This concerns a zero-day remote command execution vulnerability affecting the wls9_async and wls-wsat components of Oracle WebLogic. All versions of WebLogic are susceptible, including the latest, as long as wls9_async_response.war and wls-wsat.war are enabled.
The flaw can be exploited by an attacker sending a specially crafted HTTP request.
The CVE-2019-2725 bug was patched at the end of April, but a few days later malware began exploiting the Oracle WebLogic Server vulnerability to spread the Sodinokibi ransomware.
Experts from the SANS Institute reported that the flaw was already being exploited by attackers in cryptojacking campaigns.
According to Trend Micro security researchers, the malware keeps its malicious code in certificate files in order to stay hidden. Once the malware is installed on the system, it begins exploiting the flaw and initiates a chain of follow-on attacks.
The attack starts with a PowerShell command that downloads a certificate file from the C2 server. The malicious code uses the CertUtil tool to decode the file and then executes it with PowerShell. The downloaded file is then deleted with cmd.
The certificate file appears to be in PEM (Privacy-Enhanced Mail) format.
The command in the certificate file is used by the attackers to download and run another PowerShell script in memory. That script downloads and runs multiple files: Sysupdate.exe (a Monero miner), Config.json (the miner's configuration file), Networkservice.exe (probably used for WebLogic propagation and exploitation), Update.ps1 (the in-memory PowerShell script), Sysguard.exe (a watchdog for the mining process) and Clean.bat (which deletes the other components).
Researchers also found that the update.ps1 file containing the decoded certificate content is replaced with a new update.ps1, and a scheduled task is created to run the new PowerShell script every 30 minutes.
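As an added defender-side check (example code, not from the page, Trend Micro or Oracle): a small Python triage that base64-decodes a PEM body and tests whether it is a single DER SEQUENCE, as every X.509 certificate is, or plain text carrying script markers. The `triage_pem` and `der_sequence_ok` names and the two samples are constructed for this illustration.

```python
import base64
import re

# One PEM block: label plus base64 body between BEGIN/END armour lines.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
# Substrings that never belong inside a real DER-encoded certificate body.
SCRIPT_MARKERS = (b"powershell", b"invoke-expression", b"downloadstring", b"cmd.exe", b"certutil")

def der_sequence_ok(blob: bytes) -> bool:
    """Structural sanity check only: one DER SEQUENCE (tag 0x30) spanning the whole blob."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    first = blob[1]
    if first < 0x80:                       # short-form length
        length, hdr = first, 2
    else:                                  # long-form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or len(blob) < 2 + n:
            return False
        length, hdr = int.from_bytes(blob[2:2 + n], "big"), 2 + n
    return hdr + length == len(blob)

def triage_pem(text: str) -> dict:
    """Classify a PEM-looking file: genuine DER inside, or something else."""
    m = PEM_RE.search(text)
    if not m:
        return {"verdict": "not-pem"}
    label, body = m.group(1), "".join(m.group(2).split())
    try:
        blob = base64.b64decode(body, validate=True)
    except ValueError:
        return {"verdict": "bad-base64", "label": label}
    if blob and der_sequence_ok(blob):
        return {"verdict": "der-ok", "label": label, "size": len(blob)}
    low = blob.lower()
    markers = [k.decode() for k in SCRIPT_MARKERS if k in low]
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in blob) / max(len(blob), 1)
    return {"verdict": "suspicious", "label": label, "markers": markers,
            "printable_ratio": round(printable, 2)}

def _pem(label: str, raw: bytes) -> str:
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed samples, not artefacts from the campaign: a minimal DER SEQUENCE
# standing in for a real certificate, and a harmless script wrapped in PEM armour.
GENUINE_PEM = _pem("CERTIFICATE", b"\x30\x05\x30\x03\x02\x01\x01")
FAKE_PEM = _pem("CERTIFICATE", b'powershell.exe -Command "Write-Output constructed"')
```

Run it over files that certutil was asked to decode; a "suspicious" verdict on a file named like a certificate is worth a closer look, while a "der-ok" result only says the container is shaped like DER, not that the certificate is trustworthy.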
Hiding malicious code in certificate files to avoid detection is not new; Sophos dealt with such a case in a test demonstration last year.