Hackers are abusing the recently patched Oracle WebLogic Server vulnerability CVE-2019-2725 to deliver a Monero miner to vulnerable machines. The bug is a deserialization issue that allows unauthenticated remote command execution. The vendor fixed the flaw in late April, one week after proof-of-concept code for it was published online and cybercriminals started using it to install cryptocurrency miners.
In a new report, Trend Micro's researchers shed light on some of the activity involving CVE-2019-2725. The observed campaign has an interesting twist: the malware hides its malicious code in certificate files as an obfuscation tactic.
Once executed on the target machine, the malware exploits CVE-2019-2725 to execute a command and perform a series of routines. First, PowerShell is used to download a certificate file from the command-and-control (C&C) server, which is saved in %APPDATA% under the name cert.cer. Then the legitimate CertUtil tool is used to decode the file, and the decoded content is executed using PowerShell. Finally, the downloaded file is deleted using cmd.
The certificate file looks like a normal Privacy-Enhanced Mail (PEM) format certificate, but its body actually contains a PowerShell command instead of the X.509 structure normally found in a TLS certificate.
“One interesting characteristic of the downloaded certificate file is that it requires that it be decoded twice before the PS command is revealed, which is unusual since the command from the exploit only uses CertUtil once,” said the report.
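The following is an added defender-side check, not code from the report or the article: it mimics what certutil -decode does to a PEM-armored file and peels base64 layers until it reaches either a DER X.509 structure or plain text, which is how a double-encoded PowerShell command like the one described above can be told apart from a genuine certificate. The PEM pattern, the DER heuristic and both sample blobs are constructed here for illustration and are not artifacts from the campaign.

```python
import base64
import binascii
import re

# PEM armor that certutil -decode accepts; the body between the markers is plain base64.
PEM_RE = re.compile(r"-----BEGIN [A-Z ]+-----(.*?)-----END [A-Z ]+-----", re.S)

def certutil_decode(text: str):
    """Mimic certutil -decode: drop the PEM armor (if any) and base64-decode the body."""
    m = PEM_RE.search(text)
    body = "".join((m.group(1) if m else text).split())
    try:
        return base64.b64decode(body, validate=True) or None  # empty body -> None
    except binascii.Error:
        return None

def looks_like_der_certificate(data: bytes) -> bool:
    """A genuine X.509 cert is a DER SEQUENCE whose first child (tbsCertificate) is a SEQUENCE too."""
    if len(data) < 4 or data[0] != 0x30:
        return False
    hdr = 2 if data[1] < 0x80 else 2 + (data[1] & 0x7F)  # short or long-form length
    return len(data) > hdr and data[hdr] == 0x30

def inspect_cert_file(text: str, max_layers: int = 4) -> dict:
    """Peel base64 layers as repeated certutil runs would; report what the file really holds."""
    current, layers = text, 0
    while layers < max_layers:
        data = certutil_decode(current)
        if data is None:  # current layer is not base64: stop peeling
            break
        layers += 1
        if looks_like_der_certificate(data):
            return {"kind": "x509", "layers": layers, "payload": None}
        try:
            current = data.decode("utf-8")
        except UnicodeDecodeError:
            return {"kind": "binary", "layers": layers, "payload": None}
    kind = "script" if layers else "unknown"
    return {"kind": kind, "layers": layers, "payload": current if layers else None}

def pem_wrap(b64: str) -> str:
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

# Constructed stand-in for cert.cer: a harmless PowerShell line, base64-encoded twice, PEM-armored.
INNER_COMMAND = "Write-Output 'constructed benign sample'"
FAKE_CERT = pem_wrap(base64.b64encode(base64.b64encode(INNER_COMMAND.encode())).decode())
# Constructed stand-in for a genuine certificate: DER SEQUENCE header with a nested SEQUENCE.
FAKE_DER = pem_wrap(base64.b64encode(b"\x30\x82\x02\x00\x30\x82\x01\xf0" + b"\x00" * 24).decode())
```

Calling inspect_cert_file(FAKE_CERT) reports kind "script" after two layers with the recovered command as payload, while FAKE_DER reports kind "x509" after one layer.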
The PowerShell command in the certificate file downloads and executes another PowerShell script in memory, which in turn downloads and executes several files, including sysupdate.exe (the Monero miner), config.json (the configuration file for the miner), networkservice.exe (an executable possibly used for the propagation and exploitation of WebLogic), update.ps1 (the PowerShell script run in memory), sysguard.exe (a watchdog for the miner process), and clean.bat (which deletes other components).
The update.ps1 file contains the decoded certificate file; it is replaced with the new update.ps1, and a scheduled task is created that executes the new update.ps1 every 30 minutes.
The idea of using certificate files to hide malware is not new, but attacks actually using this technique had not been observed before. However, it appears that for the time being the hackers behind the above-mentioned campaign are only testing this obfuscation method, as the other malicious files are downloaded without being hidden in a certificate file, the researchers pointed out.