Threat Actors Exploit Known Oracle WebLogic Server Flaws for Crypto Mining

Written by Lore Apostol
Published on July 1, 2024

The 8220 Gang threat actor, which Trend Micro security researchers track as Water Sigbin, conducts a cryptocurrency mining operation exploiting known security flaws in the Oracle WebLogic Server, such as CVE-2017-3506, CVE- 2017-10271, and CVE-2023-21839 for initial access, and deploys cryptocurrency miners via PowerShell scripts.

Trend Micro researchers say the cybercriminal group manages to sidestep disk-based detection mechanisms by employing execution techniques such as DLL reflective and process injection to run the malware code solely in memory. 

The 8220 Gang employs a multi-stage loading technique to deliver the PureCrypter loader and XMRIG crypto miner while protecting all payloads with .Net Reactor, a .NET code protection software against reverse engineering. 

Exploiting CVE-2017-3506, the threat actor deploys a PowerShell script on the compromised machine and uses reflective DLL injection for in-memory execution to enhance the malware’s ability to evade detection. 

8220 Gang Attack Diagram
Image Source: Trend Micro

It drops a first-stage loader impersonating the legitimate VPN application WireGuard ("wireguard2-3.exe"). This is a trojan loader that executes a second-stage payload in memory, which executes another binary that resolves to a DLL trojan loader.

The DLL retrieves a binary named Vewijfiv that it decrypts via AES encryption with a specified key and IV and decompresses with GZip. Then, the loader creates a new process that mimics a legitimate one in “C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe” to load the next stage payload into memory.

Infected DLL File
Image Source: Trend Micro

The PureCrypter loader version V6.0.7D is the final DLL payload, which connects the victim’s machine with the malicious command-and-control (C2) server and downloads the final payload, which includes the XMRig cryptocurrency miner.

The malware can create a scheduled task under the Microsoft\Windows\Name folder with the highest privilege configured to run 15 seconds after creation followed by random intervals of approximately 6 minutes, then upon system startup or user login.

It also replicates itself as a hidden file named IsSynchronized.exe under the hidden path “C:\Users\$USERNAME$\AppData\Roaming\Name\” and can create a hidden scheduled task with a random name executing a PowerShell command to add malware files and processes to the Windows Defender's exclusion list.

Cybersecurity experts recommend using strong authentication methods such as multi-factor authentication (MFA) and regularly scaning networks and systems for vulnerabilities.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: