8220 Gang Exploits Oracle WebLogic Server Flaws for Cryptocurrency Mining

Security researchers have shed more light on the cryptocurrency mining operation conducted by the 8220 Gang by exploiting known security flaws in the Oracle WebLogic Server.

"The threat actor employs fileless execution techniques, using DLL reflective and process injection, allowing the malware code to run solely in memory and avoid disk-based detection mechanisms," Trend Micro researchers Ahmed Mohamed Ibrahim, Shubham Singh, and Sunil Bharti said in a new analysis published today.

The cybersecurity firm is tracking the financially motivated actor under the name Water Sigbin, which is known to weaponize vulnerabilities in Oracle WebLogic Server such as CVE-2017-3506, CVE- 2017-10271, and CVE-2023-21839 for initial access and drop the miner payload via multi-stage loading technique.

A successful foothold is followed by the deployment of PowerShell script that's responsible for dropping a first-stage loader ("wireguard2-3.exe") that mimics the legitimate WireGuard VPN application, but, in reality, launches another binary ("cvtres.exe") in memory by means of a DLL ("Zxpus.dll").

The injected executable serves as a conduit to load the PureCrypter loader ("Tixrgtluffu.dll") that, in turn, exfiltrates hardware information to a remote server and creates scheduled tasks to run the miner as well as excludes the malicious files from Microsoft Defender Antivirus.

In response, the command-and-control (C2) server responds with an encrypted message containing the XMRig configuration details, following which the loader retrieves and executes the miner from an attacker-controlled domain by masquerading it as "AddinProcess.exe," a legitimate Microsoft binary.

The development comes as the QiAnXin XLab team detailed a new installer tool used by the 8220 Gang called k4spreader since at least February 2024 to deliver the Tsunami DDoS botnet and the PwnRig mining program.

The malware, which is currently under development and has a shell version, has been leveraging security flaws such as Apache Hadoop YARN, JBoss, and Oracle WebLogic Server to infiltrate susceptible targets.

"k4spreader is written in cgo, including system persistence, downloading and updating itself, and releasing other malware for execution," the company said, adding it's also designed to disable the firewall, terminate rival botnets (e.g., kinsing), and printing operational status.