8220 Group Exploits Oracle WebLogic Server Vulnerabilities for Mining Cryptocurrency
A group known as the 8220 Group has been exploiting identified vulnerabilities in the Oracle WebLogic Server to mine cryptocurrency, according to security researchers.
“The criminal group uses innovative fileless execution methods, employing DLL reflective techniques and process injection, enabling the malicious code to operate exclusively in memory, thus avoiding detection mechanisms based on storage,” Trend Micro researchers Ahmed Mohamed Ibrahim, Shubham Singh, and Sunil Bharti wrote in an analysis published today.
The cybersecurity company has been tracking the financially motivated group, which it identifies as Water Sigbin, and which is known for exploiting Oracle WebLogic Server vulnerabilities such as CVE-2017-3506, CVE-2017-10271, and CVE-2023-21839 for initial access, then delivering the mining payload through a multi-stage loading approach.
An initial foothold is followed by the use of a PowerShell script to deliver a first-stage loader (“wireguard2-3.exe”), which masquerades as the legitimate WireGuard VPN application but actually launches another binary (“cvtres.exe”) in memory by way of a DLL (“Zxpus.dll”).

The injected process acts as a conduit for the PureCrypter loader (“Tixrgtluffu.dll”), which sends hardware information to a remote server, creates scheduled tasks to run the miner, and excludes the malicious files from Microsoft Defender Antivirus.
Upon receiving an encrypted response from the command-and-control (C2) server containing the XMRig configuration, the loader retrieves and runs the miner from an attacker-controlled domain, disguising it as “AddinProcess.exe,” a legitimate Microsoft program.
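The post-exploitation chain described above (a shell spawned after the WebLogic compromise, a lookalike “WireGuard” loader, cvtres.exe started by that loader, a Defender exclusion, a scheduled task, and a miner renamed to AddinProcess.exe) maps onto a handful of endpoint-telemetry rules. The Python below is an added example, not code from Trend Micro or from the article: the event records are constructed Sysmon-style process-creation entries, and the install-directory and parent-process allow-lists are simplified assumptions a real deployment would tune.

```python
"""Heuristic detection pass over process-creation telemetry for the
WebLogic-to-XMRig chain. Added example; events and allow-lists are constructed."""
import re
from typing import Dict, List, Tuple

# Directories Microsoft ships these binaries from (assumption; versions vary,
# so we compare directory prefixes, case-insensitively).
EXPECTED_DIRS: Dict[str, Tuple[str, ...]] = {
    "addinprocess.exe": (r"c:\windows\microsoft.net\framework",),
    "cvtres.exe": (
        r"c:\windows\microsoft.net\framework",
        r"c:\program files\microsoft visual studio",
        r"c:\program files (x86)\microsoft visual studio",
    ),
    "wireguard.exe": (r"c:\program files\wireguard",),
}
# Parents that legitimately start cvtres.exe (assumed allow-list); the loader on
# this page starts it from a fake "WireGuard" binary instead.
EXPECTED_PARENTS = {"cvtres.exe": ("csc.exe", "vbc.exe", "msbuild.exe", "devenv.exe")}
JVM_IMAGES = ("java.exe", "javaw.exe")  # WebLogic runs inside a JVM
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")
# Command-line patterns for the Defender exclusion and scheduled-task steps.
DEFENDER_EXCLUSION = re.compile(r"add-mppreference\b.*?-exclusion(path|process|extension)", re.I)
TASK_CREATE = re.compile(r"schtasks(\.exe)?\b.*?/create|register-scheduledtask", re.I)


def _split(path: str) -> Tuple[str, str]:
    """Return (directory, basename) of a Windows path, both lower-cased."""
    head, _, tail = path.replace("/", "\\").lower().rpartition("\\")
    return head, tail


def check_event(ev: Dict[str, str]) -> List[str]:
    """Apply every rule to one process-creation event; return the rules that fired."""
    hits: List[str] = []
    img_dir, img = _split(ev.get("Image", ""))
    _, parent = _split(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    # 1. Known Microsoft binary name running outside its install directory
    #    (the miner renamed to AddinProcess.exe and dropped under C:\Users\Public).
    if img in EXPECTED_DIRS and not img_dir.startswith(EXPECTED_DIRS[img]):
        hits.append("masquerade_path")
    # 2. Near-miss of a well-known product name (wireguard2-3.exe vs wireguard.exe).
    if any(img != legit and legit[:-4] in img for legit in EXPECTED_DIRS):
        hits.append("lookalike_name")
    # 3. Injection-prone .NET helper started by an unexpected parent.
    if img in EXPECTED_PARENTS and parent not in EXPECTED_PARENTS[img]:
        hits.append("unexpected_parent")
    # 4. Shell spawned directly by the application server's JVM.
    if img in SHELLS and parent in JVM_IMAGES:
        hits.append("jvm_spawned_shell")
    # 5. Defender exclusion added from the command line.
    if DEFENDER_EXCLUSION.search(cmd):
        hits.append("defender_exclusion")
    # 6. Scheduled task created (persistence for the miner).
    if TASK_CREATE.search(cmd):
        hits.append("scheduled_task_create")
    return hits


def analyze(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule, image path) pairs for every event that trips a rule."""
    return [(rule, ev["Image"]) for ev in events for rule in check_event(ev)]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NET = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
# Constructed telemetry: six events from the chain, then two benign events.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": PS, "ParentImage": r"C:\Oracle\Middleware\jdk\bin\java.exe",
     "CommandLine": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\Public\loader.ps1"},
    {"Image": r"C:\Users\Public\wireguard2-3.exe", "ParentImage": PS,
     "CommandLine": r"C:\Users\Public\wireguard2-3.exe"},
    {"Image": NET + r"\cvtres.exe", "ParentImage": r"C:\Users\Public\wireguard2-3.exe",
     "CommandLine": "cvtres.exe"},
    {"Image": PS, "ParentImage": NET + r"\cvtres.exe",
     "CommandLine": "powershell -Command Add-MpPreference -ExclusionPath 'C:\\Users\\Public'"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": NET + r"\cvtres.exe",
     "CommandLine": r"schtasks /create /sc minute /mo 5 /tn SysUpdate /tr C:\Users\Public\AddinProcess.exe"},
    {"Image": r"C:\Users\Public\AddinProcess.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Users\Public\AddinProcess.exe"},
    {"Image": NET + r"\cvtres.exe", "ParentImage": NET + r"\csc.exe", "CommandLine": "cvtres.exe /NOLOGO"},
    {"Image": r"C:\Program Files\WireGuard\wireguard.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Program Files\WireGuard\wireguard.exe"},
]

if __name__ == "__main__":
    for rule, image in analyze(SAMPLE_EVENTS):
        print(f"{rule:22s} {image}")
```

Each rule is deliberately narrow and cheap, which is the point: none of them needs the loader's hash or the C2 domain, so they keep working when the group rotates filenames and infrastructure, and the two benign records at the end show that a real cvtres.exe started by the C# compiler and a genuine WireGuard install pass clean.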
This development coincides with the QiAnXin XLab team's disclosure of a new deployment tool used by the 8220 Group, named k4spreader, which has been in use since at least February 2024 to distribute the Tsunami DDoS botnet and the PwnRig mining software.
The malware, which is still under development and also has a shell-script variant, has been exploiting vulnerabilities in Apache Hadoop YARN, JBoss, and Oracle WebLogic Server to infiltrate susceptible targets.
“k4spreader is coded in cgo and features functionalities for system persistence, self-downloading and updating, and deploying other malware for execution,” the company said, also noting its ability to disable the firewall, terminate competing botnets (e.g., kinsing), and output operational details.