43eddf","fd87e203c4867c688024175aeee0092f","ff20fd3228162a71efa8c4b3786b4c3e") |
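The three queries above, as an added Python example that is not part of this advisory or of Gurucul's tooling: it applies the same domain, IP and MD5 checks to a few constructed key=value log lines and reports which query each line satisfies. The field names follow the queries; the log format and the treatment of the "like" fields as substring matches are assumptions.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Indicators listed in this advisory.
IOC_DOMAINS = {"dbliker.top"}
IOC_IPS = {"209.141.37.95", "138.201.247.154", "68.183.238.15", "216.239.38.21"}
IOC_MD5 = {
    "8b3a077339cd75a313a531798852a352", "d82a372d3f9ee28b34f0f8299d7a5132",
    "bd8ce6bd59b1f648e0ac38e575780453", "5e2814800cbe66281511ae5dfa62a94e",
    "5012b9d97848cafc2d5a55ea098c7d3c", "718edc4d574df0accd3ba7591a43eddf",
    "fd87e203c4867c688024175aeee0092f", "713091980135a30a452b34026d949890",
    "ff20fd3228162a71efa8c4b3786b4c3e",
}
# Field names mirror the three TDIR queries. The "like" fields are treated as
# substring matches (an assumption); the "IN" fields are exact matches.
DOMAIN_FIELDS = ("domainname", "siteurl", "url")
IP_FIELDS = ("dstipaddress", "ipaddress", "srcipaddress")
HASH_FIELDS = ("md5hash",)

def parse_kv_line(line: str) -> Dict[str, str]:
    """Parse a key=value log line (assumed format) into lower-cased fields."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    return {k.lower(): v.strip('"').lower() for k, v in pairs}

def classify(event: Dict[str, str]) -> Optional[str]:
    """Return the first detection query the event satisfies, else None."""
    if any(d in event.get(f, "") for f in DOMAIN_FIELDS for d in IOC_DOMAINS):
        return "Detection Query 1"
    if any(event.get(f) in IOC_IPS for f in IP_FIELDS):
        return "Detection Query 2"
    if any(event.get(f) in IOC_MD5 for f in HASH_FIELDS):
        return "Detection Query 3"
    return None

def scan(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Run all three queries over raw log lines; return (line_no, query) hits."""
    return [(n, q) for n, line in enumerate(lines, 1)
            if (q := classify(parse_kv_line(line)))]

# Constructed sample log lines; only line 2 contains no indicator.
SAMPLE_LOGS = [
    'ts=2025-04-09T10:01:00Z host=tomcat01 url="http://dbliker.top/x" dstipaddress=209.141.37.95',
    'ts=2025-04-09T10:02:00Z host=tomcat01 srcipaddress=10.0.0.5 dstipaddress=203.0.113.9',
    'ts=2025-04-09T10:03:00Z host=tomcat01 srcipaddress=68.183.238.15 dstipaddress=10.0.0.7',
    'ts=2025-04-09T10:04:00Z host=tomcat01 md5hash=713091980135a30a452b34026d949890',
]
```

Running scan(SAMPLE_LOGS) flags lines 1, 3 and 4 under Query 1, 2 and 3 respectively; a hit on any of them warrants checking the host for the brute-force, SSH credential theft and mining activity described in the summary.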
Reference:
https://www.aquasec.com/blog/new-campaign-against-apache-tomcat/