11 June 2019

Hackers weaponize critical Oracle WebLogic vulnerability in cryptojacking attacks

Hackers are abusing the recently patched Oracle WebLogic Server vulnerability CVE-2019-2725 to deliver a Monero miner to vulnerable machines. The bug is a deserialization issue that allows unauthenticated remote command execution. The vendor fixed the flaw in late April, one week after proof-of-concept code for it was published online and cybercriminals began using it to install cryptocurrency miners.

In a new report, Trend Micro's researchers shed light on some of the activity involving CVE-2019-2725. The observed campaign revealed an interesting twist: the malware hides its malicious code in certificate files as an obfuscation tactic.

Once executed on the target machine, the malware exploits CVE-2019-2725 to execute a command and perform a series of routines. First, PowerShell is used to download a certificate file from the command-and-control (C&C) server and save it in %APPDATA% under the name cert.cer. The legitimate CertUtil tool is then used to decode the file, and the decoded content is executed with PowerShell. Finally, the downloaded file is deleted using cmd.

The certificate file looks like a normal Privacy-Enhanced Mail (PEM) format certificate, but it actually carries a PowerShell command instead of the X.509 certificate that such a file normally contains.

“One interesting characteristic of the downloaded certificate file is that it requires that it be decoded twice before the PS command is revealed, which is unusual since the command from the exploit only uses CertUtil once,” said the report.

The PowerShell command in the certificate file downloads and executes another PowerShell script in memory, which in turn downloads and executes several files, including sysupdate.exe (the Monero miner), config.json (the configuration file for the miner), networkservice.exe (an executable possibly used for the propagation and exploitation of WebLogic), update.ps1 (the PowerShell script executed in memory), sysguard.exe (a watchdog for the miner process), and clean.bat (which deletes other components).

The decoded certificate file is written out as the new update.ps1, replacing the existing one, and a scheduled task is created that executes the new update.ps1 every 30 minutes.
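As an added example (not code from the report or from the campaign), the Python script below checks whether a file that looks like a PEM certificate actually is one: it peels PEM/base64 layers the way repeated CertUtil -decode runs would, accepts only a DER-encoded X.509 structure, and flags a "certificate" that decodes to plain text, including the double-encoded case described above. The sample inputs are constructed and the verdict labels are assumptions of this example.

```python
import base64
import re
import string

# PEM wrapper that CertUtil -decode strips before base64-decoding the body.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
PRINTABLE = set(string.printable.encode())


def pem_body(blob: bytes):
    """Return the base64-decoded body of the first PEM block, or None if there is none."""
    m = PEM_RE.search(blob.decode("latin-1"))
    if not m:
        return None
    try:
        return base64.b64decode("".join(m.group(1).split()), validate=True) or None
    except ValueError:  # body is not valid base64
        return None


def analyse_certificate_file(blob: bytes, max_layers: int = 3) -> dict:
    """Peel PEM layers the way repeated CertUtil -decode runs would, then classify the result."""
    layers, data = 0, blob
    while layers < max_layers:
        inner = pem_body(data)
        if inner is None:
            break
        layers, data = layers + 1, inner
        # A real X.509 certificate is a DER SEQUENCE (tag 0x30) with a long-form length.
        if len(data) > 4 and data[0] == 0x30 and data[1] in (0x81, 0x82, 0x83):
            return {"layers": layers, "verdict": "x509"}
    if layers == 0:
        return {"layers": 0, "verdict": "not_pem"}
    if all(b in PRINTABLE for b in data):
        # A "certificate" that decodes to plain text is a script, not a certificate.
        return {"layers": layers, "verdict": "text_payload", "payload": data.decode()}
    return {"layers": layers, "verdict": "unknown_binary"}


def wrap_pem(data: bytes) -> bytes:
    """Wrap bytes in a PEM CERTIFICATE block with 64-character base64 lines."""
    b64 = base64.b64encode(data).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n".encode()


# Constructed samples: a harmless command wrapped twice (mimicking the double-encoded
# cert.cer) and a stand-in for a real certificate (DER SEQUENCE header plus filler bytes).
CONSTRUCTED_COMMAND = b'Write-Output "constructed sample, not the campaign payload"'
DOUBLE_WRAPPED = wrap_pem(wrap_pem(CONSTRUCTED_COMMAND))
FAKE_DER = wrap_pem(b"\x30\x82\x01\x00" + b"\x00" * 256)

if __name__ == "__main__":
    print(analyse_certificate_file(DOUBLE_WRAPPED), analyse_certificate_file(FAKE_DER))
```

A genuine certificate yields `x509` after one layer; the constructed double-wrapped file needs two layers and ends in a `text_payload` verdict, which is the property a file-inspection rule would alert on.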

The idea of using certificate files to hide malware is not new, but attacks using this technique had not been observed before. However, the researchers pointed out that for the time being the hackers behind the above-mentioned campaign appear to be only testing this obfuscation method, as the other malicious files are downloaded without being hidden in a certificate file.
