The CVE-2019-2725 vulnerability in the Oracle WebLogic Server application has been abused by hackers, leading to Monero miner infections. Several security reports indicate that criminal groups are exploiting the bug and aim to infect as many computers as possible with cryptocurrency miners.
Oracle WebLogic Server Flaw and Its CVE-2019-2725 Bug Are Used To Infect Hosts With Monero Miners
Oracle WebLogic Server, one of the most widely used enterprise solutions, has been found to be affected by a dangerous flaw. It is tracked as CVE-2019-2725, and the advisory describes how the server can be compromised by malicious users. Using the flaw, remote attackers can run a PowerShell command on the server that downloads a certificate file to the host. The certificate utility then decodes the contents of that file, and the decoded data is decompressed to produce the actual payload. In the current attack the final payload is a Monero miner.
During this campaign the following files have been deployed onto the victim computers:
- Sysupdate.exe — This is the main Monero miner file.
- Config.json — This is the accompanying configuration file.
- Networkservce.exe — This is another module, probably used for distributing the payloads.
- Update.ps1 — This file contains the PowerShell script, which is run in memory.
- Sysguard.exe — This is the watchdog that monitors the activity of the Monero miner.
- Clean.bat — This is the clean-up utility.
The defining characteristic of this campaign is that the payload is obfuscated inside security certificate files. The cryptocurrency miner is installed as a persistent threat, which makes it very difficult to remove. As always, the presence of such malicious code starts a sequence of mining tasks that place a heavy toll on the performance and stability of the system. Whenever one of those tasks is reported as complete, the criminals receive income in cryptocurrency, transferred directly to their wallets. Oracle has patched the vulnerability and is urging customers to update their installations as soon as possible.
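The delivery chain described above (a certificate file downloaded by PowerShell and decoded by the certificate utility) and the obfuscation characteristic just noted both rest on the same trick: the file is framed like a PEM certificate but its base64 body is not a certificate at all. A defender can check for that directly. The following is an added example, not code from the original article or from any named vendor or project; it assumes only the standard PEM `-----BEGIN CERTIFICATE-----` framing and decodes the body to see whether it is a single well-formed DER object (as a real X.509 certificate is) or something else, such as a PE executable or an archive. The sample inputs are constructed inline for the test.

```python
"""Check whether a PEM 'certificate' actually contains a DER-encoded
object, or smuggles something else (an executable, an archive).
Added example; not code from the original article or any named project."""
import base64
import binascii
import re
from dataclasses import dataclass

# Matches the body between the BEGIN/END markers that certificate-decoding
# utilities accept; whitespace and line breaks inside the body are allowed.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(?P<body>.*?)-----END CERTIFICATE-----",
    re.DOTALL,
)


@dataclass
class Verdict:
    kind: str         # what the decoded bytes look like
    suspicious: bool  # True when the body is not a DER object at all
    detail: str


def _der_length_matches(raw: bytes) -> bool:
    """Return True if raw is one complete DER SEQUENCE (tag 0x30) whose
    encoded length covers exactly the whole buffer, as a real X.509
    certificate does."""
    if len(raw) < 2 or raw[0] != 0x30:
        return False
    first = raw[1]
    if first < 0x80:                      # short form: length in one byte
        return len(raw) == 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(raw) < 2 + n:
        return False
    length = int.from_bytes(raw[2:2 + n], "big")
    return len(raw) == 2 + n + length


def classify_pem_blob(text: str) -> Verdict:
    """Decode the PEM body and classify what it really contains."""
    m = PEM_RE.search(text)
    if not m:
        return Verdict("no-pem", False, "no BEGIN/END CERTIFICATE block")
    body = re.sub(r"\s+", "", m.group("body"))
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return Verdict("not-base64", True, "PEM body is not valid base64")
    if raw.startswith(b"MZ"):
        return Verdict("pe-executable", True, "decoded bytes start with an MZ (PE) header")
    if raw.startswith(b"PK\x03\x04"):
        return Verdict("zip-archive", True, "decoded bytes start with a ZIP local file header")
    if raw.startswith(b"\x1f\x8b"):
        return Verdict("gzip", True, "decoded bytes start with the gzip magic number")
    if _der_length_matches(raw):
        return Verdict("der-object", False, "decoded bytes are one well-formed DER SEQUENCE")
    return Verdict("unknown", True, "decoded bytes are not a DER SEQUENCE")


def wrap_pem(raw: bytes) -> str:
    """Frame raw bytes as a PEM certificate block (used here only to build
    the constructed test inputs below)."""
    b64 = base64.b64encode(raw).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed samples: a minimal DER SEQUENCE (containing INTEGER 5) and a
# fake PE stub; neither is a real certificate or a real executable.
SAMPLE_DER = wrap_pem(b"\x30\x03\x02\x01\x05")
SAMPLE_PE = wrap_pem(b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 20)

if __name__ == "__main__":
    for name, sample in (("der", SAMPLE_DER), ("pe", SAMPLE_PE)):
        v = classify_pem_blob(sample)
        print(f"{name}: {v.kind} suspicious={v.suspicious} ({v.detail})")
```

Run over files that a process has just written or that a PowerShell process has handed to the certificate utility, `classify_pem_blob` flags any "certificate" whose body is a PE image, a ZIP or gzip stream, or anything else that is not a single DER object. The DER length check is deliberately strict: trailing bytes after the SEQUENCE, which a normal certificate never has, are treated as suspicious rather than tolerated.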