Cybercriminals have been using a recently discovered critical vulnerability in the Oracle WebLogic server to deliver a Monero cryptomining program, while using certificate files to obfuscate malicious code.
Caused by a deserialization error, the flaw, CVE-2019-2725, was patched in an April 26 out-of-band security update. The SANS ISC InfoSec forums originally hosted reports of malicious actors exploiting the bug to install cryptominers, but today a new Trend Micro blog post has confirmed this activity, while also revealing the obfuscation trick.
"The idea of using certificate files to hide malware is not a new one," states the blog post, authored by Trend Micro researchers Mark Vicente, Johnlery Triunfante and Byron Gelera. "By using certificate files for obfuscation purposes, a piece of malware can possibly evade detection since the downloaded file is in a certificate file format which is seen as normal – especially when establishing HTTPS connections."
The infection chain begins when the malware exploits CVE-2019-2725 to execute a PowerShell command, resulting in the downloading of a certificate file from a C2 server. The malware then uses the command-line certificate management program CertUtil to decode the file, which is saved under a new name and executed before the original certificate file is deleted.
Trend Micro notes that the certificate file does not arrive in the commonly used X.509 TLS file format, but rather in the form of a PowerShell command. This command downloads another PowerShell script that downloads and executes the primary miner payload and other supporting files.
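Because the trick depends on a file that only looks like a PEM certificate, a defender can triage suspect files by checking whether the base64 body actually decodes to a DER structure. The following Python script is an added example, not code from the article or from Trend Micro; the PEM samples in it are constructed stand-ins, not files from the campaign.

```python
import base64
import binascii
import re

# Constructed samples (not from the campaign): one PEM block wrapping a minimal
# DER SEQUENCE stand-in, one wrapping plain script text the way the article describes.
GENUINE_DER = b"\x30\x03\x02\x01\x05"  # SEQUENCE { INTEGER 5 }: minimal DER element
SCRIPT_TEXT = b"# constructed placeholder script, not a certificate\nWrite-Host 'hi'\n"

def wrap_pem(raw: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap raw bytes in a PEM envelope with 64-column base64 lines."""
    b64 = base64.b64encode(raw).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

SAMPLE = wrap_pem(GENUINE_DER) + wrap_pem(SCRIPT_TEXT)

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_total_length(data: bytes):
    """Total length a DER SEQUENCE at data[0] claims to occupy, or None if it is not one."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                     # short-form length
        return 2 + first
    n = first & 0x7F                     # long-form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def classify_pem_blocks(text: str) -> list:
    """One verdict per PEM block: der-sequence, text-payload, non-der-binary or invalid-base64."""
    findings = []
    for m in PEM_RE.finditer(text):
        label, body = m.group(1), "".join(m.group(2).split())
        try:
            raw = base64.b64decode(body, validate=True)
        except binascii.Error:
            findings.append({"label": label, "verdict": "invalid-base64"})
            continue
        if der_total_length(raw) == len(raw):
            verdict = "der-sequence"      # structurally a DER object, as a real certificate is
        else:
            decoded = raw.decode("utf-8", errors="replace")
            is_text = "\ufffd" not in decoded and all(c.isprintable() or c in "\r\n\t" for c in decoded)
            verdict = "text-payload" if is_text else "non-der-binary"
        findings.append({"label": label, "verdict": verdict, "size": len(raw)})
    return findings

if __name__ == "__main__":
    for finding in classify_pem_blocks(SAMPLE):
        print(finding)
```

A genuine X.509 certificate decodes to a DER SEQUENCE whose declared length matches the data; a block that decodes to readable script text fails that check and is flagged for inspection.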
The same WebLogic vulnerability has also been exploited in a campaign to spread the recently discovered Sodinokibi ransomware.