8220 Gang Exploits Oracle WebLogic Server Flaws for Cryptocurrency Mining

Avatar
Security researchers have shed more light on the cryptocurrency mining operation conducted by the 8220 Gang by exploiting known security flaws in the Oracle WebLogic Server. “The threat actor employs fileless execution techniques, using DLL reflective and process injection, allowing the malware code to run solely in memory and avoid disk-based detection mechanisms,” Trend Micro researchers Ahmed

Security researchers have shed more light on the cryptocurrency mining operation conducted by the 8220 Gang by exploiting known security flaws in the Oracle WebLogic Server.

“The threat actor employs fileless execution techniques, using DLL reflective and process injection, allowing the malware code to run solely in memory and avoid disk-based detection mechanisms,” Trend Micro researchers Ahmed Mohamed Ibrahim, Shubham Singh, and Sunil Bharti said in a new analysis published today.

The cybersecurity firm is tracking the financially motivated actor under the name Water Sigbin, which is known to weaponize vulnerabilities in Oracle WebLogic Server such as CVE-2017-3506, CVE- 2017-10271, and CVE-2023-21839 for initial access and drop the miner payload via multi-stage loading technique.

A successful foothold is followed by the deployment of PowerShell script that’s responsible for dropping a first-stage loader (“wireguard2-3.exe”) that mimics the legitimate WireGuard VPN application, but, in reality, launches another binary (“cvtres.exe”) in memory by means of a DLL (“Zxpus.dll”).

The injected executable serves as a conduit to load the PureCrypter loader (“Tixrgtluffu.dll”) that, in turn, exfiltrates hardware information to a remote server and creates scheduled tasks to run the miner as well as excludes the malicious files from Microsoft Defender Antivirus.

In response, the command-and-control (C2) server responds with an encrypted message containing the XMRig configuration details, following which the loader retrieves and executes the miner from an attacker-controlled domain by masquerading it as “AddinProcess.exe,” a legitimate Microsoft binary.

The development comes as the QiAnXin XLab team detailed a new installer tool used by the 8220 Gang called k4spreader since at least February 2024 to deliver the Tsunami DDoS botnet and the PwnRig mining program.

The malware, which is currently under development and has a shell version, has been leveraging security flaws such as Apache Hadoop YARN, JBoss, and Oracle WebLogic Server to infiltrate susceptible targets.

“k4spreader is written in cgo, including system persistence, downloading and updating itself, and releasing other malware for execution,” the company said, adding it’s also designed to disable the firewall, terminate rival botnets (e.g., kinsing), and printing operational status.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post

Combatting the Evolving SaaS Kill Chain: How to Stay Ahead of Threat Actors

Next Post

GitLab Releases Patch for Critical CI/CD Pipeline Vulnerability and 13 Others

Related Posts

Muhstik Botnet Exploiting Apache RocketMQ Flaw to Expand DDoS Attacks

The distributed denial-of-service (DDoS) botnet known as Muhstik has been observed leveraging a now-patched security flaw impacting Apache RocketMQ to co-opt susceptible servers and expand its scale. "Muhstik is a well-known threat targeting IoT devices and Linux-based servers, notorious for its ability to infect devices and utilize them for cryptocurrency mining and launching Distributed Denial
Avatar
Read More