Trend Micro Discovers Attackers Going After Oracle WebLogic Server in Latest Cryptojacking Ordeal
- Trend Micro discovered cryptojacking malware within the Oracle WebLogic server.
- The malware uses certificate files to conceal the mining activity and the installation of the malware itself.
Trend Micro Discovers Malware on Oracle WebLogic Server
Malware infecting cryptocurrency platforms and servers is nothing new, which is why Trend Micro continues to search for vulnerabilities online. The cybersecurity firm investigated the Oracle WebLogic server and found a vulnerability that attackers have been exploiting to install Monero mining malware. As an obfuscation trick, the attackers are taking advantage of certificate files, which Trend Micro revealed in a blog post on June 10th.
This practice of hiding mining malware on a computer system is also known as cryptojacking: it uses the victim's processing power without the device owner's knowledge. The Trend Micro post explains that a security patch for the vulnerability was released in the spring, according to the National Vulnerability Database.
The original vulnerability reportedly stems from a deserialization error. Reports on the SANS ISC InfoSec forum, however, indicated that the vulnerability had already been exploited to open the door for cryptojacking.
How Malware Programs Are Able to Avoid Detection
Rather than simply hiding the malware on the network, the firm explained, this campaign has an "interesting twist": the code is hidden within certificate files. The blog further explains,
"The idea of using certificate files to hide malware is not a new one […] By using certificate files for obfuscation purposes, a piece of malware can possibly evade detection since the downloaded file is in a certificate file format which is seen as normal — especially when establishing HTTPS connections."
Exploiting CVE-2019-2725 causes a PowerShell command to be executed, and that command downloads a certificate file from the command-and-control server. Trend Micro went on to trace the malware's subsequent steps in the blog, but the firm noted an anomaly in how the malware is deployed.
The blog continues,
“[O]ddly enough, upon execution of the PS command from the decoded certificate file, other malicious files are downloaded without being hidden via the certificate file format mentioned earlier. This might indicate that the obfuscation method is currently being tested for its effectiveness, with its expansion to other malware variants pegged at a later date.”
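A defensive check that follows from the technique described in these quotes, added here as an example and not code from Trend Micro's report: it decodes each PEM block in a file and tests whether the payload is really a DER SEQUENCE, as every X.509 certificate must be, so that a "certificate" whose body decodes to plain text stands out. The sample inputs below are constructed, and the minimal DER blob stands in for a real certificate.

```python
import base64
import re

# Matches one PEM block; group 1 is the label, group 2 the base64 body.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def der_sequence_length(blob: bytes):
    """Return the total length a leading DER SEQUENCE (tag 0x30) claims, or None.
    A genuine X.509 certificate is a top-level SEQUENCE spanning the whole payload."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    first = blob[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long-form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        return None
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def classify_pem_blocks(data: bytes) -> list:
    """Decode each PEM block and report whether its payload is actually DER."""
    findings = []
    for m in PEM_RE.finditer(data):
        label = m.group(1).decode()
        body = re.sub(rb"\s+", b"", m.group(2))
        try:
            raw = base64.b64decode(body, validate=True)
        except ValueError:                # binascii.Error is a ValueError subclass
            findings.append({"label": label, "der": False, "text_like": False,
                             "reason": "bad base64"})
            continue
        is_der = der_sequence_length(raw) == len(raw)
        printable = sum(32 <= b < 127 or b in b"\r\n\t" for b in raw)
        text_like = bool(raw) and not is_der and printable / len(raw) > 0.95
        findings.append({"label": label, "der": is_der, "text_like": text_like,
                         "reason": "DER SEQUENCE" if is_der else "payload is not DER"})
    return findings


# Constructed samples (not from the report): a minimal DER SEQUENCE standing in
# for a certificate, and a PEM wrapper whose payload is just text.
GOOD_PEM = (b"-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(b"\x30\x03\x02\x01\x05")
            + b"-----END CERTIFICATE-----\n")
FAKE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(b"Write-Output 'constructed sample, not a certificate'")
            + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for f in classify_pem_blocks(GOOD_PEM + FAKE_PEM):
        print(f)
```

The check only validates the outer DER framing; a full parse with a certificate library is the next step for anything that passes.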
Ultimately, Trend Micro recommended that organizations still running the WebLogic software install the latest update, which includes the security patch and reduces the risk of cryptojacking. Trend Micro had earlier found a major surge in XMR cryptojacking affecting systems in China, which also used an obfuscated PowerShell script to deploy the malware.