Security researchers discovered a vulnerability in Oracle WebLogic Server, a component of Oracle Fusion Middleware, that was being actively exploited by cybercriminals to install cryptocurrency miners. The malware used in the attack hid in certificate files to avoid detection and later dropped a cryptocurrency miner known as Monero Miner. Tracked as CVE-2019-2725, the vulnerability is easily exploitable: it allows an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. When successfully exploited, this vulnerability could result in a takeover of the Oracle WebLogic Server.
The malware exploits CVE-2019-2725 to execute a PowerShell command that downloads the malicious code, obscured in a file named cert.cer under %APPDATA%, to help the malware go undetected by firewalls and anti-malware programs.
Certutil.exe, a command-line program installed as part of Certificate Services, is used to decode the certificate file. The extracted file is saved as %APPDATA%\update.ps1. The PowerShell command then executes the newly created update.ps1 before the downloaded cert.cer file is deleted using cmd.
The researchers said in their report that when they downloaded the certificate file, it looked like a normal Privacy-Enhanced Mail (PEM) format certificate. However, upon decoding the base64 content, they found that instead of the X.509 certificate format commonly used for TLS, it contained a PowerShell command.
The downloaded certificate file must be decoded twice before the PowerShell command is revealed. This is unusual, since the command from the exploit only uses CertUtil once.
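The technique described above (a PEM wrapper whose base64 body is not DER-encoded X.509 data but text, possibly base64-encoded a second time) can be checked for with a small triage script. The following is an added example written for this page, not code from the researchers' report or from the malware; the sample "certificate" it inspects is constructed inline with a harmless placeholder line standing in for the real payload, and the DER check is a structural heuristic (one outer SEQUENCE whose length matches the data), not a full X.509 parser.

```python
import base64
import binascii
import re
from typing import Optional, Tuple

# Matches one PEM block and captures its label and base64 body.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_body(text: str) -> Optional[bytes]:
    """Return the base64-decoded body of the first PEM block, or None."""
    m = PEM_RE.search(text)
    if m is None:
        return None
    try:
        return base64.b64decode("".join(m.group(2).split()), validate=True)
    except (binascii.Error, ValueError):
        return None


def is_der_certificate(data: bytes) -> bool:
    """Structural heuristic: a DER X.509 certificate is a single outer
    SEQUENCE (tag 0x30) whose encoded length covers exactly the rest."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length byte
        return len(data) == 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return False
    length = int.from_bytes(data[2:2 + n], "big")
    return len(data) == 2 + n + length


def is_text(data: bytes) -> bool:
    """True when the bytes are printable UTF-8 text (what a script looks like)."""
    try:
        s = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(c.isprintable() or c in "\r\n\t" for c in s)


def strip_base64_layers(data: bytes, max_layers: int = 3) -> Tuple[bytes, int]:
    """Peel nested base64 layers; a layer is only accepted when the decoded
    result is itself text or DER-like. Returns (payload, layers_removed)."""
    layers = 0
    while layers < max_layers and is_text(data):
        s = "".join(data.decode("utf-8").split())
        if not s or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
            break
        try:
            decoded = base64.b64decode(s, validate=True)
        except (binascii.Error, ValueError):
            break
        if not (is_text(decoded) or is_der_certificate(decoded)):
            break
        data = decoded
        layers += 1
    return data, layers


def classify_pem(text: str) -> dict:
    """Classify a PEM-looking file. 'decodes' counts base64 decodes needed
    to reach the payload (the PEM decode itself counts as one)."""
    body = pem_body(text)
    if body is None:
        return {"verdict": "not-pem"}
    payload, layers = strip_base64_layers(body)
    result = {"decodes": 1 + layers}
    if is_der_certificate(payload):
        result["verdict"] = "der-sequence"
    elif is_text(payload):
        result["verdict"] = "suspicious-text"
        result["snippet"] = payload.decode("utf-8", "replace")[:80]
    else:
        result["verdict"] = "unknown"
    return result


def _wrap(body: bytes) -> str:
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(body).decode()
            + "\n-----END CERTIFICATE-----\n")


# Constructed samples (not the real files). SAMPLE_PEM mimics the double
# encoding described in the article: PEM base64 around base64 around text.
INNER = b"Write-Host 'placeholder, not the real payload'"
SAMPLE_PEM = _wrap(base64.b64encode(INNER))
# A minimal DER SEQUENCE (containing INTEGER 5) standing in for a real cert.
GOOD_PEM = _wrap(b"\x30\x03\x02\x01\x05")

if __name__ == "__main__":
    print(classify_pem(SAMPLE_PEM))
    print(classify_pem(GOOD_PEM))
```

Run over files handed to certutil -decode (or quarantined .cer files), a "suspicious-text" verdict with two or more decodes is the pattern worth alerting on, because a genuine certificate never needs a second base64 pass to become DER.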
The researchers added that the downloaded certificate file may differ from the file the remote command was actually intended to download, perhaps because it is continuously being updated by the threat actors. They also noted that using certificate files to hide malware is not a new technique: another security firm had introduced a proof-of-concept showing how Excel documents with macros embedded in certificate files could be used to evade malware detection.
Oracle has already issued an update that addresses the vulnerability exploited in the attack on its WebLogic Server. It is not yet clear whether the attackers have been able to earn any cryptocurrency from the campaign.