• The vulnerability was actively exploited to install miners for cryptocurrencies such as Monero.
  • It was reported that the malware used in the attack cloaked itself in certificate files for obfuscation.

A security vulnerability in Oracle WebLogic Server was found to be actively exploited by cybercriminals to install cryptocurrency miners. Security researchers from Trend Micro discovered that the malware used in the attack hid in certificate files and later dropped Monero miners in the system.

Tracked as CVE-2019-2725, the vulnerability is a deserialization remote code execution (RCE) flaw, which could allow unauthenticated attackers with network access to compromise WebLogic servers.

Worth noting

  • In their blog, the researchers detailed the infection chain of the attack. The attack begins with the malware exploiting CVE-2019-2725 to execute a PowerShell command.
  • This command is used to download a certificate file from a C2 server. The file, saved as ‘cert.cer’, is decoded using a Windows application called certutil. This decoded file is saved as ‘update.ps1’.
  • Upon executing this decoded file, the certificate file is deleted. Parallelly, a PowerShell script is downloaded and stored in memory. This script downloads and executes the cryptocurrency miner payload and other components.

Using certificate files for obfuscation

The researchers suggest that the use of certificate files for hiding malware has been prevalent for a while. “The idea of using certificate files to hide malware is not a new one: a proof of concept was introduced late last year by Sophos in which they demonstrated placing an Excel file with an embedded macro inside a certificate file,” read their blog.

“By using certificate files for obfuscation purposes, a piece of malware can possibly evade detection since the downloaded file is in a certificate file format which is seen as normal -— especially when establishing HTTPS connections,” added the researchers.

Oracle has released an update to fix the issue in WebLogic. Users are advised to apply this update to stay protected from RCE and similar attacks.

Cyware Publisher