A vulnerability in Oracle WebLogic Server is being used to install malicious miners, according to Trend Micro. The vulnerability is being actively exploited to set up Monero mining operations on unsuspecting computers.

In April 2019, security notice on CVE-2019-2725 was put out by the National Vulnerability Database regarding a serious issue in the Oracle WebLogic Server component of Oracle Fusion Middleware. The versions affected are 10.3.6.00 and 12.1.3.0.0. The exploit allows attackers to access the network via HTTP to compromise the server.

According to the notice, the vulnerability allows for a takeover of Oracle WebLogic Server.

However, an investigation by Trend Micro revealed that the issue is far deeper than first thought. In fact, it was being exploited to set up Monero miners on unsuspecting systems.

Malicious Miners Exploit Vulnerability

The installation of these malicious miners is apparently quite easy.

First, the malware exploits CVE-2019-2725 with a specific command function which forces the system to download a certificate file and save it under %APPDATA% with the file name cert.cer. This was detected by Trend Micro as Coinminer.Win32.MALXMR.TIAOODCJ.component. Although deeply embedded and made to look like a normal Privacy-Enhanced Mail (PEM) certificate, the miner is embedded within it.

This certificate is responsible for downloading and executing files relating to the XMR miner payload, the config file for the miner, and other files.

It’s unclear how many systems were affected by this breach and how many may still be mining XMR unintentionally.

Hidden Threats

The trouble with this particular vulnerability is that it demonstrates how easy certificate files can be used to obfuscate hidden threats. For example, a certificate file can avoid detection by appearing to be “normal.” Yet, Trend Micro has now discovered that such files can easily contain malicious directives for hidden miners.

As this exploit catches on, we can likely see more hackers embed mining operations within unsuspecting certificates. The discovery is sure to cause a headache for not just Oracle, but other database management systems.

Have you ever been subject to a malicious attack which implanted a hidden miner on your system? How do you protect against it? Let us know your thoughts below.