8220 Gang Exploits Oracle WebLogic Server Flaws for Cryptocurrency Mining

June 28, 2024 at 08:10AM

Security researchers have uncovered details about the 8220 Gang’s cryptocurrency mining operation, which exploits known vulnerabilities in Oracle WebLogic Server. The threat actor uses fileless execution and a multi-stage loading chain, including dropping a miner payload via a PowerShell script. Additionally, a new installer tool called k4spreader, used by the gang to deliver malware, has been detailed.

Key takeaways from the notes on “Newsroom Malware / Cryptocurrency” include:
– The 8220 Gang is conducting a cryptocurrency mining operation by exploiting security flaws in the Oracle WebLogic Server.
– Trend Micro researchers have uncovered the threat actor’s use of fileless execution techniques, reflective DLL loading, and process injection to evade detection mechanisms and drop the miner payload.
– The financially motivated actor, known as Water Sigbin, leverages vulnerabilities in Oracle WebLogic Server to establish a foothold and deploy a multi-stage loading technique for the miner payload.
– The threat actor uses a PowerShell script that creates scheduled tasks to run the miner, exfiltrates hardware information, and contacts a command-and-control server to retrieve and execute the miner.
– The 8220 Gang has been utilizing a new installer tool called k4spreader to deliver the Tsunami DDoS botnet and the PwnRig mining program, exploiting flaws in Apache Hadoop YARN, JBoss, and Oracle WebLogic Server for infiltration.
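One check a defender can run for the scheduled-task persistence stage mentioned above, added here as an example and not code from the report or the researchers: parse exported Task Scheduler XML definitions and flag tasks that launch PowerShell with hidden-window, encoded-command or policy-bypass arguments, or that run a binary from a user-writable path. The heuristics, regular expressions and sample tasks are constructed assumptions, not indicators taken from the report.

```python
"""Hunt for scheduled-task persistence of the kind described above: parse
Task Scheduler XML definitions and flag tasks that launch PowerShell with
evasion-style arguments or run a binary from a user-writable location."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Heuristics are assumptions for this example, not indicators from the report.
POWERSHELL = re.compile(r"(?:^|\\)(?:powershell|pwsh)(?:\.exe)?$", re.I)
EVASION_ARGS = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|e(?:nc|ncodedcommand)\s|e(?:p|xecutionpolicy)\s+bypass)", re.I)
WRITABLE_PATH = re.compile(
    r"\\(?:temp|appdata|programdata|public|users\\[^\\]+\\downloads)\\", re.I)


def analyze_task(xml_text: str) -> list[str]:
    """Return reasons the task looks suspicious; an empty list means no finding."""
    root = ET.fromstring(xml_text)
    reasons = []
    for action in root.findall(".//t:Actions/t:Exec", NS):
        cmd = action.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = action.findtext("t:Arguments", default="", namespaces=NS).strip()
        if POWERSHELL.search(cmd) and EVASION_ARGS.search(args):
            reasons.append(f"PowerShell with evasion-style arguments: {args}")
        if WRITABLE_PATH.search(cmd):
            reasons.append(f"action runs from user-writable path: {cmd}")
    return reasons


# Constructed sample task definitions (not artefacts from the report).
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>C:\Windows\System32\cleanmgr.exe</Command><Arguments>/autoclean</Arguments></Exec>
  </Actions>
</Task>"""

SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
          <Arguments>-w hidden -ep bypass -enc BASE64_PLACEHOLDER</Arguments></Exec>
    <Exec><Command>C:\ProgramData\update\svc.exe</Command></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, task in (("benign", BENIGN_TASK), ("suspicious", SUSPICIOUS_TASK)):
        print(name, analyze_task(task) or "no findings")
```

On a live host the XML for each task can be exported with `schtasks /query /xml` and fed to `analyze_task` one definition at a time.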
