Cybersecurity firm Trend Micro has confirmed that attackers have been exploiting a vulnerability in the Oracle WebLogic server to install monero (XMR) mining malware, while using certificate files as an obfuscation trick. The news was revealed in a Trend Micro blog post published on June 10.
As previously reported, forms of stealth crypto mining are also referred to with the industry term cryptojacking — the practice of installing malware that uses a computer’s processing power to mine for cryptocurrencies without the owner’s consent or knowledge.
According to Trend Micro’s post, a security patch for the Oracle WebLogic vulnerability (“CVE-2019-2725”) — reportedly caused by a deserialization error — was released in the National Vulnerability Database earlier this spring.
However, Trend Micro cites reports that emerged on the SANS ISC InfoSec forum alleging that the vulnerability has already been exploited for cryptojacking purposes, and confirms that it has verified and analyzed the allegations.
The firm notes that the identified attacks deployed what it describes as “an interesting twist” — namely that “the malware hides its malicious codes in certificate files as an obfuscation tactic”:
“The idea of using certificate files to hide malware is not a new one [...] By using certificate files for obfuscation purposes, a piece of malware can possibly evade detection since the downloaded file is in a certificate file format which is seen as normal — especially when establishing HTTPS connections.”
Trend Micro’s analysis begins by noting that the malware exploits CVE-2019-2725 to execute a PowerShell command, prompting the download of a certificate file from the command-and-control server.
After continuing to trace its steps and characteristics — including the installation of the XMR miner payload — Trend Micro notes an apparent anomaly in its current deployment:
“[O]ddly enough, upon execution of the PS command from the decoded certificate file, other malicious files are downloaded without being hidden via the certificate file format mentioned earlier. This might indicate that the obfuscation method is currently being tested for its effectiveness, with its expansion to other malware variants pegged at a later date.”
The post concludes with a recommendation to firms using WebLogic Server to update their software to the latest version with the security patch in order to mitigate the risk of cryptojacking.
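A defender-side check for the certificate-file trick described above, as an added example that is not taken from Trend Micro's post or this article: a genuine PEM certificate decodes to a binary DER SEQUENCE, so a downloaded "certificate" whose base64 body decodes to readable script text stands out. The function names, the result labels and both sample inputs are constructed for illustration, and the check covers only the outer DER framing, not a full X.509 parse.

```python
import base64
import binascii
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_sequence_ok(der: bytes) -> bool:
    """True if the blob is one DER SEQUENCE whose declared length spans it exactly."""
    if len(der) < 2 or der[0] != 0x30:          # 0x30 = SEQUENCE tag
        return False
    first = der[1]
    if first < 0x80:                            # short-form length
        header, length = 2, first
    else:                                       # long-form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)

def classify_pem(text: str) -> str:
    """Classify the first CERTIFICATE block found in a downloaded file."""
    m = PEM_RE.search(text)
    if not m:
        return "no-pem-block"
    body = "".join(m.group(1).split())          # drop line breaks and padding spaces
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return "bad-base64"
    if der_sequence_ok(raw):
        return "der-structure"
    # Real certificates are binary; mostly printable bytes suggest hidden script text.
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw)
    if raw and printable / len(raw) > 0.9:
        return "suspicious-text-payload"
    return "suspicious-not-der"

def wrap_pem(raw: bytes) -> str:
    """Build a constructed PEM file around arbitrary bytes (test helper)."""
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Constructed samples: a minimal DER SEQUENCE, and harmless placeholder script text.
DER_SHAPED = wrap_pem(bytes([0x30, 0x03, 0x02, 0x01, 0x05]))
TEXT_IN_CERT = wrap_pem(b"Write-Output 'constructed placeholder, not a real payload'")
```

Files that come back as `suspicious-text-payload` or `suspicious-not-der` are candidates for closer inspection; a `der-structure` result only means the framing looks like a certificate.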
As recently reported, Trend Micro detected a major uptick in XMR cryptojacking targeting China-based systems this spring, in a campaign mimicking earlier activities that had used an obfuscated PowerShell script to deliver XMR-mining malware.