Cryptocurrency Mining Exploitation: The 8220 Gang and Oracle WebLogic Server Vulnerabilities

June 28, 2024

Security experts have uncovered more details about the cryptocurrency mining activities of the 8220 Gang, who are exploiting known vulnerabilities in Oracle WebLogic Server. According to researchers Ahmed Mohamed Ibrahim, Shubham Singh, and Sunil Bharti, the group uses fileless execution techniques, reflective DLL loading, and process injection, allowing the malware to run solely in memory and evade disk-based detection mechanisms.

The group, tracked by cybersecurity firm Trend Micro as Water Sigbin, exploits vulnerabilities such as CVE-2017-3506, CVE-2017-10271, and CVE-2023-21839 in Oracle WebLogic Server for initial access, then uses a multi-stage loading technique to drop the miner payload. After gaining access, the attackers run a PowerShell script that drops a first-stage loader ("wireguard2-3.exe") which mimics the legitimate WireGuard VPN application.

This loader launches another binary ("cvtres.exe") in memory by means of a DLL ("Zxpus.dll"). The injected executable serves as a conduit to load the PureCrypter loader ("Tixrgtluffu.dll") which exfiltrates hardware information to a remote server and creates scheduled tasks to run the miner, while excluding the malicious files from Microsoft Defender Antivirus.

The command-and-control (C2) server responds with an encrypted message containing the XMRig configuration details. The loader then retrieves and executes the miner from an attacker-controlled domain, masquerading it as "AddinProcess.exe," the name of a legitimate Microsoft binary.

Meanwhile, the QiAnXin XLab team has detailed a new installer tool used by the 8220 Gang, known as k4spreader, which has been in use since at least February 2024. This tool delivers the Tsunami DDoS botnet and the PwnRig mining program. The malware, currently under development, leverages security flaws in Apache Hadoop YARN, JBoss, and Oracle WebLogic Server to infiltrate susceptible targets.

According to the company, k4spreader is written in cgo, and includes system persistence, downloading and updating itself, and releasing other malware for execution. It is also designed to disable the firewall, terminate rival botnets (e.g., kinsing), and print operational status.
