Water Sigbin Hackers Exploit Oracle WebLogic Vulnerabilities


Cybersecurity researchers uncovered a sophisticated attack campaign by the Water Sigbin (aka 8220 Gang) threat actor that exploited vulnerabilities in the Oracle WebLogic Server, notably CVE-2017-3506 and CVE-2023-21839, to deploy the XMRig cryptocurrency miner on compromised systems.

The attack begins with the threat actor exploiting the WebLogic vulnerabilities to execute a malicious PowerShell script on the victim machine.

This script decodes a Base64-encoded payload, which initiates a multi-stage loading process to deliver the PureCrypter loader and the XMRig miner.

Water Sigbin employs several advanced tactics to evade detection:

  • All payloads are protected using .NET Reactor, a code protection software that obfuscates the code and incorporates anti-debugging measures
  • The malware uses fileless execution techniques, such as DLL reflective injection and process hollowing, to run the malicious code solely in memory
  • The XMRig miner masquerades as legitimate processes like cvtres.exe and AddinProcess.exe to avoid suspicion


Technical Analysis:

The attack involves multiple stages of payload decryption, decompression, and loading:

  1. Initial PowerShell script decodes Base64 payload
  2. Decoded payload (wireguard2-3.exe) decrypts and loads second stage DLL (Zxpus.dll) via reflective injection
  3. Zxpus.dll retrieves encrypted binary, decrypts it using AES, decompresses with GZip, and deserializes to reveal next loader configuration
  4. Loader creates cvtres.exe process and injects next stage payload
  5. cvtres.exe loads PureCrypter loader DLL (Tixrgtluffu.dll)
  6. PureCrypter registers with C2 server and downloads final XMRig miner payload.

The malware collects system information like processor ID, disk drive details, installed AV software, etc. using WMI queries. This data is encrypted and sent to the C2 server at 89.185.85[.]102:9091 for victim identification.
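The loading chain above is a stack of encodings around the next stage: Base64 on the outside, then a cipher (AES or, later, TripleDES), then GZip, then a deserialized loader. An analyst triaging a recovered blob usually wants to peel the cheap outer layers automatically and stop at the first layer that needs a key. The following Python helper is an added example written for this article, not code from Trend Micro or from the malware; it recognises Base64 and GZip layers by charset and magic bytes, stops at a PE header or at an opaque (presumably encrypted) blob, and reports the layer sequence it found. The sample blobs are constructed inline; the fake PE is a stub, not a real binary.

```python
import base64
import binascii
import gzip
import re
from typing import List, Tuple

# Header bytes / charset used to recognise each encoding layer.
GZIP_MAGIC = b"\x1f\x8b"
PE_MAGIC = b"MZ"
B64_RE = re.compile(rb"^[A-Za-z0-9+/=\r\n]+$")


def classify(blob: bytes) -> str:
    """Name the outermost layer of a blob: 'pe', 'gzip', 'base64' or 'opaque'."""
    if blob.startswith(PE_MAGIC):
        return "pe"
    if blob.startswith(GZIP_MAGIC):
        return "gzip"
    stripped = blob.strip()
    # Base64 text: only alphabet characters and a length that is a multiple of 4.
    if len(stripped) >= 16 and len(stripped) % 4 == 0 and B64_RE.match(stripped):
        return "base64"
    return "opaque"


def peel_layers(blob: bytes, max_layers: int = 8) -> Tuple[List[str], bytes]:
    """Strip Base64 and GZip layers until a PE image or an unrecognised blob remains.

    An 'opaque' result is where an encrypted layer (AES/TripleDES in this campaign)
    begins; decrypting it needs the key carried by the loader and is out of scope here.
    Returns (layer_names, innermost_bytes).
    """
    layers: List[str] = []
    for _ in range(max_layers):
        kind = classify(blob)
        if kind == "base64":
            try:
                blob = base64.b64decode(blob, validate=False)
            except binascii.Error:
                kind = "opaque"  # looked like Base64 but did not decode
        elif kind == "gzip":
            try:
                blob = gzip.decompress(blob)
            except OSError:
                kind = "opaque"  # gzip magic but a corrupt stream
        layers.append(kind)
        if kind in ("pe", "opaque"):
            return layers, blob
    layers.append("limit")  # too many nested layers; stop rather than loop forever
    return layers, blob


# Constructed samples (not real malware): a fake PE stub wrapped in GZip then Base64,
# and a Base64-wrapped blob of non-text bytes standing in for an encrypted layer.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"constructed stub, not a real binary"
SAMPLE = base64.b64encode(gzip.compress(FAKE_PE))
OPAQUE_INNER = bytes(range(0x80, 0xA0))
ENCRYPTED_SAMPLE = base64.b64encode(OPAQUE_INNER)

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE), ("encrypted_sample", ENCRYPTED_SAMPLE)):
        layers, inner = peel_layers(blob)
        print(f"{name}: layers={layers} innermost={len(inner)} bytes")
```

Run it and the first sample reports `['base64', 'gzip', 'pe']`, while the second stops at `['base64', 'opaque']`, which is the point where a real sample would need the loader's embedded key.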

Attack Flow

The malware employs fileless execution techniques, using reflective DLL injection and process injection. This allows the malware code to run solely in memory and avoid disk-based detection mechanisms.

The payloads used during this campaign are protected using .NET Reactor, a .NET code protection software, to safeguard against reverse engineering. This protection obfuscates the code, making it difficult for defenders to understand and replicate.

Additionally, it incorporates anti-debugging techniques. The attack begins with the exploitation of CVE-2017-3506, which deploys a PowerShell script on the compromised machine.

This script decodes the first stage Base64-encoded payload and stores the decrypted response in a registry key under the subkey path HKEY_CURRENT_USER\SOFTWARE.

According to the Trend Micro report, the malware then downloads an encrypted file named plugin3.dll, decrypts it using the TripleDES algorithm, and decompresses it with Gzip. The loader creates a new process named AddinProcess.exe to impersonate a legitimate process, using process injection to load the XMRig payload into memory and start the new process.

The final payload is XMRig, a popular open-source mining software that supports multiple operating systems. It sends a mining login request to a mining pool URL “217.182.205[.]238:8080” and a wallet address “ZEPHYR2xf9vMHptpxP6VY4hHwTe94b2L5SGyp9Czg57U8DwRT3RQvDd37eyKxoFJUYJvP5ivBbiFCAMyaKWUe9aPZzuNoDXYTtj2Z.c4k”.
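Several points in this chain are observable in ordinary endpoint telemetry: the WebLogic Java process launching PowerShell with an encoded command, cvtres.exe or AddinProcess.exe appearing under a parent that is not build or Office tooling, and those processes talking to the C2 or mining pool. The following Python detection pass is an added example written for this article, not Trend Micro's or any vendor's rule set. It runs three heuristics over constructed process-creation and network-connection events; the event field names, the list of expected parents for the masqueraded processes, and the sample events are assumptions to be tuned to your own telemetry. The network indicators are the ones listed in this article, with the defanging brackets removed.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Network indicators from the article (defanged brackets removed).
KNOWN_BAD_HOSTS = {
    "89.185.85.102",    # C2 receiving victim fingerprint data
    "217.182.205.238",  # XMRig mining pool
    "89.169.52.37",
    "87.121.105.232",
    "79.110.49.232",
}

# Processes the miner is reported to masquerade as.
MASQUERADE_IMAGES = {"cvtres.exe", "addinprocess.exe"}
# Heuristic assumption: parents under which these binaries legitimately appear
# (build tooling for cvtres.exe, Office hosts for AddinProcess.exe). Tune per estate.
EXPECTED_PARENTS = {"msbuild.exe", "csc.exe", "vbc.exe", "devenv.exe", "link.exe",
                    "excel.exe", "winword.exe", "outlook.exe"}
WEBLOGIC_HOSTS = {"java.exe", "javaw.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# -e / -enc / -EncodedCommand followed by a Base64 blob, or in-script Base64 decoding.
ENCODED_PS_RE = re.compile(r"(?i)(-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}|FromBase64String)")


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_process(ev: Dict) -> List[str]:
    hits = []
    parent, image = basename(ev["parent"]), basename(ev["image"])
    cmd = ev.get("cmdline", "")
    # Rule 1: WebLogic's Java process spawning PowerShell with an encoded payload.
    if parent in WEBLOGIC_HOSTS and image in POWERSHELL and ENCODED_PS_RE.search(cmd):
        hits.append("weblogic_encoded_powershell")
    # Rule 2: cvtres.exe / AddinProcess.exe started by something other than expected tooling.
    if image in MASQUERADE_IMAGES and parent not in EXPECTED_PARENTS:
        hits.append("masquerade_process_unexpected_parent")
    return hits


def check_network(ev: Dict) -> List[str]:
    hits = []
    image, dst = basename(ev["image"]), ev["dst_ip"]
    # Rule 3: destination matches a published indicator.
    if dst in KNOWN_BAD_HOSTS:
        hits.append("known_c2_or_pool")
    # Rule 4: a resource-converter or add-in host has no business reaching the internet.
    if image in MASQUERADE_IMAGES and not ipaddress.ip_address(dst).is_private:
        hits.append("masquerade_process_outbound")
    return hits


def scan(events: List[Dict]) -> List[Tuple[int, str]]:
    """Return (event_index, rule_name) for every rule that fires."""
    alerts = []
    for i, ev in enumerate(events):
        hits = check_process(ev) if ev["type"] == "process" else check_network(ev)
        alerts.extend((i, h) for h in hits)
    return alerts


# Constructed sample telemetry (not real logs). The encoded command is a placeholder.
CVTRES = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
ADDIN = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddinProcess.exe"
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Oracle\Middleware\jdk\bin\java.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE="},
    {"type": "process", "parent": r"C:\Users\Public\wireguard2-3.exe",
     "image": CVTRES, "cmdline": "cvtres.exe"},
    {"type": "process", "parent": r"C:\Program Files\Microsoft Visual Studio\MSBuild.exe",
     "image": CVTRES, "cmdline": "cvtres.exe /NOLOGO /READONLY"},      # benign build step
    {"type": "network", "image": CVTRES, "dst_ip": "217.182.205.238", "dst_port": 8080},
    {"type": "network", "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "10.0.0.5", "dst_port": 443},                           # benign internal traffic
    {"type": "network", "image": ADDIN, "dst_ip": "89.185.85.102", "dst_port": 9091},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Rules 1, 2 and 4 are behavioural and keep firing after the actor rotates infrastructure; rule 3 is the indicator match and should be treated as the short-lived one. Expect cvtres.exe under MSBuild to be noisy on developer workstations, which is why the parent allow-list exists.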

Indicators of Compromise

e6e69e85962a402a35cbc5b75571dab3739c0b2f3861ba5853dbd140bae4e4da
f4d11b36a844a68bf9718cf720984468583efa6664fc99966115a44b9a20aa33 - Ransom_Blocker.R002C0XFC24
0bf87b0e65713bf35c8cf54c9fa0015fa629624fd590cb4ba941cd7cdeda8050 - TROJ_FRS.VSNTFH24
b380b771c7f5c2c26750e281101873772e10c8c1a0d2a2ff0aff1912b569ab93 - TROJ_FRS.0NA104FH24
2e32c5cea00f8e4c808eae806b14585e8672385df7449d2f6575927537ce8884 - Trojan.MSIL.EXNET.VSNW11F24

[URL/IP address]
89[.]169[.]52[.]37
http://87[.]121[.]105[.]232/bin.ps1
http://79[.]110[.]49[.]232/plugin3.dll

Mitigation:

Trend Micro advises organizations to implement security best practices like regular patching, robust access controls, security assessments, and employee awareness training to defend against such threats. Specific recommendations include:

  • Keep systems and software updated with latest security patches
  • Use strong authentication methods like multi-factor authentication
  • Regularly scan for vulnerabilities
  • Educate employees on security best practices
  • Use endpoint detection and response solutions to detect malicious activity

By exploiting WebLogic vulnerabilities, using advanced evasion tactics, and deploying XMRig miners, the Water Sigbin threat actor has once again demonstrated its technical sophistication.
