First observed in 2017, Luoxk is a malware campaign targeting web servers throughout Asia, Europe and North America.
Luoxk uses several methods to compromise vulnerable servers, but primarily exploits CVE-2018-2893, a remote code execution vulnerability in Oracle WebLogic Server that is reachable over its T3 protocol. Exposed Remote Desktop Protocol (RDP) ports have also been used to infect devices.
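A quick way to triage your own WebLogic estate for this exposure is to speak the T3 handshake to the listener (port 7001 by default) and read the version out of the HELO reply. The following is an added example, not code from the original post or from the Luoxk research: the handshake bytes and the HELO format are WebLogic's public behaviour, the affected versions are those Oracle listed for CVE-2018-2893 in the July 2018 CPU, and the embedded HELO reply is a constructed sample, not a real capture. The `probe()` function is only for hosts you are authorized to test.

```python
"""Triage a WebLogic T3 listener for CVE-2018-2893 exposure.

Added example (not from the original post). The T3 handshake and the
HELO reply format are WebLogic's documented behaviour; SAMPLE_HELO
below is a constructed reply used so the script runs offline.
"""
import re
import socket
from typing import Optional

# Versions Oracle listed as affected by CVE-2018-2893 (July 2018 CPU).
AFFECTED_VERSIONS = {"10.3.6.0", "12.1.3.0", "12.2.1.2", "12.2.1.3"}

# Minimal T3 client hello; an exposed WebLogic listener answers with a HELO line.
T3_PROBE = b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"

# Constructed sample of a HELO reply, in the shape WebLogic returns.
SAMPLE_HELO = b"HELO:12.2.1.3.false\nAS:2048\nHL:19\nMS:10000000\n\n"


def parse_helo(response: bytes) -> Optional[str]:
    """Return the WebLogic version from a T3 HELO line, or None if it is not T3."""
    m = re.match(rb"HELO:(\d+(?:\.\d+){2,3})", response)
    return m.group(1).decode() if m else None


def normalize_version(version: str) -> str:
    """Pad to four components so 12.2.1 compares equal to 12.2.1.0."""
    parts = version.split(".")
    while len(parts) < 4:
        parts.append("0")
    return ".".join(parts[:4])


def assess(response: bytes) -> dict:
    """Classify a reply: not T3 at all, a listed affected version, or an unlisted version."""
    version = parse_helo(response)
    if version is None:
        return {"t3": False, "version": None, "affected": False}
    affected = normalize_version(version) in AFFECTED_VERSIONS
    return {"t3": True, "version": version, "affected": affected}


def probe(host: str, port: int = 7001, timeout: float = 5.0) -> dict:
    """Send the T3 hello to a live host and assess the reply. Authorized targets only."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(T3_PROBE)
        return assess(s.recv(1024))


if __name__ == "__main__":
    # Offline run against the constructed sample reply.
    print(assess(SAMPLE_HELO))
```

One caveat: applying the July 2018 CPU does not change the version string in the HELO banner, so a hit here means "T3 is reachable and the base version is in the affected range", not "unpatched". Treat it as a prompt to check patch inventory and to stop exposing T3 to untrusted networks, not as proof of vulnerability.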
The Luoxk group registered the C2 domain luoxkexp[.]com on March 16, 2017 and began using it immediately.
Once access is achieved, the group operating Luoxk will use the compromised servers for a number of purposes including:
- Enrolling them in a botnet built on a Nitol variant, used for distributed denial-of-service attacks. Nitol is a small botnet trojan that operates primarily in China and surrounding Asian countries.
- Installing the Gh0st remote access trojan, which in turn is used to install an XMRig mining application and to propagate to other devices on the network.
- Hosting malicious Android APK files for other malware to use.
DNS query volume for luoxkexp[.]com has been rising over the last few days.
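If you keep resolver query logs, the rise is also visible from your own side, and the same data tells you which internal hosts to triage. The script below is an added example, not code from the original post: it refangs the published indicator, matches the domain and any subdomain (case-insensitive, trailing dot ignored, and without matching look-alikes such as notluoxkexp.com), and reports hits per day and per client. The log lines are constructed samples in a BIND-style query-log format; adjust `QUERY_RE` to your resolver's format.

```python
"""Flag DNS queries for the Luoxk C2 domain in resolver query logs.

Added example (not from the original post). SAMPLE_LOG is constructed
BIND-style query-log text, not real traffic; the only real indicator is
the defanged domain from the post.
"""
import re
from collections import Counter
from typing import Iterable, List, Tuple

# Defanged indicator exactly as published; refang before matching.
IOC_DEFANGED = "luoxkexp[.]com"

# Constructed sample query-log lines (not real traffic).
SAMPLE_LOG = """\
16-Jul-2018 09:12:01.001 client 10.0.0.5#53211: query: www.example.com IN A + (10.0.0.1)
16-Jul-2018 09:40:17.220 client 10.0.0.8#40122: query: luoxkexp.com IN A + (10.0.0.1)
16-Jul-2018 11:03:55.830 client 10.0.0.8#40311: query: LUOXKEXP.COM. IN A + (10.0.0.1)
17-Jul-2018 02:15:09.004 client 10.0.0.12#51002: query: update.luoxkexp.com IN A + (10.0.0.1)
17-Jul-2018 02:15:10.117 client 10.0.0.12#51003: query: notluoxkexp.com IN A + (10.0.0.1)
18-Jul-2018 08:00:00.000 client 10.0.0.8#40999: query: luoxkexp.com IN TXT + (10.0.0.1)
"""

# Date, client IP, query name and type from a BIND-style "query:" line.
QUERY_RE = re.compile(
    r"^(?P<date>\S+) \S+ client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

Hit = Tuple[str, str, str, str]  # (date, client, qname, qtype)


def refang(ioc: str) -> str:
    """Turn luoxkexp[.]com into luoxkexp.com; also handles (.) and hxxp styles."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def matches_domain(qname: str, domain: str) -> bool:
    """True for the domain itself or any subdomain; never for look-alike suffixes."""
    q = qname.rstrip(".").lower()
    d = domain.rstrip(".").lower()
    return q == d or q.endswith("." + d)


def find_c2_queries(lines: Iterable[str], ioc: str = IOC_DEFANGED) -> List[Hit]:
    """Return every query that resolves the C2 domain or one of its subdomains."""
    domain = refang(ioc)
    hits: List[Hit] = []
    for line in lines:
        m = QUERY_RE.match(line)
        if m and matches_domain(m["qname"], domain):
            hits.append((m["date"], m["client"], m["qname"], m["qtype"]))
    return hits


def hits_per_day(hits: List[Hit]) -> dict:
    """Daily counts: the view that shows a rising trend."""
    return dict(Counter(h[0] for h in hits))


def suspect_clients(hits: List[Hit]) -> set:
    """Internal hosts that resolved the C2 domain, i.e. the triage list."""
    return {h[1] for h in hits}


if __name__ == "__main__":
    found = find_c2_queries(SAMPLE_LOG.splitlines())
    for hit in found:
        print(*hit)
    print("per day:", hits_per_day(found))
    print("clients to triage:", sorted(suspect_clients(found)))
```

Querying the domain is a strong signal but not proof of compromise on its own (a researcher, sandbox or mail scanner can resolve it too), so pair the client list with host-side checks for the Gh0st, XMRig and Nitol components described above.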
Indicators of Compromise
MD5 File Hashes
CVE-2018-2893 was addressed in Oracle’s July 2018 Critical Patch Update (CPU).
Users are advised to update their affected systems immediately.
Duncan is a technology professional with over 20 years' experience in a range of IT roles. He also has a wide range of other skills in radio, electronics and telecommunications.