A security vulnerability in Oracle WebLogic Server is being actively exploited by cybercriminals to install cryptocurrency miners. Security researchers from Trend Micro found that the malware used in the attack was hidden inside certificate files and, once decoded on the compromised host, dropped Monero miners on the system.
Tracked as CVE-2019-2725, the vulnerability is a deserialization remote code execution (RCE) flaw in WebLogic Server 10.3.6.0.0 and 12.1.3.0.0. It can be triggered by an unauthenticated attacker with network access to the server, so an exposed, unpatched instance can be fully compromised without any credentials.
Using certificate files for obfuscation
The researchers suggest that the use of certificate files for hiding malware has been prevalent for a while. “The idea of using certificate files to hide malware is not a new one: a proof of concept was introduced late last year by Sophos in which they demonstrated placing an Excel file with an embedded macro inside a certificate file,” read their blog.
“By using certificate files for obfuscation purposes, a piece of malware can possibly evade detection since the downloaded file is in a certificate file format which is seen as normal — especially when establishing HTTPS connections,” added the researchers.
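The evasion works because a PEM "certificate" is just base64 text between BEGIN/END markers, and a downloader that only checks the wrapper accepts any payload placed inside it. A cheap triage check is to decode each PEM block and confirm the body is actually DER-encoded X.509 (an outer SEQUENCE whose first element is the tbsCertificate SEQUENCE) rather than a script. The following is an added example written for this page, not code from Trend Micro's research; the sample files are constructed inline (a benign PowerShell one-liner wrapped in certificate markers, and a minimal synthetic DER stub that only mimics the outer structure of a certificate). A production pipeline would hand the decoded DER to a real X.509 parser; the structural check here is deliberately minimal so it runs with the standard library alone.

```python
import base64
import re

# One PEM block: label in the BEGIN/END lines, base64 body in between.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_length(buf, pos):
    """Parse a DER length at buf[pos]. Returns (length, index after the length) or (None, None)."""
    if pos >= len(buf):
        return None, None
    first = buf[pos]
    if first < 0x80:                      # short form: single byte
        return first, pos + 1
    nbytes = first & 0x7F                 # long form: number of length bytes follows
    if nbytes == 0 or nbytes > 4 or pos + 1 + nbytes > len(buf):
        return None, None
    return int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes


def looks_like_der_certificate(raw):
    """Structural check only: SEQUENCE { SEQUENCE tbsCertificate, ... } spanning the whole buffer."""
    if not raw or raw[0] != 0x30:
        return False
    inner_len, body_start = der_length(raw, 1)
    if inner_len is None or body_start + inner_len != len(raw):
        return False
    return raw[body_start] == 0x30        # tbsCertificate must itself be a SEQUENCE


def is_mostly_text(raw):
    """True when the decoded body is printable ASCII, i.e. a script rather than DER."""
    sample = raw[:512]
    if not sample:
        return False
    printable = sum(1 for b in sample if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(sample) > 0.95


def decode_pem_blocks(text):
    """Yield (label, decoded_bytes_or_None) for every PEM block found in text."""
    for m in PEM_RE.finditer(text):
        body = "".join(m.group(2).split())
        try:
            raw = base64.b64decode(body, validate=True)
        except ValueError:                # binascii.Error is a ValueError subclass
            raw = None
        yield m.group(1), raw


def classify_pem_file(text):
    """Return [(label, verdict)], verdict in certificate / script-text / unknown-binary / not-base64."""
    verdicts = []
    for label, raw in decode_pem_blocks(text):
        if raw is None:
            verdicts.append((label, "not-base64"))
        elif looks_like_der_certificate(raw):
            verdicts.append((label, "certificate"))
        elif is_mostly_text(raw):
            verdicts.append((label, "script-text"))
        else:
            verdicts.append((label, "unknown-binary"))
    return verdicts


# Constructed sample 1: a benign script hidden behind certificate markers (the evasion pattern).
_SCRIPT = b'Write-Host "constructed sample payload"\n'
SAMPLE_FAKE_CERT = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(_SCRIPT).decode()
    + "-----END CERTIFICATE-----\n"
)

# Constructed sample 2: synthetic DER stub SEQUENCE { SEQUENCE { INTEGER 2 } }; not a real
# certificate, only enough structure to pass the outer-shape check above.
_DER_STUB = bytes.fromhex("30053003020102")
SAMPLE_DER_STUB = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(_DER_STUB).decode()
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    for name, sample in (("fake", SAMPLE_FAKE_CERT), ("stub", SAMPLE_DER_STUB)):
        print(name, classify_pem_file(sample))
```

Anything that carries a CERTIFICATE label but classifies as `script-text` or `not-base64` is exactly the kind of download the researchers describe and deserves a closer look; a `certificate` verdict from this stub check still needs full X.509 parsing before it is trusted.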
Oracle has released an out-of-band Security Alert with a patch for CVE-2019-2725. Administrators are advised to apply it promptly: because the flaw needs no credentials, any unpatched WebLogic instance reachable from an untrusted network remains exposed to this RCE and similar attacks.