Bug in WebLogic Server Used to Install Malware
According to a blog post published by Trend Micro on June 10, attackers have been taking advantage of a bug in Oracle’s WebLogic server and using it to install a Monero (XMR) mining malware. The malware also uses certificate files to obscure its trail.
Cryptojacking, which is the process of mining cryptocurrencies stealthily, is done by installing malware that utilizes a computer’s own processing power to mine cryptos without the user’s consent or knowledge.
The flaw in the WebLogic server was a deserialization vulnerability tracked as CVE-2019-2725. Oracle patched the bug in an out-of-band security update on April 26.
However, despite the patch, Trend Micro cited reports from the SANS ISC InfoSec Forum stating that the vulnerability was already being exploited for cryptojacking. Trend Micro said it had investigated these claims and verified that they were true.
The firm noted that these stealth attacks came with an interesting twist: the attackers were using certificate files to hide the malicious code. The company added that using certificate files to hide malware was not a new idea.
Malware downloaded in the form of a certificate file would look normal to the system, especially while an HTTPS connection was being established, which allowed the malicious code to avoid detection.
How it Works
The analysis conducted by Trend Micro showed that the malware exploited the CVE-2019-2725 bug to run a PowerShell command. This led to a certificate file being downloaded from a command-and-control server.
Trend Micro highlighted an interesting aspect of this malware: after the PowerShell command extracted from the decoded certificate file was executed, further malware files were downloaded, but these files were not disguised as certificate files.
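A defender-side check for the technique described above, as an added example that is not code from Trend Micro's report: it tests whether a file carrying CERTIFICATE armour actually decodes to a single DER SEQUENCE, as a real X.509 certificate does, or to something else such as script text. The samples are constructed and the helper names are assumptions of this example.

```python
import base64
import binascii
import re

# Captures the base64 body between the PEM armour lines (re.S so newlines match).
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_sequence_length(der: bytes):
    """Total encoded length of the DER SEQUENCE at the start of der, or None."""
    if len(der) < 2 or der[0] != 0x30:          # 0x30 is the ASN.1 SEQUENCE tag
        return None
    first = der[1]
    if first < 0x80:                            # short-form length
        return 2 + first
    n = first & 0x7F                            # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def classify_pem(text: str) -> str:
    """Return 'not-pem', 'bad-base64', 'x509-like', 'text-payload' or 'non-der-payload'.

    A genuine certificate decodes to exactly one DER SEQUENCE spanning the body.
    """
    m = PEM_CERT_RE.search(text)
    if not m:
        return "not-pem"
    body = "".join(m.group(1).split())          # drop line breaks inside the armour
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return "bad-base64"
    if der_sequence_length(der) == len(der):
        return "x509-like"
    # Not a DER SEQUENCE: mostly printable bytes suggest a script in certificate armour.
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in der)
    if der and printable / len(der) > 0.9:
        return "text-payload"
    return "non-der-payload"


def armour(raw: bytes) -> str:
    """Wrap bytes in CERTIFICATE armour; used only to build the constructed samples."""
    b64 = base64.b64encode(raw).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed samples: a minimal DER SEQUENCE (structurally certificate-like) and plain text.
GOOD_SAMPLE = armour(b"\x30\x03\x02\x01\x05")
SMUGGLED_SAMPLE = armour(b"constructed placeholder text, not a certificate\n")
```

Run over a directory of downloaded .cer/.crt files, anything other than "x509-like" deserves a closer look.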
The firm concluded that this could be because the obfuscation method was being tested by the attackers for effectiveness, and that depending on how successful this method was, it would be replicated for other variants of malware at a later date.
Trend Micro concluded its post by advising companies running Oracle's WebLogic server to update to the latest version carrying the security patch, so that the risk of a malware attack is mitigated.
Trend Micro also recently revealed an increase in XMR-related cryptojacking focused on China-based computer systems. These attacks mimicked earlier cryptojacking activity that had used obfuscated PowerShell scripts to download XMR-mining malware.