DailyBubble News

Additional old Oracle WebLogic flaws used for cryptomining

Multiple Oracle WebLogic Servers have been targeted by the threat group 8220 Gang, also known as Water Sigbin, in a cryptocurrency-mining operation. The compromised servers were found to be affected by vulnerabilities tracked as CVE-2017-3506, CVE-2017-10271, and CVE-2023-21839.

After gaining access to the WebLogic Servers, the attackers deployed a PowerShell script that launched a first-stage loader disguised as the WireGuard VPN application. According to an analysis by Trend Micro, this loader in turn delivered the PureCrypter loader.

The PureCrypter loader allows for hardware data exfiltration, scheduled task creation, and the exclusion of files from Microsoft Defender Antivirus. Finally, the XMRig cryptocurrency miner is retrieved from the attackers' command-and-control server and launched, according to the researchers.
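Two of the PureCrypter behaviours named above, adding Microsoft Defender exclusions and creating scheduled tasks, leave traces in PowerShell script-block logging (Event ID 4104). The following detection sketch is an added example written for this article; it is not code from the article, Trend Micro, or the malware. It scans constructed sample log lines for those two behaviours. The log format, the timestamps and the paths in the samples are all made up, and the cmdlet patterns are generic administrative commands rather than the attackers' actual script.

```python
"""Detection sketch (added example, not from the article or Trend Micro).

Scans constructed Windows PowerShell script-block log entries for the two
post-exploitation behaviours the article attributes to PureCrypter:
adding Microsoft Defender exclusions and creating scheduled tasks.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based index into the scanned log
    rule: str      # name of the rule that fired
    detail: str    # matched command fragment, for the analyst


# Rules target the behaviour, not a specific payload file name, so a
# renamed dropper still matches. Case-insensitive because PowerShell is.
RULES = [
    ("defender_exclusion",
     re.compile(r"Add-MpPreference\s+.*-Exclusion(Path|Process|Extension)\b", re.I)),
    ("scheduled_task",
     re.compile(r"(Register-ScheduledTask|schtasks(\.exe)?\s+/create)\b", re.I)),
]


def scan(lines):
    """Return a Finding for every rule that matches a log line."""
    findings = []
    for n, line in enumerate(lines, 1):
        for name, rx in RULES:
            m = rx.search(line)
            if m:
                findings.append(Finding(n, name, m.group(0)))
    return findings


def summarize(lines):
    """Count hits per rule; useful as a quick triage signal per host."""
    return dict(Counter(f.rule for f in scan(lines)))


# Constructed sample log (hypothetical format: timestamp, event id, script text).
SAMPLE_LOG = [
    "2024-06-28T10:01:02Z 4104 ScriptBlock: Get-ChildItem C:\\Users",
    "2024-06-28T10:01:05Z 4104 ScriptBlock: Add-MpPreference -ExclusionPath 'C:\\ProgramData\\updater'",
    "2024-06-28T10:01:07Z 4104 ScriptBlock: $a = New-ScheduledTaskAction -Execute 'C:\\ProgramData\\updater\\svc.exe'",
    "2024-06-28T10:01:08Z 4104 ScriptBlock: Register-ScheduledTask -TaskName 'SystemUpdate' -Action $a -Trigger $t",
    "2024-06-28T10:02:00Z 4104 ScriptBlock: Get-Process | Sort-Object CPU -Descending",
]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule} <- {f.detail}")
    print(summarize(SAMPLE_LOG))
```

Both rules are noisy on hosts where administrators legitimately manage Defender or scheduled tasks, so in practice they are best combined with the parent process (a PowerShell spawned by a Java or WebLogic process is far more suspicious than one started by an admin console) and with an allow-list of known management tooling.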

A separate report from the QiAnXin XLab team detailed how the 8220 Gang distributed the Tsunami distributed denial-of-service botnet and the PwnRig cryptominer using an installer tool called k4spreader. Written in cgo, the tool includes features such as system persistence, self-updating, and execution of additional malware, capabilities the XLab researchers highlighted as central to its role in distributing malicious software.
