8220 Gang Exploits Oracle WebLogic Server Flaws to Fuel Cryptocurrency Mining
### Financially Driven Attackers Leverage Known Vulnerabilities for Profitable Scheme
A financially motivated threat group known as the 8220 Gang has gained notoriety for exploiting known security flaws in Oracle WebLogic Server. These vulnerabilities serve as the gang's entry points for deploying cryptocurrency mining software, effectively stealing computing resources to generate virtual currency at the expense of unsuspecting victims.
### Technical Deceptions and Payloads
The 8220 Gang takes a sophisticated approach to its attacks, relying on fileless execution techniques to evade detection. It uses reflective DLL loading and process injection, so that the malicious code operates solely in memory and bypasses traditional disk-based security measures.
Once initial access to the victim’s system is established, the gang deploys a PowerShell script that introduces a first-stage loader. This loader disguises itself as the legitimate WireGuard VPN application, but in reality, it launches a second binary in memory using a malicious DLL.
This injected executable then brings in the PureCrypter loader, which gathers hardware information and creates scheduled tasks to execute the cryptocurrency miner. To evade detection by Microsoft Defender Antivirus, the malicious files are added to its exclusion list so they are never scanned.
The final step involves communication with a command-and-control server. The server sends an encrypted message containing configuration details for the XMRig mining software. The loader retrieves and executes the miner, disguising it as a legitimate Microsoft binary named “AddinProcess.exe.”
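The chain described above leaves three host-level traces a defender can look for: new Defender exclusions, scheduled tasks launching binaries from user-writable locations, and a process named AddinProcess.exe running outside the .NET Framework directories where the genuine binary lives. The following triage script is an added example, not code from the article or from any vendor tooling; it assumes a Windows 10 / Server 2016 or later host with the Defender and ScheduledTasks PowerShell modules, run from an elevated session.

```powershell
# Added example (not from the article). Triage checks for the behaviours described above.
# Assumes: Windows 10 / Server 2016+, Defender and ScheduledTasks modules present, elevated shell.

# 1. Defender exclusions: every entry weakens scanning, so each one should be explainable.
$pref = Get-MpPreference
foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    foreach ($entry in $pref.$kind) {
        [pscustomobject]@{ Check = 'DefenderExclusion'; Detail = "$kind = $entry" }
    }
}

# 2. Scheduled tasks whose action points into a user-writable location (assumed indicators).
$suspiciousRoots = 'Temp', 'AppData', 'ProgramData', 'Public'
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($suspiciousRoots | Where-Object { $cmd -match $_ }) {
            [pscustomobject]@{ Check = 'ScheduledTask'; Detail = "$($task.TaskPath)$($task.TaskName): $cmd" }
        }
    }
}

# 3. AddinProcess.exe running from anywhere other than the .NET Framework directories.
$legitRoots = "$env:windir\Microsoft.NET\Framework", "$env:windir\Microsoft.NET\Framework64"
Get-Process -Name AddinProcess -ErrorAction SilentlyContinue | ForEach-Object {
    $p = $_
    # $p.Path is null for processes we cannot open; report those too, since they cannot be verified.
    $onLegitPath = $legitRoots | Where-Object { $p.Path -and $p.Path.StartsWith($_, 'OrdinalIgnoreCase') }
    if (-not $onLegitPath) {
        [pscustomobject]@{ Check = 'MasqueradingProcess'; Detail = "PID $($p.Id): $($p.Path)" }
    }
}
```

Each finding is emitted as an object so the output can be piped to Export-Csv or compared against a known-good baseline from a clean host.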
### Evolution of Tactics and Tools
The 8220 Gang is constantly evolving its tactics and tools to maximize its profits. Recent reports indicate that the group has developed a new installer tool called k4spreader, which has been in use since February 2024. This tool is used to deliver the Tsunami DDoS botnet and the PwnRig mining program.
k4spreader targets vulnerabilities in Apache Hadoop YARN, JBoss, and Oracle WebLogic Server. It features self-updating capabilities, disables firewalls, and can terminate competing botnets.
### Consequences and Precautions
The 8220 Gang’s activities have significant implications for businesses and organizations. The cryptocurrency mining operations can drain computing resources, slow down systems, and increase energy consumption.
To protect against these attacks, organizations are advised to apply security patches promptly, implement multi-factor authentication, and use reputable antivirus and anti-malware solutions. Regular system audits and vulnerability scans are also essential for detecting and mitigating potential threats.
### Final Thoughts
The 8220 Gang is a reminder that cybersecurity threats are constantly evolving. Businesses must stay vigilant, adopt proactive security measures, and be prepared to respond to new threats as they emerge. By staying informed about the latest attack techniques and implementing comprehensive security strategies, organizations can protect their systems and data from malicious actors.