
A flaw in Oracle WebLogic is used in cryptojacking campaigns

The newly discovered CVE-2019-2725 flaw in Oracle WebLogic, which was patched a while ago, is still being used in cryptojacking campaigns, according to security researchers at Trend Micro.

It is a zero-day remote command execution vulnerability affecting the wls9_async and wls-wsat components of Oracle WebLogic. All versions of WebLogic are susceptible, including the latest, as long as wls9_async_response.war and wls-wsat.war are enabled.

The flaw can be exploited by an attacker who sends a specially crafted HTTP request.

While the CVE-2019-2725 bug was fixed at the end of April, only a few days later malware began using the Oracle WebLogic Server vulnerability to spread the Sodinokibi ransomware.

Experts from the SANS Institute reported that the flaw was already being exploited by attackers to carry out cryptojacking campaigns.

According to Trend Micro's security experts, the malware stores its malicious code in certificate files in order to keep it hidden. Once the malware is installed on the system, it begins to exploit the flaw and initiates a chain of further attacks.

The attack starts with a PowerShell command that downloads a certificate file from the C2 server. The malicious code uses the CertUtil tool to decode the file and then executes it with PowerShell. The downloaded file is then deleted with cmd.

The certificate file is formatted as PEM (Privacy-Enhanced Mail).

The command in the certificate file is used by the attackers to download and run another PowerShell script in memory. The script downloads and runs multiple files, such as Sysupdate.exe (Monero miner), Config.json (miner configuration file), Networkservice.exe (probably used for WebLogic propagation and exploitation), Update.ps1 (PowerShell script executed in memory), Sysguard.exe (watchdog for the mining process) and Clean.bat (deletes other components).
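The technique described above relies on a file that looks like a PEM certificate but whose base64 body is script text rather than an X.509 structure. A defender can check for exactly that mismatch: a genuine certificate decodes to an ASN.1 DER SEQUENCE (first byte 0x30) whose declared length equals the decoded payload length. The following script is an added example and not part of the original article or of Trend Micro's analysis; the PEM samples it inspects are constructed inline (a minimal DER structure and a benign stand-in for smuggled script text), not samples from the campaign.

```python
"""Flag PEM "certificate" files whose base64 body is not DER-encoded X.509.

Added example: constructed samples, not artefacts from the WebLogic campaign.
"""
import base64
import re
from typing import Optional

# One PEM block: label, base64 body, matching END label.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def wrap_pem(payload: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap raw bytes in a PEM envelope with 64-character base64 lines."""
    b64 = base64.b64encode(payload).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pem_payload(text: str) -> Optional[bytes]:
    """Return the decoded base64 body of the first PEM block, or None if absent/invalid."""
    m = PEM_RE.search(text)
    if not m:
        return None
    body = re.sub(r"\s+", "", m.group(2))
    try:
        return base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def der_sequence_length(data: bytes) -> Optional[int]:
    """If data starts with a DER SEQUENCE tag, return the total length it declares
    (tag + length octets + content); otherwise None."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long-form: n length octets follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    content_len = int.from_bytes(data[2:2 + n], "big")
    return 2 + n + content_len


def classify_pem(text: str) -> str:
    """Classify a PEM file as a plausible certificate or as a smuggling suspect."""
    payload = pem_payload(text)
    if payload is None:
        return "not-pem"
    declared = der_sequence_length(payload)
    if declared is None:
        return "suspicious: body is not DER"
    if declared != len(payload):
        return "suspicious: DER length mismatch"
    return "plausible-certificate"


# --- constructed samples ---------------------------------------------------
# A minimal, structurally valid DER SEQUENCE (not a real certificate):
# SEQUENCE(len 201) { OCTET STRING(len 198) of zero bytes }
_DER_OK = b"\x30\x81\xc9" + b"\x04\x81\xc6" + b"\x00" * 198
SAMPLE_OK = wrap_pem(_DER_OK)

# Script text smuggled inside a certificate envelope (benign stand-in).
SAMPLE_SMUGGLED = wrap_pem(b"# constructed stand-in for a smuggled script\nWrite-Output 'hello'\n")

# Text that happens to begin with '0' (0x30): the tag check alone would pass,
# so the length check is what catches it.
SAMPLE_ZERO_TEXT = wrap_pem(b"0" + b"x" * 60)


if __name__ == "__main__":
    for name, sample in [("ok", SAMPLE_OK), ("smuggled", SAMPLE_SMUGGLED),
                         ("zero-text", SAMPLE_ZERO_TEXT)]:
        print(f"{name:10s} -> {classify_pem(sample)}")
```

The check is deliberately structural rather than a full X.509 parse: it needs no third-party library and catches the case the article describes, where the body is a command rather than a certificate. For production use it would be paired with a real certificate parser and with telemetry on certutil invocations that use the decode option.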

Experts found that the update.ps1 file containing the decoded certificate file is replaced by a new update.ps1, and that a scheduled task is created to run the new PowerShell script every 30 minutes.

Hiding malicious code in certificates to evade detection is not new; Sophos dealt with such a case in a demonstration last year.


The author permits copying of this text only if the source (SecNews.gr) is credited with a live URL to the article.
Updated by Absent Mia
