A recently patched vulnerability in Oracle WebLogic is being exploited in attacks aimed at installing crypto-miners on vulnerable machines, Trend Micro reports.
Tracked as
CVE-2019-2725 and rated Critical severity,
the vulnerability was patched in late April, one week after proof-of-concept code for it was made public and cyber-criminals started abusing it in live attacks. A deserialization issue, the bug allows unauthenticated remote command execution.
The SANS Institute warned in late April that some of the attacks targeting the vulnerability involved crypto-currency miners and Trend Micro now confirms the attacks and says that analysis has revealed the used obfuscation technique: malicious code is hidden inside certificate files.
Once executed on the target machine, the malware exploits CVE-2019-2725 to execute a command and perform a series of routines.
At first, PowerShell is used to download a certificate file from the command and control (C&C) server, then the legitimate CertUtil tool is used to decode the file, which is then executed using PowerShell. The downloaded file is then deleted using cmd.
The certificate file looks like a normal Privacy-Enhanced Mail (PEM) format certificate, but it actually comes in the form of a PowerShell command instead of the commonly used X.509 TLS file format. The file requires to be decoded twice before the command is revealed, which is unusual since the command from the exploit only uses CertUtil once.
“There is also the possibility that the certificate file we downloaded is different from the file that was actually intended to be downloaded by the remote command, perhaps because it is continuously being updated by the threat actors,” Trend Micro’s security researchers
note.
