A recently patched vulnerability in Oracle WebLogic is being exploited in attacks aimed at installing crypto-miners on vulnerable machines, Trend Micro reports.

Tracked as CVE-2019-2725 and rated Critical severity, the vulnerability was patched in late April, one week after proof-of-concept code for it was made public and cyber-criminals started abusing it in live attacks. A deserialization issue, the bug allows unauthenticated remote command execution. 

The SANS Institute warned in late April that some of the attacks targeting the vulnerability involved crypto-currency miners and Trend Micro now confirms the attacks and says that analysis has revealed the used obfuscation technique: malicious code is hidden inside certificate files. 

Once executed on the target machine, the malware exploits CVE-2019-2725 to execute a command and perform a series of routines. 

At first, PowerShell is used to download a certificate file from the command and control (C&C) server, then the legitimate CertUtil tool is used to decode the file, which is then executed using PowerShell. The downloaded file is then deleted using cmd.

The certificate file looks like a normal Privacy-Enhanced Mail (PEM) format certificate, but it actually comes in the form of a PowerShell command instead of the commonly used X.509 TLS file format. The file requires to be decoded twice before the command is revealed, which is unusual since the command from the exploit only uses CertUtil once. 

“There is also the possibility that the certificate file we downloaded is different from the file that was actually intended to be downloaded by the remote command, perhaps because it is continuously being updated by the threat actors,” Trend Micro’s security researchers note. 

When executed, the command in the certificate file downloads and executes another PowerShell script in memory. The script then downloads and executes multiple files: Sysupdate.exe (Monero miner), Config.json (configuration file for the miner), Networkservice.exe (likely used for propagation and exploitation of WebLogic), Update.ps1 (the PowerShell script in memory), Sysguard .exe (watchdog for the miner process), and Clean.bat (deletes other components). 

Next, the update.ps1 file containing the decoded certificate file is replaced with the new update.ps1 and a scheduled task is created to execute the new PowerShell script every 30 minutes.

The use of certificate files to obfuscate malware allows attackers to evade detection and the idea is not new, but attacks to leverage it haven’t been observed before, or have been too few, Trend Micro notes. 

“However, oddly enough, upon execution of the PS command from the decoded certificate file, other malicious files are downloaded without being hidden via the certificate file format mentioned earlier. This might indicate that the obfuscation method is currently being tested for its effectiveness, with its expansion to other malware variants pegged at a later date,” the security researchers conclude. 

Related: Oracle Patches WebLogic Zero-Day Exploited in Attacks

Related: New Sodinokibi Ransomware Delivered via Oracle WebLogic Flaw