8220 Gang Uses Oracle WebLogic Server Errors to Mine Cryptocurrency

Security researchers have shed more light on the Bitcoin mining operation carried out by the 8220 Gang, which takes advantage of vulnerabilities already known to exist in Oracle WebLogic Server.

“The threat actor relies on fileless execution techniques, using DLL reflective and process injection,” Trend Micro researchers Ahmed Mohamed Ibrahim, Shubham Singh, and Sunil Bharti said in an analysis published on June 28, 2024. “This allows the malware code to run solely in memory and avoid detection mechanisms that are based on disks.”

The cybersecurity company tracks the financially motivated actor as Water Sigbin, who is known to weaponize flaws in Oracle WebLogic Server such as CVE-2017-3506, CVE-2017-10271, and CVE-2023-21839 for initial access and to drop the miner payload through a multi-stage loading technique.

A successful foothold is followed by the deployment of a PowerShell script that drops a first-stage loader (named “wireguard2-3.exe”) imitating the genuine WireGuard VPN application. In reality, it launches another binary (named “cvtres.exe”) in memory by means of a dynamic link library (named “Zxpus.dll”).

The injected program acts as a conduit for loading the PureCrypter loader (“Tixrgtluffu.dll”). This loader, in turn, exfiltrates hardware details to a remote server, creates scheduled tasks to start the miner, and adds the malicious files to the Microsoft Defender Antivirus exclusion list so that they are not scanned.

The command-and-control (C2) server responds with an encrypted message providing the XMRig configuration parameters, after which the loader fetches and executes the miner from an attacker-controlled domain, disguising it as “AddinProcess.exe,” a legitimate Microsoft file.
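The behaviours described above leave traces in process-creation telemetry. The following is an added example, not code from the Trend Micro analysis or from this article: Python detection logic run over constructed Sysmon-style events that flags a Defender exclusion being added, a scheduled task being created, a “wireguard2-3.exe” loader starting, and an “AddinProcess.exe” running outside the .NET Framework directory (the legitimate location is assumed here and should be checked against your own baseline).

```python
import ntpath
import re

# Assumption: the genuine AddinProcess.exe lives under the .NET Framework
# install tree. Tune this baseline to the hosts you monitor.
LEGIT_ADDINPROCESS_DIRS = (r"c:\windows\microsoft.net\framework",)

# Constructed sample events (Sysmon Event ID 1 style fields), not real
# telemetry from the incident described in the article.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\bob\AppData\Local\Temp\wireguard2-3.exe",
     "cmdline": "wireguard2-3.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -nop -c Add-MpPreference -ExclusionPath C:\Users\bob\AppData\Local\Temp"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc onlogon /tn Updater /tr "C:\Users\bob\AppData\Roaming\AddinProcess.exe"'},
    {"image": r"C:\Users\bob\AppData\Roaming\AddinProcess.exe",
     "cmdline": "AddinProcess.exe"},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddinProcess.exe",
     "cmdline": "AddinProcess.exe"},            # benign: expected location
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},                  # benign
]

def _basename(event):
    return ntpath.basename(event["image"]).lower()

# Each rule is (name, predicate over one event).
RULES = [
    ("defender_exclusion_added",
     lambda e: re.search(r"add-mppreference.*-exclusion(path|process|extension)",
                         e["cmdline"], re.I) is not None),
    ("scheduled_task_created",
     lambda e: re.search(r"schtasks(\.exe)?\s.*/create|register-scheduledtask",
                         e["cmdline"], re.I) is not None),
    ("wireguard_lookalike_loader",
     lambda e: _basename(e) == "wireguard2-3.exe"),
    ("addinprocess_outside_dotnet_dir",
     lambda e: _basename(e) == "addinprocess.exe"
               and not e["image"].lower().startswith(LEGIT_ADDINPROCESS_DIRS)),
]

def scan_events(events):
    """Return a list of (rule_name, image_path) for every event that trips a rule."""
    hits = []
    for event in events:
        for name, matches in RULES:
            if matches(event):
                hits.append((name, event["image"]))
    return hits

if __name__ == "__main__":
    for rule, image in scan_events(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

Each rule on its own is noisy in a real environment; the value comes from the sequence (loader, exclusion, task, masquerading miner) occurring on one host within a short window.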

The disclosure coincides with the QiAnXin XLab team sharing information about a new installer tool known as k4spreader, which has been used by the 8220 Gang since at least February 2024 to deliver the Tsunami DDoS botnet and the PwnRig mining program.

The malware, which is still under active development and comes in a shell form, has been exploiting vulnerabilities in software including Apache Hadoop YARN, JBoss, and Oracle WebLogic Server to break into vulnerable targets.

The company stated that “k4spreader is written in cgo, comprising system persistence, downloading and updating itself, and releasing other malware for execution.” It added that the tool is designed to deactivate the firewall, terminate competing botnets (such as kinsing), and report its operational status.

About The Author:

Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blog, he has also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM. Naager entered the field of content in an unusual way: he began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts. He combines this interest with a love of narrative, which makes him a good writer in the cybersecurity field. He also frequently writes for Craw Security.
