Security researchers have uncovered a cryptocurrency mining operation conducted by the 8220 gang that exploits vulnerabilities in Oracle WebLogic Server. Known as Water Sigbin, the threat actor uses fileless execution techniques to bypass detection mechanisms, allowing the malware code to run solely in memory.
The initial access is gained through vulnerabilities such as CVE-2017-3506, CVE-2017-10271, and CVE-2023-21839, followed by a multi-stage loading technique to drop the miner payload. The malware employs PowerShell scripts to remove first-stage loaders and launch other executables in memory via DLL injection.
The PureCrypter Charger is then initiated, leaking hardware information to a remote server and creating scheduled tasks to run the miner while evading detection by Microsoft Defender Antivirus. The loader retrieves XMRig configuration details from a C2 server before running the miner from a malicious domain disguised as a legitimate Microsoft binary.
In a separate development, the 8220 Gang has been using a new installation tool called k4spreader since February 2024 to deliver the tsunami DDoS Botnet and the Rig mining program. Exploiting vulnerabilities in Apache Hadoop YARN, JBoss, and Oracle WebLogic Server, k4spreader is designed for system persistence, automatic download and update, and dropping other malware for execution.
The tool also aims to disable firewalls, eliminate rival botnets, such as kinsing, and provide operational status updates. This latest revelation adds to the ongoing threat posed by cybercriminals exploiting security flaws to conduct financially motivated attacks.
For more exclusive content and updates, follow us on Twitter and LinkedIn.
Article Source
https://thehackernews.com/2024/06/8220-gang-exploits-oracle-weblogic.html