Luoxk Malware – Exploiting CVE-2018-2893

First observed in 2017, Luoxk is a malware campaign targeting web servers throughout Asia, Europe and North America.

Luoxk uses a variety of methods to compromise vulnerable servers but primarily exploits CVE-2018-2893, a remote code execution vulnerability on Oracle web servers. Open Remote Desktop Protocol ports have also been used to infect devices.

The Luoxk group registered the luoxkexp[.]com C2 domain on March 16, 2017, and began using it immediately (domain details here).

Once access is achieved, the group operating Luoxk will use the compromised servers for a number of purposes including:

  • Enrolling them in a Nitol variant botnet to be used for distributed denial-of-service attacks. Nitol is a smaller botnet trojan that operates primarily in China and surrounding Asian countries.
  • Installing the Gh0st remote access trojan, which in turn is used to install an XMRig mining application and to propagate to other devices on the network.
  • Hosting malicious Android APK files for other malware to use.

DNS query traffic to luoxkexp[.]com has been rising over the last few days.

Traffic to luoxkexp[.]com, July 2018

Indicators of Compromise

IP Addresses

  • 121.18.238[.]56
  • 103.99.115[.]220


Domains

  • luoxkexp[.]com

Full URLs

MD5 File Hashes

  • 2f7df3baefb1cdcd7e7de38cc964c9dc
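The indicators above are only useful if they are actually checked against what your resolvers, proxies and file stores see. The script below is an added example, not code from the original post: it refangs the published domain and IP indicators, matches them against a handful of constructed DNS and proxy log lines (the log format is hypothetical), and compares a file's MD5 against the published hash. The domain check also catches subdomains of the C2 domain and case or trailing-dot variations, which a naive substring match would handle badly.

```python
"""Match constructed DNS and proxy log lines against the Luoxk IoCs above.

Added example, not code from the original post. The log format and the
sample lines are constructed; the indicator values are the ones the post lists.
"""
import hashlib
import re

# IoCs as published (defanged with "[.]" so they are not clickable).
DEFANGED_DOMAINS = ["luoxkexp[.]com"]
DEFANGED_IPS = ["121.18.238[.]56", "103.99.115[.]220"]
MD5_HASHES = {"2f7df3baefb1cdcd7e7de38cc964c9dc"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("a[.]b") back into its routable form."""
    return indicator.replace("[.]", ".")


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}

# Constructed (hypothetical) log formats:
#   DNS:   "<ts> dns client=<ip> query=<name> type=<rr>"
#   Proxy: "<ts> proxy client=<ip> dst=<ip>:<port> host=<name> url=<path>"
DNS_RE = re.compile(r"^(?P<ts>\S+) dns client=(?P<client>\S+) query=(?P<query>\S+)")
PROXY_RE = re.compile(r"^(?P<ts>\S+) proxy client=(?P<client>\S+) dst=(?P<dst>[\d.]+):(?P<port>\d+)")


def domain_matches(name: str) -> bool:
    """True if name is an IoC domain or a subdomain of one.

    Case-insensitive, tolerates a trailing dot, and does not match
    look-alike names such as "notluoxkexp.com".
    """
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in DOMAINS)


def scan_log(lines):
    """Return (line_no, indicator, reason) for every line that hits an IoC."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = DNS_RE.match(line)
        if m and domain_matches(m.group("query")):
            hits.append((n, m.group("query"), "dns-query"))
            continue
        m = PROXY_RE.match(line)
        if m:
            if m.group("dst") in IPS:
                hits.append((n, m.group("dst"), "proxy-dst-ip"))
            host = re.search(r"host=(\S+)", line)
            if host and domain_matches(host.group(1)):
                hits.append((n, host.group(1), "proxy-host"))
    return hits


def file_matches(data: bytes) -> bool:
    """True if the MD5 of data is one of the published hashes."""
    return hashlib.md5(data).hexdigest() in MD5_HASHES


# Constructed sample log: lines 2, 3 and 4 should hit, the rest should not.
SAMPLE_LOG = [
    "2018-07-10T08:01:02Z dns client=10.0.0.5 query=www.example.com type=A",
    "2018-07-10T08:01:03Z dns client=10.0.0.5 query=LUOXKEXP.COM. type=A",
    "2018-07-10T08:01:04Z dns client=10.0.0.7 query=update.luoxkexp.com type=A",
    "2018-07-10T08:02:00Z proxy client=10.0.0.7 dst=121.18.238.56:80 host=121.18.238.56 url=/x.apk",
    "2018-07-10T08:02:01Z proxy client=10.0.0.8 dst=93.184.216.34:443 host=example.org url=/",
    "2018-07-10T08:03:00Z dns client=10.0.0.9 query=notluoxkexp.com type=A",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

In practice the indicator sets would be loaded from a feed rather than hard-coded, and the regexes replaced with the parser for your own resolver and proxy formats; the matching logic (refang, exact-or-subdomain domain match, exact IP match, hash set lookup) stays the same.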


CVE-2018-2893 was addressed in Oracle’s July 2018 Critical Patch Update (CPU).

Users are advised to update their affected systems immediately.

Duncan Newell

Duncan is a technology professional with over 20 years' experience in a variety of IT roles. He has an interest in cyber security, and a wide range of other skills in radio, electronics and telecommunications.
