CVE-2019-2725 Exploited and Certificate Files Used for Obfuscation to Deliver Monero Miner

description: In April 2019, a security advisory was released for CVE-2019-2725, a deserialization vulnerability involving the widely used Oracle WebLogic Server. Soon after the advisory was published, reports emerged on the SANS ISC InfoSec forums that the vulnerability was already being actively exploited to install cryptocurrency miners. We managed to confirm these reports after feedback from the Trend Micro™ Smart Protection Network™ security architecture revealed similar cryptocurrency-mining activity involving the vulnerability, but with an interesting twist — the malware hides its malicious code in certificate files as an obfuscation tactic.

IOC Table