Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Critical Oracle WebLogic Vulnerability Exploited in Attacks

A recently patched vulnerability in Oracle WebLogic is being exploited in attacks aimed at installing crypto-miners on vulnerable machines, Trend Micro reports.

A recently patched vulnerability in Oracle WebLogic is being exploited in attacks aimed at installing crypto-miners on vulnerable machines, Trend Micro reports.

Tracked as CVE-2019-2725 and rated Critical severity, the vulnerability was patched in late April, one week after proof-of-concept code for it was made public and cyber-criminals started abusing it in live attacks. A deserialization issue, the bug allows unauthenticated remote command execution. 

The SANS Institute warned in late April that some of the attacks targeting the vulnerability involved crypto-currency miners and Trend Micro now confirms the attacks and says that analysis has revealed the used obfuscation technique: malicious code is hidden inside certificate files. 

Once executed on the target machine, the malware exploits CVE-2019-2725 to execute a command and perform a series of routines. 

At first, PowerShell is used to download a certificate file from the command and control (C&C) server, then the legitimate CertUtil tool is used to decode the file, which is then executed using PowerShell. The downloaded file is then deleted using cmd.

The certificate file looks like a normal Privacy-Enhanced Mail (PEM) format certificate, but it actually comes in the form of a PowerShell command instead of the commonly used X.509 TLS file format. The file requires to be decoded twice before the command is revealed, which is unusual since the command from the exploit only uses CertUtil once. 

“There is also the possibility that the certificate file we downloaded is different from the file that was actually intended to be downloaded by the remote command, perhaps because it is continuously being updated by the threat actors,” Trend Micro’s security researchers note

Advertisement. Scroll to continue reading.

When executed, the command in the certificate file downloads and executes another PowerShell script in memory. The script then downloads and executes multiple files: Sysupdate.exe (Monero miner), Config.json (configuration file for the miner), Networkservice.exe (likely used for propagation and exploitation of WebLogic), Update.ps1 (the PowerShell script in memory), Sysguard .exe (watchdog for the miner process), and Clean.bat (deletes other components). 

Next, the update.ps1 file containing the decoded certificate file is replaced with the new update.ps1 and a scheduled task is created to execute the new PowerShell script every 30 minutes.

The use of certificate files to obfuscate malware allows attackers to evade detection and the idea is not new, but attacks to leverage it haven’t been observed before, or have been too few, Trend Micro notes. 

“However, oddly enough, upon execution of the PS command from the decoded certificate file, other malicious files are downloaded without being hidden via the certificate file format mentioned earlier. This might indicate that the obfuscation method is currently being tested for its effectiveness, with its expansion to other malware variants pegged at a later date,” the security researchers conclude. 

Related: Oracle Patches WebLogic Zero-Day Exploited in Attacks

Related: New Sodinokibi Ransomware Delivered via Oracle WebLogic Flaw

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.