From blog.trendmicro.com
In April 2019, a security advisory was released for CVE-2019-2725, a deserialization vulnerability involving the widely used Oracle WebLogic Server. Soon after the advisory was published, reports emerged on the SANS ISC InfoSec forums that the vulnerability was already being actively exploited to install cryptocurrency miners. We managed to confirm these reports after feedback from the Trend Micro™ Smart Protection Network™ security architecture revealed a similar cryptocurrency-mining activity involving the vulnerability, but with an interesting twist — the malware hides its malicious codes in certificate files as an obfuscation tactic.