8220 Gang used new ScrubCrypt crypter in recent cryptojacking attacks

A
threat
actor
tracked
as
8220
Gang
has
been
spotted
using
a
new
crypter
called
ScrubCrypt
in
cryptojacking
campaigns.

Fortinet
researchers
observed
the
mining
group
8220
Gang
using
a
new
crypter
called
ScrubCrypt
in
cryptojacking
attacks.

“Between
January
and
February
2023,
FortiGuard
Labs
observed
a
payload
targeting
an
exploitable
Oracle
Weblogic
Server
in
a
specific
URI.”
reads
the


analysis
published
by
Fortinet.
“This
payload
extracts
ScrubCrypt,
which
obfuscates
and
encrypts
applications
and
makes
them
able
to
dodge
security
programs.
It
already
has
an
updated
version,
and
the
seller’s
webpage
(Figure
1)
guarantees
that
it
can
bypass
Windows
Defender
and
provide
anti-debug
and
some
bypass
functions.”

The
group
is
known
for
exploiting
publicly
disclosed
vulnerabilities
to
compromise
targets.

Between
January
and
February,
the
experts
observed
attacks
originating
from
163[.]123[.]142[.]210
and
185[.]17[.]0[.]19
that
targeted
an
HTTP
URI,
“wls-wsat/CoordinatorPortType.”
This
URI
belongs
to
an
Oracle
Weblogic
server.

Upon
successful
exploitation
of
vulnerable
Oracle
WebLogic
servers,
it
will
download
a
PowerShell
script,
named
“bypass.ps1,”
which
contains
the
ScrubCrypt
crypter.

The
PowerShell
script
is
encoded
to
avoid
detection
by
AntiVirus
solutions.

The
ScrubCrypt
crypter
is
available
for
sale
on
hacking
forums,
it
allows
securing
applications
with
a
unique
BAT
packing
method.

The
experts
noticed
that
encrypted
data
at
the
top
can
be
split
into
four
parts
using
backslash
“”.
The
final
two
parts
are
the
key
and
initial
value
for
AES
CBC
decryption.

The
attribution
of
the
attacks
to
the
8220
Gang
is
also
based
on
the
crypto
wallet
address
used
in
the
recent
campaigns
and
the
server
IP
address
used
in
the
Monero
miner.

“The
crypto
wallet
address, 46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ,
and
the
server
IP
address
used
in
Monero
miner
have
all
been
used
by
the
8220
Gang
in
the
past.”
concludes
the
report.
“It’s
why
we
believe
the
whole
attack
was
launched
by
this
threat
actor,
although
the
port
number
used
is
no
longer
8220.”

“8220
Gang
is
a
well-known
miner
group
that
usually
leverages
public
file-sharing
websites
and
targets
system
vulnerabilities
to
infiltrate
a
victim’s
environment.
Within
a
very
short
time,
it
has
evolved
to
use
a
newer
crypter
variant,
“ScrubCrypt.” 

Follow
me
on
Twitter:


@securityaffairs
and


Facebook
and


Mastodon

Pierluigi Paganini

(SecurityAffairs –

hacking,
ScrubCrypt)

Share
On

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts