Examining Water Sigbin’s Infection Routine Leading to an XMRig Cryptominer

June 28, 2024 at 01:26AM Water Sigbin uses reflective DLL loading and process injection to deploy the PureCrypter loader and the XMRig cryptominer, exploiting vulnerabilities in Oracle WebLogic servers. Fileless execution via PowerShell scripts evades disk-based detection, while .NET Reactor protection obfuscates the code. The threat actor employs multiple advanced tactics, emphasizing the need …

CISA Warns of Attacks Exploiting Old Oracle WebLogic Vulnerability

June 4, 2024 at 08:39AM CISA added an old Oracle WebLogic vulnerability, CVE-2017-3506, to its list of known exploited vulnerabilities. Chinese hackers have been using it to deploy cryptocurrency miners. Trend Micro reported that a China-based threat group, Water Sigbin, continues to exploit this vulnerability and another recent one. Their advanced techniques make detection and …

Decoding Water Sigbin’s Latest Obfuscation Tricks

May 30, 2024 at 01:10AM Summary: Water Sigbin, also known as the 8220 Gang, exploited Oracle WebLogic vulnerabilities to deploy a cryptocurrency miner via a PowerShell script. The group used obfuscation techniques to conceal its activities, including hexadecimal URL encoding and fileless execution. Organizations are advised to prioritize patch management, network segmentation, security audits, employee …