11 June 2019

Hackers weaponize critical Oracle WebLogic vulnerability in cryptojacking attacks

Hackers are abusing the recently patched Oracle WebLogic Server vulnerability CVE-2019-2725 to deliver a Monero miner to vulnerable machines. The bug is a deserialization issue that allows unauthenticated remote command execution. The flaw was fixed by the vendor in late April, one week after proof-of-concept code for it was published online and cybercriminals started using it to install cryptocurrency miners.

In a new report, Trend Micro's researchers shed light on some of the activity involving CVE-2019-2725. The observed campaign has an interesting twist: the malware hides its malicious code in certificate files as an obfuscation tactic.

Once it reaches the target machine, the malware exploits CVE-2019-2725 to execute a command that performs a series of routines. First, PowerShell is used to download a certificate file from the command-and-control (C&C) server and save it in %APPDATA% under the name cert.cer. Then the legitimate CertUtil tool is used to decode the file, and the decoded content is executed using PowerShell. Finally, the downloaded file is deleted using cmd.
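The chain described above (script host spawned by the server process, CertUtil decoding a downloaded "certificate", PowerShell running the result, cmd deleting the source) leaves a recognisable trail in process-creation telemetry. The following Python snippet is an added example, not code from the article or from Trend Micro's report, that runs a few such rules over constructed events in the style of Sysmon Event ID 1. The process IDs, paths, the WebLogic Java process and the placeholder download command are all assumptions made for the demonstration.

```python
import ntpath
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
CERT_EXTENSIONS = (".cer", ".crt", ".pem", ".der", ".p7b", ".pfx")
DECODE_RE = re.compile(r"[-/]decode\s+(\S+)\s+(\S+)", re.IGNORECASE)

# Constructed process-creation events in the style of Sysmon Event ID 1 (not real telemetry).
# pid 1200 stands in for the WebLogic server's Java process; anything it spawns is suspect.
EVENTS = [
    {"ts": 0, "pid": 1200, "ppid": 800, "image": r"C:\Oracle\Middleware\jdk\bin\java.exe",
     "cmdline": "java.exe -Dweblogic.Name=AdminServer weblogic.Server"},
    {"ts": 1, "pid": 4000, "ppid": 1200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c <placeholder: download cert.cer from the C&C into %APPDATA%>"},
    {"ts": 2, "pid": 4100, "ppid": 4000, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -decode C:\Users\svc\AppData\Roaming\cert.cer C:\Users\svc\AppData\Roaming\update.ps1"},
    {"ts": 3, "pid": 4200, "ppid": 4000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -ExecutionPolicy Bypass -File C:\Users\svc\AppData\Roaming\update.ps1"},
    {"ts": 4, "pid": 4300, "ppid": 4000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c del C:\Users\svc\AppData\Roaming\cert.cer"},
    # Benign-looking administrative use: parent is not a script host and the output is a .cer file.
    {"ts": 5, "pid": 5000, "ppid": 900, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -decode C:\Temp\server.b64 C:\Temp\server.cer"},
]


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def detect_certutil_chain(events):
    """Return (rule, pid) findings for the CertUtil decode-and-run pattern."""
    by_pid = {e["pid"]: e for e in events}
    decoded_outputs = {}  # lower-cased output path -> pid of the certutil that wrote it
    decode_sources = {}   # lower-cased input path  -> pid of the certutil that read it
    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        name = image_name(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = image_name(parent["image"]) if parent else ""
        cmd = e["cmdline"].lower()

        # Rule 1: the application server's Java process should not be launching script hosts.
        if name in SCRIPT_HOSTS and parent_name == "java.exe":
            findings.append(("script_host_spawned_by_java", e["pid"]))

        # Rules 2 and 3: certutil -decode driven by a script host, or writing a non-certificate file.
        if name == "certutil.exe":
            m = DECODE_RE.search(cmd)
            if m:
                src, dst = m.group(1), m.group(2)
                if parent_name in SCRIPT_HOSTS:
                    findings.append(("certutil_decode_from_script_host", e["pid"]))
                if not dst.endswith(CERT_EXTENSIONS):
                    findings.append(("certutil_decode_to_non_certificate", e["pid"]))
                decoded_outputs[dst] = e["pid"]
                decode_sources[src] = e["pid"]

        # Rule 4: a script host later runs a file that certutil produced.
        if name in SCRIPT_HOSTS and any(path in cmd for path in decoded_outputs):
            findings.append(("decoded_file_executed", e["pid"]))

        # Rule 5: the encoded source file is deleted afterwards (cleanup).
        if name == "cmd.exe" and "del " in cmd and any(path in cmd for path in decode_sources):
            findings.append(("decode_source_deleted", e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect_certutil_chain(EVENTS):
        print(f"{rule}: pid {pid}")
```

Rules 2 and 3 fire on their own, which keeps the logic useful even when the parent process is unknown; rules 4 and 5 tie later events back to the decode and are what turn individual alerts into one incident. The last event shows the expected negative case: CertUtil decoding into a real certificate file from a non-script parent produces no finding.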

The certificate file looks like a normal Privacy-Enhanced Mail (PEM) format certificate, but it actually contains a PowerShell command rather than the X.509 certificate data that format commonly carries.

“One interesting characteristic of the downloaded certificate file is that it requires that it be decoded twice before the PS command is revealed, which is unusual since the command from the exploit only uses CertUtil once,” said the report.
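The double decoding the report describes can be checked for mechanically: a genuine PEM body decodes in one step to DER bytes, whereas the file in this campaign decodes to another base64 layer and only then to script text. The following Python code is an added example, not code from the article or the report, that peels base64 layers from a PEM-style file one at a time and reports whether a DER certificate, script-like text, or something else comes out. The PEM samples, the filler "certificate" bytes and the placeholder PowerShell command are constructed for the demonstration.

```python
import base64
import binascii
import re

# -----BEGIN <label>----- ... -----END <label>-----  (label must match on both ends)
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

# Tokens that do not belong in a certificate payload but are common in PowerShell droppers.
SCRIPT_INDICATORS = ("powershell", "invoke-expression", "iex", "downloadstring",
                     "downloadfile", "net.webclient", "start-process", "encodedcommand")
MAX_LAYERS = 4  # how many nested base64 layers to peel before giving up


def b64_decode_strict(data: bytes):
    """Decode one base64 layer, ignoring line breaks; None if it is not valid base64."""
    compact = b"".join(data.split())
    if not compact:
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_der_certificate(blob: bytes) -> bool:
    """X.509 DER starts with a SEQUENCE tag (0x30) followed by a long-form length byte."""
    return len(blob) > 4 and blob[0] == 0x30 and blob[1] in (0x81, 0x82, 0x83)


def script_indicators_in(blob: bytes):
    """Indicators found when the bytes are read as UTF-8 or UTF-16LE (PowerShell's -EncodedCommand form)."""
    found = set()
    for enc in ("utf-8", "utf-16-le"):
        try:
            text = blob.decode(enc).lower()
        except UnicodeDecodeError:
            continue
        for token in SCRIPT_INDICATORS:
            if re.search(r"\b" + re.escape(token) + r"\b", text):
                found.add(token)
    return sorted(found)


def classify_pem(text: str) -> dict:
    """Peel base64 layers from a PEM body and report what finally comes out."""
    m = PEM_RE.search(text)
    if not m:
        return {"verdict": "not_pem", "layers": 0, "indicators": []}
    blob = m.group(2).encode("ascii", "ignore")
    layers = 0
    while layers < MAX_LAYERS:
        decoded = b64_decode_strict(blob)
        if decoded is None:
            break
        layers += 1
        blob = decoded
        if looks_like_der_certificate(blob):
            return {"verdict": "certificate", "layers": layers, "indicators": []}
        hits = script_indicators_in(blob)
        if hits:
            return {"verdict": "script_payload", "layers": layers, "indicators": hits}
    # Decodable but neither a certificate nor recognisable script text: still worth a look.
    return {"verdict": "suspicious_non_certificate", "layers": layers, "indicators": []}


def wrap_pem(body: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap base64 bytes in PEM markers with 64-character lines."""
    lines = [body[i:i + 64].decode() for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed sample 1: stand-in for a real certificate (DER SEQUENCE header plus filler bytes).
FAKE_DER = b"\x30\x82\x01\x00" + b"\x00" * 256
BENIGN_PEM = wrap_pem(base64.b64encode(FAKE_DER))

# Constructed sample 2: a harmless placeholder PowerShell command, base64-encoded twice and
# wrapped in PEM markers, mirroring the double decoding the report describes.
PLACEHOLDER_CMD = b"powershell -Command Write-Host 'placeholder payload'"
LOOKALIKE_PEM = wrap_pem(base64.b64encode(base64.b64encode(PLACEHOLDER_CMD)))

# Constructed sample 3: valid base64 that is neither a certificate nor script text.
OPAQUE_PEM = wrap_pem(base64.b64encode(b"\x01\x02\x03\x04"))

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_PEM), ("lookalike", LOOKALIKE_PEM), ("opaque", OPAQUE_PEM)):
        print(name, classify_pem(sample))
```

The indicator check runs at every layer rather than only at the end, so an intermediate layer that happens to decode as base64 by accident is still classified correctly, and the DER check comes first so a real certificate is never mistaken for text. The `layers` value is the direct counterpart of the report's observation: one layer for a real certificate, two for the file in this campaign.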

The PowerShell command in the certificate file downloads and executes another PowerShell script in memory, which in turn downloads and executes several files, including sysupdate.exe (Monero miner), config.json (configuration file for the miner), networkservice.exe (an executable possibly used for the propagation and exploitation of WebLogic), update.ps1 (the PowerShell script run in memory), sysguard.exe (watchdog for the miner process), and clean.bat (deletes other components).

The update.ps1 file is the decoded certificate file; it is replaced with the newly downloaded update.ps1, and a scheduled task is created that executes the new update.ps1 every 30 minutes.

The idea of using certificate files to hide malware is not a new one, but attacks utilizing this technique have not been observed before. However, it appears that for the time being the hackers behind the above-mentioned campaign are only testing this obfuscation method, as the other malicious files are downloaded without being hidden in certificate files, the researchers pointed out.
