
A defect in Oracle WebLogic is used in Cryptojacking campaigns


The recently discovered CVE-2019-2725 flaw in Oracle WebLogic, although it was patched some time ago, is still being used in cryptojacking campaigns, according to security researchers at Trend Micro.

It is a zero-day remote command execution vulnerability affecting the wls9_async and wls-wsat components of Oracle WebLogic. All versions of WebLogic are affected, including the latest, which has wls9_async_response.war and wls-wsat.war enabled.

The flaw can be exploited by an attacker who sends a specially crafted HTTP request.

Although the CVE-2019-2725 bug was fixed at the end of April, only a few days later malware began using the Oracle WebLogic Server vulnerability to spread the Sodinokibi ransomware.

Experts from the SANS Institute reported that the flaw was already being exploited by attackers to carry out cryptojacking campaigns.

According to Trend Micro's security experts, the malware stores its malicious code in certificate files in order to keep it hidden. Once installed on the system, it exploits the flaw and launches a chain of further attacks.

The attack starts with a PowerShell command that downloads a certificate file from the C2 server. The malicious code uses the CertUtil tool to decode the file and then executes it with PowerShell. The downloaded file is then deleted with cmd.

The certificate file is formatted as a PEM (Privacy-Enhanced Mail) certificate.

The command hidden in the certificate file is used by the attackers to download and run another PowerShell script in memory. That script downloads and runs several files: Sysupdate.exe (a Monero miner), Config.json (the miner configuration file), Networkservice.exe (probably used for WebLogic propagation and exploitation), Update.ps1 (the PowerShell script run in memory), Sysguard.exe (a watchdog for the mining process) and Clean.bat (which deletes the other components).

Experts found that the update.ps1 file containing the decoded certificate file is replaced with a new update.ps1, and a scheduled task is created to run the new PowerShell script every 30 minutes.

Hiding malicious code in certificate files to evade detection is not new: Sophos dealt with such a case in a demonstration last year.
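As an added example (not SecNews' or Trend Micro's code), the following Python triage helper flags PEM-formatted files whose base64 body does not decode to an X.509 DER structure, which is exactly the gap the CertUtil trick described above relies on: a "certificate" that really carries a script. The PEM samples it checks are constructed, and the names `is_der_sequence`, `classify_pem` and `wrap_pem` are this example's own.

```python
import base64
import re

# Matches one PEM block and captures its label and base64 body.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def is_der_sequence(data: bytes) -> bool:
    """True if data is a single DER SEQUENCE whose length covers the whole buffer.
    Every X.509 certificate starts with tag 0x30, so a genuine PEM cert passes."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                       # short-form length
        return 2 + first == len(data)
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return False
    return 2 + n + int.from_bytes(data[2:2 + n], "big") == len(data)


def classify_pem(text: str) -> list:
    """Classify each PEM block: 'der' (real certificate), 'script' (payload is
    printable text, as with a script smuggled for CertUtil to decode) or 'junk'."""
    results = []
    for label, body in PEM_RE.findall(text):
        try:
            raw = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            results.append((label, "junk"))
            continue
        if is_der_sequence(raw):
            results.append((label, "der"))
        elif all(32 <= b < 127 or b in (9, 10, 13) for b in raw):
            results.append((label, "script"))
        else:
            results.append((label, "junk"))
    return results


def wrap_pem(payload: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap arbitrary bytes in a PEM block (used only to build constructed samples)."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed samples: a minimal DER SEQUENCE standing in for a certificate,
# and a harmless script line hidden the way the article describes.
REAL_CERT = wrap_pem(b"\x30\x03\x02\x01\x05")
HIDDEN_SCRIPT = wrap_pem(b"Write-Host 'constructed sample, not malware'")

if __name__ == "__main__":
    print(classify_pem(REAL_CERT + HIDDEN_SCRIPT))  # [('CERTIFICATE', 'der'), ('CERTIFICATE', 'script')]
```

Run it over the contents of any .cer/.pem file dropped by an untrusted process; a 'script' verdict on something named like a certificate is worth an alert.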


The author permits copying of this text only if the source (SecNews.gr) is credited with a live URL link to the article.