8220 Gang Exploits Oracle WebLogic Server Flaws for Cryptocurrency Mining



Security researchers have provided additional insights into the cryptocurrency mining activities of the 8220 Gang, which exploits known vulnerabilities in Oracle WebLogic Server.

Trend Micro’s Ahmed Mohamed Ibrahim, Shubham Singh, and Sunil Bharti note in their latest analysis that the group relies on fileless execution techniques. These include reflective DLL loading and process injection, which let the malware run entirely in memory and evade disk-based detection.

The group, referred to as Water Sigbin, targets vulnerabilities such as CVE-2017-3506, CVE-2017-10271, and CVE-2023-21839 in Oracle WebLogic Server to gain initial access. They use a multi-stage loading technique to deliver the miner payload.

Once a foothold is established, a PowerShell script drops a first-stage loader (“wireguard2-3.exe”) that poses as the legitimate WireGuard VPN application but in fact launches another binary (“cvtres.exe”) in memory via a DLL (“Zxpus.dll”). That executable in turn loads the PureCrypter loader (“Tixrgtluffu.dll”), which exfiltrates hardware information to a remote server, creates scheduled tasks to run the miner, and adds the malicious files to the Microsoft Defender Antivirus exclusion list.

The command-and-control server then sends an encrypted message with XMRig configuration details, after which the loader retrieves and executes the miner, masquerading as “AddinProcess.exe,” a legitimate Microsoft binary.
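The loader chain above leaves several host-side traces a defender can key on: a Defender exclusion being added, a scheduled task pointing at a user-writable path, the dropped artifact names, and a process named “AddinProcess.exe” starting from somewhere other than the .NET Framework directory where the real binary lives. The following triage script is an added example, not code from the article or from Trend Micro, that runs those checks over a handful of constructed event records shaped loosely like Sysmon process-create, image-load and task-registration events. The record layout, the legitimate `AddinProcess.exe` directories and the user-writable path hints are assumptions of this example; the artifact names come from the article.

```python
"""Added example: triage constructed Windows event records for the
Water Sigbin loader-chain behaviours described in the article.
Record format is an assumption (roughly Sysmon-like dicts)."""
import ntpath
import re
from dataclasses import dataclass

# Assumed legitimate parents of AddinProcess.exe (the .NET Framework dirs).
# A copy running from anywhere else is treated as masquerading.
LEGIT_ADDINPROCESS_DIRS = {
    r"c:\windows\microsoft.net\framework\v4.0.30319",
    r"c:\windows\microsoft.net\framework64\v4.0.30319",
}
# Heuristic (assumed) substrings marking user-writable locations.
USER_WRITABLE_HINTS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
# Artifact names taken from the article's description of the chain.
KNOWN_LOADER_NAMES = {"wireguard2-3.exe", "zxpus.dll", "tixrgtluffu.dll"}
# Add-MpPreference with any -Exclusion* parameter adds a Defender exclusion.
DEFENDER_EXCLUSION_RE = re.compile(
    r"add-mppreference\b.*-exclusion(path|process|extension)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    record_id: int
    detail: str


def _in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(h in p for h in USER_WRITABLE_HINTS)


def check_record(rec: dict) -> list[Finding]:
    """Apply every rule to one record and return the findings (possibly none)."""
    findings: list[Finding] = []
    rid = rec["id"]
    if rec["event"] == "ProcessCreate":
        image = rec["image"]
        name = ntpath.basename(image).lower()
        parent = ntpath.dirname(image).lower()
        if name == "addinprocess.exe" and parent not in LEGIT_ADDINPROCESS_DIRS:
            findings.append(Finding("addinprocess_masquerade", rid, image))
        if name in KNOWN_LOADER_NAMES:
            findings.append(Finding("known_loader_artifact", rid, image))
        if DEFENDER_EXCLUSION_RE.search(rec.get("cmdline", "")):
            findings.append(Finding("defender_exclusion_added", rid, rec["cmdline"]))
    elif rec["event"] == "ImageLoad":
        loaded = rec["image_loaded"]
        if ntpath.basename(loaded).lower() in KNOWN_LOADER_NAMES:
            findings.append(Finding("known_loader_artifact", rid, loaded))
    elif rec["event"] == "TaskRegistered":
        action = rec["action"]
        # A task whose action lives in a user-writable path, or that runs a
        # relocated AddinProcess.exe, matches the persistence step described.
        if _in_user_writable(action) or ntpath.basename(action).lower() == "addinprocess.exe":
            findings.append(Finding("scheduled_task_from_user_path", rid,
                                    f"{rec['task_name']} -> {action}"))
    return findings


def scan(records: list[dict]) -> list[Finding]:
    out: list[Finding] = []
    for rec in records:
        out.extend(check_record(rec))
    return out


# Constructed sample records: five malicious-looking, two benign.
SAMPLE_RECORDS = [
    {"id": 1, "event": "ProcessCreate",
     "image": r"C:\Users\svc\AppData\Roaming\wireguard2-3.exe",
     "cmdline": r"C:\Users\svc\AppData\Roaming\wireguard2-3.exe"},
    {"id": 2, "event": "ImageLoad",
     "image_loaded": r"C:\Users\svc\AppData\Roaming\Zxpus.dll"},
    {"id": 3, "event": "ProcessCreate",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\Users\svc\AppData\Roaming'"},
    {"id": 4, "event": "TaskRegistered", "task_name": r"\Updater",
     "action": r"C:\Users\svc\AppData\Roaming\AddinProcess.exe"},
    {"id": 5, "event": "ProcessCreate",
     "image": r"C:\Users\svc\AppData\Roaming\AddinProcess.exe",
     "cmdline": "AddinProcess.exe"},
    {"id": 6, "event": "ProcessCreate",  # benign: genuine .NET location
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddinProcess.exe",
     "cmdline": "AddinProcess.exe /guid:00000000-0000-0000-0000-000000000000"},
    {"id": 7, "event": "ProcessCreate",  # benign
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"[{f.rule}] record {f.record_id}: {f.detail}")
```

Each rule on its own is weak (administrators do add Defender exclusions, and tasks do run from ProgramData), so the value is in correlating several of them on one host in a short window; the record id is kept on every finding so that correlation can be done downstream.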

Additionally, QiAnXin XLab has reported that since February 2024, the 8220 Gang has been using a new installer tool called k4spreader to distribute the Tsunami DDoS botnet and the PwnRig mining program. This malware exploits vulnerabilities in Apache Hadoop YARN, JBoss, and Oracle WebLogic Server to infiltrate targets. Written in cgo, k4spreader includes system persistence, self-updating capabilities, and the ability to disable firewalls, terminate rival botnets like kinsing, and print operational status.