Cybersecurity researchers uncovered a sophisticated attack campaign by the Water Sigbin (aka 8220 Gang) threat actor that exploited vulnerabilities in the Oracle WebLogic Server, notably CVE-2017-3506 and CVE-2023-21839, to deploy the XMRig cryptocurrency miner on compromised systems.
The attack begins with the threat actor exploiting the WebLogic vulnerabilities to execute a malicious PowerShell script on the victim machine.
This script decodes a Base64-encoded payload, which initiates a multi-stage loading process to deliver the PureCrypter loader and the XMRig miner.
Water Sigbin employs several advanced tactics to evade detection:
- All payloads are protected using .Net Reactor, a code protection software that obfuscates the code and incorporates anti-debugging measures
- The malware uses fileless execution techniques, such as DLL reflective injection and process hollowing, to run the malicious code solely in memory
- The XMRig miner masquerades as legitimate processes like cvtres.exe and AddinProcess.exe to avoid suspicion
-
Technical Analysis:
The attack involves multiple stages of payload decryption, decompression, and loading:
- Initial PowerShell script decodes Base64 payload
- Decoded payload (wireguard2-3.exe) decrypts and loads second stage DLL (Zxpus.dll) via reflective injection
- Zxpus.dll retrieves encrypted binary, decrypts it using AES, decompresses with GZip, and deserializes to reveal next loader configuration
- Loader creates cvtres.exe process and injects next stage payload
- cvtres.exe loads PureCrypter loader DLL (Tixrgtluffu.dll)
- PureCrypter registers with C2 server and downloads final XMRig miner payload.
The malware collects system information like processor ID, disk drive details, installed AV software, etc. using WMI queries. This data is encrypted and sent to the C2 server at 89.185.85[.]102:9091 for victim identification.
- The malware employs fileless execution techniques, using DLL reflective and process injection. This allows the malware code to run solely in memory and avoid disk-based detection mechanisms.
The payloads used during this campaign are protected using .NET Reactor, a .NET code protection software, to safeguard against reverse engineering. This protection obfuscates the code, making it difficult for defenders to understand and replicate.
Additionally, it incorporates anti-debugging techniques. The attack begins with the exploitation of CVE-2017-3506, which deploys a PowerShell script on the compromised machine.
This script decodes the first stage Base64-encoded payload and stores the decrypted response in a registry key under the subkey path
HKEY_CURRENT_USER\SOFTWARE\<Victim ID>.
According to Trend Micro report, The malware then downloads an encrypted file named plugin3.dlland decrypts it using the TripleDES algorithm and decompresses it with Gzip.The loader creates a new process named AddinProcess.exe to impersonate a legitimate process, using process injection to load the XMRig payload into memory and start the new process.
Mitigation:
Trend Micro advises organizations to implement security best practices like regular patching, robust access controls, security assessments, and employee awareness training to defend against such threats. Specific recommendations include:
- Keep systems and software updated with latest security patches
- Use strong authentication methods like multi-factor authentication
- Regularly scan for vulnerabilities
- Educate employees on security best practices
- Use endpoint detection and response solutions to detect malicious activity
By exploiting WebLogic vulnerabilities, using advanced evasion tactics, and deploying XMRig miners, the Water Sigbin threat actor has once again demonstrated its technical sophistication.
(Courtsey: www.cybersecuritynews.com)
