Cyber Security

8220 Gang Exploits Oracle WebLogic Server Flaws for Cryptocurrency Mining

Jun 28, 2024NewsroomMalware / Cryptocurrency

Security researchers have shed more light on the cryptocurrency mining operation conducted by the 8220 Gang by exploiting known security flaws in the Oracle WebLogic Server.

“The threat actor employs fileless execution techniques, using DLL reflective and process injection, allowing the malware code to run solely in memory and avoid disk-based detection mechanisms,” Trend Micro researchers Ahmed Mohamed Ibrahim, Shubham Singh, and Sunil Bharti said in a new analysis published today.

The cybersecurity firm is tracking the financially motivated actor under the name Water Sigbin, which is known to weaponize vulnerabilities in Oracle WebLogic Server such as CVE-2017-3506, CVE- 2017-10271, and CVE-2023-21839 for initial access and drop the miner payload via multi-stage loading technique.

A successful foothold is followed by the deployment of PowerShell script that’s responsible for dropping a first-stage loader (“wireguard2-3.exe”) that mimics the legitimate WireGuard VPN application, but, in reality, launches another binary (“cvtres.exe”) in memory by means of a DLL (“Zxpus.dll”).


The injected executable serves as a conduit to load the PureCrypter loader (“Tixrgtluffu.dll”) that, in turn, exfiltrates hardware information to a remote server and creates scheduled tasks to run the miner as well as excludes the malicious files from Microsoft Defender Antivirus.

In response, the command-and-control (C2) server responds with an encrypted message containing the XMRig configuration details, following which the loader retrieves and executes the miner from an attacker-controlled domain by masquerading it as “AddinProcess.exe,” a legitimate Microsoft binary.

Cryptocurrency Mining

The development comes as the QiAnXin XLab team detailed a new installer tool used by the 8220 Gang called k4spreader since at least February 2024 to deliver the Tsunami DDoS botnet and the PwnRig mining program.

The malware, which is currently under development and has a shell version, has been leveraging security flaws such as Apache Hadoop YARN, JBoss, and Oracle WebLogic Server to infiltrate susceptible targets.

“k4spreader is written in cgo, including system persistence, downloading and updating itself, and releasing other malware for execution,” the company said, adding it’s also designed to disable the firewall, terminate rival botnets (e.g., kinsing), and printing operational status.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Articles You May Like

Redmi Buds 5C with Hybrid ANC, 36-Hour Total Battery Life Launched in India: Specifications, Price
Samsung Galaxy M35, iQoo Z9 Lite, Honor 200, and More New Smartphones to Go on Sale During Amazon Prime Day 2024
Dark Web Malware Logs Expose 3,300 Users Linked to Child Abuse Sites
Apple Watch Series 10 to Sport Larger Screen; Cheaper Watch SE Model May Arrive With Plastic Body: Mark Gurman
Critical Unpatched Flaws Disclosed in Popular Gogs Open-Source Git Service