Security researchers have shed more light on the cryptocurrency mining operation run by the 8220 Gang, which exploits known security flaws in Oracle WebLogic Server.
“The threat actor uses fileless execution techniques using DLL mapping and process injection, allowing the malware code to run exclusively in memory and avoid disk-based detection mechanisms,” Trend Micro researchers Ahmed Mohammed Ibrahim, Shubham Singh and Sunil Bharti said in a new analysis published today.
The cybersecurity firm is tracking the financially motivated actor under the name Water Sigbin. The group weaponizes vulnerabilities in Oracle WebLogic Server, such as CVE-2017-3506, CVE-2017-10271 and CVE-2023-21839, to gain initial access and drop the miner payload using a multi-stage loading technique.
Once a foothold is established, a PowerShell script is deployed that drops a first-stage loader (“wireguard2-3.exe”). The loader impersonates the legitimate WireGuard VPN application but actually launches another binary (“cvtres.exe”) in memory by means of a DLL (“Zxpus.dll”).
The injected executable serves as a conduit for the PureCrypter loader (“Tixrgtluffu.dll”), which in turn exfiltrates hardware information to a remote server, creates scheduled tasks to run the miner, and adds the malicious files to the Microsoft Defender Antivirus exclusion list.
The command-and-control (C2) server responds with an encrypted message containing the XMRig configuration details, after which the loader retrieves and runs the miner from an attacker-controlled domain, disguising it as “AddinProcess.exe,” a legitimate Microsoft binary.
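The chain above leaves three host-level traces a defender can hunt for: a new Defender exclusion (logged as a configuration change), a scheduled task pointing at a binary in a user-writable directory, and a process named AddinProcess.exe that does not live in the .NET Framework directory. The script below is an added example written for this article, not code from Trend Micro or from the malware, and runs those three checks over a handful of constructed event records. Field names (NewValue, TaskName, TaskContent, Image) are simplified versions of what Windows event 5007, event 4698 and Sysmon event 1 carry; the file paths are invented for illustration and are not indicators from the report.

```python
"""Hunt heuristics for the loader -> scheduled task -> Defender exclusion -> XMRig chain.

Added example: the Event records below are CONSTRUCTED test data, not real telemetry,
and the Windows event fields are simplified (NewValue for Defender 5007, TaskName and
TaskContent for 4698, Image for Sysmon process-create).
"""
import re
from dataclasses import dataclass, field

# Directories a normal service binary has no business running from (assumption).
SUSPICIOUS_DIRS = ("\\users\\public\\", "\\appdata\\", "\\programdata\\", "\\temp\\")

# AddinProcess.exe ships with the .NET Framework; any other location is a masquerade
# (hypothetical check based on the name given in the article, not on the report's IOCs).
LEGIT_ADDINPROCESS_DIRS = (
    "c:\\windows\\microsoft.net\\framework\\",
    "c:\\windows\\microsoft.net\\framework64\\",
)

# Defender event 5007 records a config change such as
# "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\x\y.exe = 0x0".
EXCLUSION_RE = re.compile(r"\\Exclusions\\(Paths|Processes|Extensions)\\(.+?) = 0x", re.IGNORECASE)
# Event 4698 carries the task XML; the action's executable is in <Command>.
COMMAND_RE = re.compile(r"<Command>(.*?)</Command>", re.IGNORECASE | re.DOTALL)


@dataclass
class Event:
    event_id: int                 # 5007 Defender config change, 4698 task created, 1 Sysmon process create
    fields: dict = field(default_factory=dict)


def in_user_writable_dir(path: str) -> bool:
    return any(d in path.lower().strip('"') for d in SUSPICIOUS_DIRS)


def check_defender_exclusion(ev: Event):
    """Flag any exclusion added to Defender, whatever the target."""
    if ev.event_id != 5007:
        return None
    m = EXCLUSION_RE.search(ev.fields.get("NewValue", ""))
    return f"defender_exclusion_added:{m.group(1)}:{m.group(2)}" if m else None


def check_scheduled_task(ev: Event):
    """Flag a new scheduled task whose command lives in a user-writable directory."""
    if ev.event_id != 4698:
        return None
    m = COMMAND_RE.search(ev.fields.get("TaskContent", ""))
    if not m or not in_user_writable_dir(m.group(1)):
        return None
    return f"scheduled_task_user_writable:{ev.fields.get('TaskName', '?')}:{m.group(1).strip()}"


def check_masquerade(ev: Event):
    """Flag AddinProcess.exe started from outside the .NET Framework directories."""
    if ev.event_id != 1:
        return None
    image = ev.fields.get("Image", "")
    low = image.lower()
    if not low.endswith("\\addinprocess.exe") or low.startswith(LEGIT_ADDINPROCESS_DIRS):
        return None
    return f"addinprocess_masquerade:{image}"


CHECKS = (check_defender_exclusion, check_scheduled_task, check_masquerade)


def hunt(events):
    """Run every check over every event; return the list of findings in event order."""
    return [hit for ev in events for check in CHECKS if (hit := check(ev))]


# Constructed sample events: three malicious, three benign look-alikes.
SAMPLE_EVENTS = [
    Event(5007, {"NewValue": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\wireguard2-3.exe = 0x0"}),
    Event(5007, {"NewValue": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScheduleDay = 0x2"}),
    Event(4698, {"TaskName": r"\WireGuard Update",
                 "TaskContent": "<Task><Actions><Exec><Command>C:\\Users\\Public\\wireguard2-3.exe</Command></Exec></Actions></Task>"}),
    Event(4698, {"TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
                 "TaskContent": "<Task><Actions><Exec><Command>C:\\Windows\\System32\\defrag.exe</Command></Exec></Actions></Task>"}),
    Event(1, {"Image": r"C:\Users\Public\AddinProcess.exe"}),
    Event(1, {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddinProcess.exe"}),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The path check on AddinProcess.exe is deliberately narrow: if the loader instead injects the miner into a copy of the genuine binary started from its normal location, the process name and path both look legitimate, and you would need the parent process (cvtres.exe or a PowerShell host) or the outbound mining-pool connection to catch it. Treat a hit on any one of the three checks as a pivot point, and a Defender exclusion added by anything other than your management tooling as suspicious on its own.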
The development comes as the QiAnXin XLab team detailed a new installer tool used by the 8220 Gang since at least February 2024, called k4spreader, to deliver the Tsunami DDoS botnet and the PwnRig mining program.
The malware, which is under active development and also exists as a shell-script version, exploits security flaws in Apache Hadoop YARN, JBoss and Oracle WebLogic Server to break into vulnerable targets.
“k4spreader is written in cgo and includes persisting on the system, downloading and updating itself, and releasing other malware for execution,” the company said, adding that it is also designed to disable the firewall, stop competing botnets (such as Kinsing), and print its operational status.