8220 Gang Exploits Oracle WebLogic Server Flaws for Cryptocurrency Mining
Security researchers have uncovered a campaign in which the 8220 Gang exploits long-patched vulnerabilities in Oracle WebLogic Server to mine cryptocurrency. The group weaponizes these flaws to gain a foothold on the server, stage a multi-step loader chain, and finally run a miner that turns the victim's CPU time into profit. The sections below walk through how the chain works and what defenders can check for.
Fileless Techniques to Evade Detection
The 8220 Gang takes care to keep its payloads off disk. According to Trend Micro researchers, the group uses fileless execution for its later stages: an initial loader is written to disk, but the stages that follow are loaded reflectively (a DLL mapped into memory by the loader itself rather than by the Windows loader) and injected into another process, so they never exist as files that traditional signature-based scanners can inspect. The practical consequence is that file scanning alone will miss most of the chain; detection has to come from process behaviour (an unusual parent spawning a .NET binary, new scheduled tasks, new Defender exclusions) or from memory forensics.
Exploiting Known Vulnerabilities
The group, which Trend Micro tracks as Water Sigbin, has been exploiting three known vulnerabilities in Oracle WebLogic Server: CVE-2017-3506, CVE-2017-10271, and CVE-2023-21839. All three have had vendor patches available for a long time, so exposure comes from unpatched or internet-facing installations rather than from any new flaw. Once they have code execution on the server, the attackers use a multi-stage loading chain to bring in the cryptocurrency miner.
How the Attack Unfolds
Once inside a system, the gang runs a PowerShell script. The script drops a loader named “wireguard2-3.exe,” a name chosen to resemble the legitimate WireGuard VPN client. Instead of providing a VPN connection, the loader uses a DLL called “Zxpus.dll” to launch “cvtres.exe,” a legitimate .NET Framework binary name, and to run the next stage inside that process in memory rather than from a file on disk.
The injected cvtres.exe process then loads another loader, “PureCrypter,” which sends hardware information about the host back to a remote server and creates scheduled tasks to run the cryptocurrency miner. It also adds exclusions to Microsoft Defender Antivirus so that its own files and processes are not scanned. The attacker-controlled command-and-control (C2) server replies with encrypted instructions describing the mining configuration. Following those instructions, the loader retrieves the miner from a domain controlled by the attackers and saves it under the name “AddinProcess.exe,” another legitimate Microsoft .NET binary name, so that a casual look at the process list does not raise suspicion.
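The artifacts in that chain (a lookalike Microsoft binary name running from the wrong directory, cvtres.exe with an unexpected parent, scheduled tasks and Defender exclusions pointing at a drop directory) are all things a responder can check for on a WebLogic host. The script below is an added example, not code from the article or from Trend Micro, and it runs over constructed sample records that stand in for the output of `Get-ScheduledTask`, `Get-MpPreference` and `Get-CimInstance Win32_Process`. The expected .NET directories, the list of normal parents for cvtres.exe and the user-writable drop locations are assumptions to tune for your own image.

```python
"""Hunt for the persistence and masquerading artifacts described above.

Added example for this article, not the original page's code. The sample
records below are constructed; on a real host you would feed in the output
of Get-ScheduledTask, Get-MpPreference and Get-CimInstance Win32_Process.
"""
import ntpath

# Where the genuine .NET Framework binaries live (assumption: standard
# .NET Framework 4 install paths; add others present on your build).
NET_DIRS = {
    r"c:\windows\microsoft.net\framework\v4.0.30319",
    r"c:\windows\microsoft.net\framework64\v4.0.30319",
}
# Microsoft binary names the loader chain reuses for its own payloads.
LOOKALIKE_NAMES = {"cvtres.exe", "addinprocess.exe"}
# Processes that legitimately spawn cvtres.exe (assumption: build toolchain;
# a production WebLogic host normally runs none of them).
EXPECTED_CVTRES_PARENTS = {"csc.exe", "vbc.exe", "link.exe", "msbuild.exe"}
# Locations a dropped loader or miner typically lands in (assumption).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def norm(path: str) -> str:
    """Lower-case, strip quotes and normalise separators so comparisons are exact."""
    return ntpath.normpath(path.strip().strip('"')).lower()


def is_masquerade(path: str) -> bool:
    """True when a known Microsoft binary name runs from anywhere but its real directory."""
    p = norm(path)
    return ntpath.basename(p) in LOOKALIKE_NAMES and ntpath.dirname(p) not in NET_DIRS


def in_user_writable(path: str) -> bool:
    """True when the path sits under a directory an unprivileged dropper can write to."""
    return norm(path).startswith(USER_WRITABLE)


def check_tasks(tasks):
    """Flag scheduled tasks whose action is a lookalike binary or runs from a drop dir."""
    findings = []
    for t in tasks:
        exe = t["execute"]
        if is_masquerade(exe):
            findings.append(f"task {t['name']}: lookalike binary {exe}")
        elif in_user_writable(exe):
            findings.append(f"task {t['name']}: runs from user-writable path {exe}")
    return findings


def check_exclusions(prefs):
    """Flag Defender exclusions that would shield a dropped miner from scanning."""
    findings = []
    for path in prefs.get("ExclusionPath", []):
        if is_masquerade(path) or in_user_writable(path):
            findings.append(f"Defender path exclusion: {path}")
    for proc in prefs.get("ExclusionProcess", []):
        if ntpath.basename(norm(proc)) in LOOKALIKE_NAMES:
            findings.append(f"Defender process exclusion: {proc}")
    return findings


def check_processes(procs):
    """Flag lookalike binaries by path, and cvtres.exe spawned by an unexpected parent."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        if is_masquerade(p["path"]):
            findings.append(f"pid {p['pid']}: lookalike binary at {p['path']}")
        elif ntpath.basename(norm(p["path"])) == "cvtres.exe":
            parent = by_pid.get(p["ppid"])
            pname = ntpath.basename(norm(parent["path"])) if parent else "<exited>"
            if pname not in EXPECTED_CVTRES_PARENTS:
                findings.append(f"pid {p['pid']}: cvtres.exe spawned by {pname}")
    return findings


def hunt(tasks, prefs, procs):
    """Run every rule and return all findings in one list."""
    return check_tasks(tasks) + check_exclusions(prefs) + check_processes(procs)


# Constructed sample data shaped like the chain in the article (not real telemetry).
SAMPLE_TASKS = [
    {"name": r"\Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319",
     "execute": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"},
    {"name": r"\WindowsUpdateCheck",
     "execute": r"C:\Users\Public\Libraries\AddinProcess.exe"},
]
SAMPLE_PREFS = {
    "ExclusionPath": [r"C:\Users\Public\Libraries"],
    "ExclusionProcess": ["AddinProcess.exe"],
}
SAMPLE_PROCS = [
    {"pid": 612, "ppid": 4, "path": r"C:\Windows\System32\services.exe"},
    {"pid": 1328, "ppid": 612, "path": r"C:\Windows\System32\svchost.exe"},
    {"pid": 5120, "ppid": 1328, "path": r"C:\Users\Public\wireguard2-3.exe"},
    {"pid": 5144, "ppid": 5120, "path": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"},
    {"pid": 6012, "ppid": 5144, "path": r"C:\Users\Public\Libraries\AddinProcess.exe"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_TASKS, SAMPLE_PREFS, SAMPLE_PROCS):
        print(finding)
```

Note that the cvtres.exe process in the sample runs from its genuine path, so a path check alone would pass it; it is the parent (a loader in a user-writable directory) that gives it away, which is why the parent rule is kept separate from the masquerade rule.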
New Tools and Persistent Threats
Security researchers at QiAnXin XLab have identified a new addition to the 8220 Gang's toolkit: an installer named k4spreader. Observed in use since at least February 2024, it has been used to deploy the Tsunami DDoS botnet and the PwnRig mining program. Written in cgo (Go with linked C code), k4spreader handles persistence on the host, updates itself, and launches further malware. It can also disable the system firewall, remove competing botnets such as kinsing from the machine, and report its status back to the operators.
Mitigation: How to Protect Against These Attacks
Given how this chain works, here are the steps organizations can take to protect themselves, starting with the ones that break the intrusion earliest:
- Patch Oracle WebLogic Server promptly; all three CVEs used here have had fixes available for years, and the initial access depends entirely on an unpatched instance.
- Avoid exposing WebLogic instances directly to the internet, and restrict outbound connections from WebLogic hosts so that a compromised server cannot reach an attacker-controlled domain to fetch the miner or its configuration.
- Use security tooling that inspects process behaviour and memory, not just files on disk, since the later stages of this chain are never written to disk.
- Audit scheduled tasks and Microsoft Defender Antivirus exclusions on WebLogic hosts; both are created by the loader, and neither belongs on a production application server without a documented reason.
- Watch for Microsoft .NET binary names such as cvtres.exe and AddinProcess.exe running from unexpected directories or with unexpected parent processes.
- Conduct regular security audits to identify and remediate vulnerable or misconfigured systems.
- Educate staff on recognizing potential threats and on the importance of following security procedures.
- Implement network segmentation so that a compromised server cannot be used to reach other systems.
Conclusion: Staying Vigilant
The 8220 Gang's activity shows how much mileage attackers still get from old vulnerabilities. The group needs no new exploit; it relies on unpatched WebLogic servers for access, and on in-memory loading and legitimate-looking file names to stay resident once inside. Keeping internet-facing software patched, limiting what a server can reach, and monitoring for the persistence artifacts described above are what stop this chain, and they are within reach of most organizations.