Security researchers have identified yet another cryptocurrency mining malware. This time it’s installing itself on enterprise application servers, and using a clever trick to remain hidden. If that wasn’t enough, the malware has already claimed its first major victim: Oracle servers.
The malware takes advantage of a common vulnerability and exploit that was first identified in April this year by researchers from cybersecurity firm Trend Micro. It attacks Oracle WebLogic Servers to install a Monero cryptocurrency mining bot.
Reports of the malware first surfaced on the SANS ISC InfoSec Forums last week. Trend Micro researchers verified that the exploit has been used to crypto-jack insecure Oracle servers.
In order to remain hidden, the malicious code is obscured in certificate files. This helps the malware go undetected by firewalls and antivirus software.
In short, the malware uses an exploit to execute an automated command, to download the malicious certificate file.
A decoding tool is used to read the certificate and change its name and extension to an update file. After the update file is executed, the certificate file is deleted, and another automated script is downloaded and executed.
It’s this second script that downloads and executes the cryptocurrency miner.
Using certificate files to hide malware is not a new technique, Trend Micro notes. Another security firm, Sophos, introduced a proof-of-concept which showed how Excel documents with macros embedded in certificate files could be used to evade detection.
To security software, certificate files are seen as normal, and so can house malicious files that go undetected, researchers say.
Oracle has already issued an update that addresses the malware’s attack vector. It is unclear if hackers have been able to earn any cryptocurrency from the attack.
It seems that crypto-jackers are keen on using obfuscation techniques to slip their cryptocurrency mining software into victims’ machines.
Last week, hackers were found to be using an imitation cryptocurrency trading website to sneak cryptocurrency stealing malware into users’ computers.
Published June 11, 2019 — 10:22 UTC