Threat Management, Malware, Vulnerability Management

Adversaries exploit WebLogic bug to deliver cryptominer, use .cer files for obfuscation

Cybercriminals have been using a recently discovered critical vulnerability in the Oracle WebLogic server to deliver a Monero cryptomining program, while using certificate files to obfuscate malicious code.

Caused by a deserialization error, the flaw, CVE-2019-2725, was patched in an April 26 out-of-band security update. The SANS ISC InfoSec forums originally hosted reports of malicious actors exploiting the bug to install cryptominers, but today a new Trend Micro blog post has confirmed this activity, while also revealing the obfuscation trick.

"The idea of using certificate files to hide malware is not a new one," the blog states, authored by Trend Micro researchers Mark Vicente, Johnlery Triunfante and Byron Gelera. "By using certificate files for obfuscation purposes, a piece of malware can possibly evade detection since the downloaded file is in a certificate file format which is seen as normal – especially when establishing HTTPS connections."

The infection chain begins when the malware exploits CVE-2019-2725 to execute a PowerShell command, resulting in the downloading of a certificate file from a C2 server. The malware then uses the command-line certificate management program CertUtil to decode the file, which is saved under a new name and executed before the original certificate file is deleted.

Trend Micro notes that the certificate file does not arrive in the commonly used X.509 TLS file format, but rather in the form of a PowerShell command. This command downloads another PowerShell script that downloads and executes the primary miner payload and other supporting files.
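The trick described above works because `certutil -decode` will happily strip the `-----BEGIN CERTIFICATE-----` armor and base64-decode whatever sits inside it, certificate or not. As an added example (not code from the Trend Micro report or from SC Media), the following stdlib-only Python script shows the triage check a defender can run over a suspicious .cer file: unwrap the PEM armor, decode the body, and report whether the payload at least has the DER SEQUENCE structure an X.509 certificate must have, or whether it is really text or arbitrary binary wearing a certificate header. The function names, the label strings and the sample inputs are constructed for this example; a production checker would hand the "der-sequence" case on to a real X.509 parser.

```python
"""Triage a file that claims to be a certificate.

Added example, not from the article or the Trend Micro report: unwrap the
PEM armor of a purported .cer file, base64-decode the body, and classify
the payload. A genuine X.509 certificate is a DER SEQUENCE whose declared
length matches the data; a script disguised as a certificate is usually
plain text once decoded. Sample inputs at the bottom are constructed.
"""
import base64
import re
import sys
from typing import Optional

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def pem_body(text: str) -> Optional[bytes]:
    """Return the base64-decoded bytes between the CERTIFICATE markers, or None."""
    m = PEM_RE.search(text)
    if not m:
        return None
    b64 = re.sub(r"\s+", "", m.group(1))
    try:
        # validate=True rejects characters outside the base64 alphabet.
        return base64.b64decode(b64, validate=True)
    except ValueError:
        return None


def looks_like_der_sequence(data: bytes) -> bool:
    """Minimal DER check: outer tag 0x30 (SEQUENCE) whose length covers the data."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                       # short-form length
        length, hdr = first, 2
    else:                                  # long-form length: 0x8n + n bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length = int.from_bytes(data[2:2 + n], "big")
        hdr = 2 + n
    return hdr + length == len(data)


def classify_cert_file(text: str) -> str:
    """Label: 'der-sequence', 'text-payload', 'binary-payload' or 'not-pem'."""
    data = pem_body(text)
    if data is None:
        return "not-pem"
    if looks_like_der_sequence(data):
        return "der-sequence"              # plausible certificate; parse it properly next
    try:
        data.decode("ascii")
        return "text-payload"              # script or command hidden in cert armor
    except UnicodeDecodeError:
        return "binary-payload"            # executable or other blob hidden in cert armor


def wrap_as_cert(data: bytes) -> str:
    """Helper used to build constructed samples: PEM-armor arbitrary bytes."""
    b64 = base64.b64encode(data).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed samples (not real certificates or real malware content).
GENUINE_LIKE = wrap_as_cert(b"\x30\x03\x02\x01\x05")        # SEQUENCE { INTEGER 5 }
DISGUISED_TEXT = wrap_as_cert(b"# constructed text standing in for a script\r\n")
DISGUISED_BINARY = wrap_as_cert(b"\x00\xff\xfe\x01")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(classify_cert_file(fh.read()))
    else:
        for name, sample in [("genuine-like", GENUINE_LIKE),
                             ("disguised-text", DISGUISED_TEXT),
                             ("disguised-binary", DISGUISED_BINARY)]:
            print(f"{name}: {classify_cert_file(sample)}")
```

The structural check is deliberately cheap: it only confirms the outer DER framing, so a "der-sequence" result means "worth parsing as X.509", not "trusted certificate". The useful signal for this campaign is the other direction: a file with certificate armor whose decoded body is readable text is not a certificate at all, and in an incident timeline that file, together with a `certutil -decode` process event that wrote a new executable, is exactly the artifact to pivot on.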

The same WebLogic vulnerability has also been exploited in a campaign to spread the recently discovered Sodinokibi ransomware.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
