A defect in Oracle WebLogic is used in Cryptojacking campaigns

The recently discovered CVE-2019-2725 flaw in Oracle WebLogic, which was patched a while ago, is still being used in cryptojacking campaigns, according to security researchers at Trend Micro.

It was a zero-day remote command execution vulnerability affecting the wls9_async and wls-wsat components of Oracle WebLogic. All versions of WebLogic are susceptible, including the latest, which ships with wls9_async_response.war and wls-wsat.war enabled.

The flaw can be exploited by sending a specially crafted HTTP request.

Although the CVE-2019-2725 bug was fixed at the end of April, only a few days later malware began using the Oracle WebLogic Server vulnerability to spread the Sodinokibi ransomware.

Experts from the SANS Institute reported that the flaw was already being exploited by hackers to carry out Cryptojacking campaigns.

According to Trend Micro's security experts, the malware stores its malicious code in certificate files in order to hide it. Once installed on a system, it exploits the flaw and launches a chain of further attacks.

The attack starts with a PowerShell command that downloads a certificate file from the C2 server. The malicious code uses the CertUtil tool to decode the file and then executes it with PowerShell. The downloaded file is then deleted with cmd.

The certificate file is in PEM (Privacy-Enhanced Mail) format.

The command in the certificate file is used by the attackers to download and run another PowerShell script in memory. That script downloads and runs several files: Sysupdate.exe (Monero miner), Config.json (miner configuration file), Networkservice.exe (probably used for WebLogic propagation and exploitation), Update.ps1 (in-memory PowerShell script), Sysguard.exe (watchdog for the mining process) and Clean.bat (deletes the other items).

The experts also found that the update.ps1 file containing the decoded certificate is replaced with a new update.ps1, and that a scheduled task is created to run the new PowerShell script every 30 minutes.

Hiding malicious code in certificate files to evade detection is not new; Sophos documented such a case in a demonstration last year.
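As an added, defender-side example (not code from this article or from Trend Micro), the following Python check separates a PEM block that really wraps a DER-encoded certificate from one whose base64 body decodes to script text, the kind of carrier file described above. The two sample PEM strings are constructed inside the code; the DER check only looks at the outer SEQUENCE header rather than parsing a full X.509 structure.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_sequence_spans_payload(data: bytes) -> bool:
    """True if data is one DER SEQUENCE (tag 0x30) whose length field covers
    exactly the rest of the payload, as a real X.509 certificate does."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length
        length, header = first, 2
    else:                                 # long-form: 0x8n, then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length, header = int.from_bytes(data[2:2 + n], "big"), 2 + n
    return header + length == len(data)


def verdict(data):
    """Classify one decoded PEM body: undecodable, empty, der, text or binary."""
    if data is None:
        return "undecodable"
    if not data:
        return "empty"
    if der_sequence_spans_payload(data):
        return "der"
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return "text" if printable / len(data) > 0.9 else "binary"


def classify_pem(text: str):
    """Return [(label, verdict), ...] for every PEM block in text.
    A CERTIFICATE block whose verdict is 'text' deserves a closer look."""
    results = []
    for m in PEM_RE.finditer(text):
        body = re.sub(r"\s+", "", m.group(2))   # drop the 64-column line breaks
        try:
            data = base64.b64decode(body, validate=True)
        except ValueError:                      # binascii.Error is a ValueError
            data = None
        results.append((m.group(1), verdict(data)))
    return results


# Constructed samples, not real files: one PEM wrapping a minimal DER SEQUENCE
# (long-form length, 200 content bytes) and one wrapping plain script text.
GENUINE_PEM = ("-----BEGIN CERTIFICATE-----\n"
               + base64.encodebytes(b"\x30\x81\xc8" + b"\x00" * 200).decode()
               + "-----END CERTIFICATE-----\n")
FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(b"powershell.exe -Command placeholder-script").decode()
            + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(classify_pem(GENUINE_PEM + FAKE_PEM))  # [('CERTIFICATE', 'der'), ('CERTIFICATE', 'text')]
```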
