8220 Gang Exploits Oracle WebLogic Server Flaws for Cryptocurrency Mining
June 28, 2024 | Press Room | Malware / Cryptocurrency
Security researchers have shed more light on the cryptocurrency mining operation run by the 8220 Gang, which exploits known security flaws in Oracle WebLogic Server.
“The threat actor employs fileless execution techniques, using DLL reflection and process injection, allowing the malware code to execute exclusively in memory and avoiding disk-based detection mechanisms,” Trend Micro researchers Ahmed Mohamed Ibrahim, Shubham Singh and Sunil Bharti said in a new analysis published today.
The cybersecurity firm is tracking the financially motivated actor under the name Water Sigbin, which is known for weaponizing Oracle WebLogic Server vulnerabilities such as CVE-2017-3506, CVE-2017-10271, and CVE-2023-21839 for initial access and for delivering the miner payload via a multi-stage loading technique.
A successful foothold is followed by the deployment of a PowerShell script that drops a first-stage loader (“wireguard2-3.exe”) which mimics the legitimate WireGuard VPN application but, in reality, launches another binary (“cvtres.exe”) in memory via a DLL (“Zxpus.dll”).
The injected executable acts as a conduit to load the PureCrypter loader (“Tixrgtluffu.dll”), which, in turn, exfiltrates hardware information to a remote server, creates scheduled tasks to execute the miner, and adds the malicious files to the Microsoft Defender Antivirus exclusion list.
The command-and-control (C2) server then responds with an encrypted message containing the XMRig configuration details, after which the loader fetches and executes the miner from an attacker-controlled domain, masquerading it as “AddinProcess.exe,” a legitimate Microsoft binary.
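As an added illustration (not code from the Trend Micro report or this article), the following Python triage routine scores constructed process-start records against the stages described above: the wireguard2-3.exe loader, a Defender exclusion added with Add-MpPreference, scheduled-task creation, and a binary named like a Microsoft .NET tool (AddinProcess.exe, cvtres.exe) running from outside the .NET directory. The trusted-path rule, the record format and the sample records are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed telemetry (not real logs): one record per process start.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NET = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
SAMPLE_EVENTS = [
    {"host": "web01", "image": r"C:\Users\Public\wireguard2-3.exe",
     "cmdline": "wireguard2-3.exe"},
    {"host": "web01", "image": PS,
     "cmdline": "powershell -ep bypass Add-MpPreference -ExclusionPath C:\\Users\\Public"},
    {"host": "web01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /create /tn Update /tr C:\\Users\\Public\\AddinProcess.exe /sc onlogon"},
    {"host": "web01", "image": r"C:\Users\Public\AddinProcess.exe", "cmdline": "AddinProcess.exe"},
    {"host": "web02", "image": NET + r"\AddinProcess.exe", "cmdline": "AddinProcess.exe"},
]

# Loader file name reported in the article; any sighting deserves a look.
LOADER_NAMES = {"wireguard2-3.exe"}
# Genuine .NET binaries whose names the chain reuses. Assumption for this
# example: the real copies live under C:\Windows\Microsoft.NET\, so the same
# name anywhere else is treated as masquerading.
MASQUERADE_NAMES = {"addinprocess.exe", "cvtres.exe"}
TRUSTED_ROOT = "c:\\windows\\microsoft.net\\"
EXCLUSION_RE = re.compile(r"add-mppreference\s+-exclusionpath", re.I)
SCHTASK_RE = re.compile(r"schtasks(\.exe)?\s+/create", re.I)

def is_masquerading(image):
    """True when a .NET-named binary runs from outside the .NET tree."""
    low = image.lower()
    name = low.rsplit("\\", 1)[-1]
    return name in MASQUERADE_NAMES and not low.startswith(TRUSTED_ROOT)

def classify(event):
    """Map one process-start record to the chain stage it matches, or None."""
    name = event["image"].rsplit("\\", 1)[-1].lower()
    if name in LOADER_NAMES:
        return "loader"
    if EXCLUSION_RE.search(event["cmdline"]):
        return "defender_exclusion"
    if SCHTASK_RE.search(event["cmdline"]):
        return "scheduled_task"
    if is_masquerading(event["image"]):
        return "masquerade"
    return None

def triage(events, min_stages=3):
    """Return {host: sorted stages} for hosts matching at least min_stages distinct stages."""
    seen = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            seen[ev["host"]].add(stage)
    return {h: sorted(s) for h, s in seen.items() if len(s) >= min_stages}
```

Requiring several distinct stages on one host keeps a lone legitimate AddinProcess.exe or a single administrative exclusion from raising an alert on its own.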
The development comes as the QiAnXin XLab team has detailed a new installer tool called k4spreader, used by the 8220 Gang since at least February 2024 to deliver the Tsunami DDoS botnet and the PwnRig mining program.
The malware, which is still under development and also has a shell version, exploits security flaws in Apache Hadoop YARN, JBoss, and Oracle WebLogic Server to infiltrate vulnerable targets.
“k4spreader is written in cgo, including system persistence, downloading and updating itself, and dropping other malware for execution,” the company said, adding that it is also designed to disable the firewall, terminate rival botnets (e.g., Kinsing), and print operational status.