Gang Utilizes Vulnerabilities in Oracle WebLogic Server to Mine Cryptocurrency


Cryptocurrency Mining Operation Exploiting Oracle WebLogic Server Flaws: A Threat Analysis & Overview

In a recent analysis, cybersecurity firm Trend Micro reported that the financially motivated threat actor it tracks as Water Sigbin, better known as the 8220 Gang, has been exploiting vulnerabilities in Oracle WebLogic Server to run a cryptocurrency mining operation. The operation relies on fileless, in-memory execution techniques to evade detection.

The researchers found that the threat actor exploits WebLogic vulnerabilities including CVE-2017-3506, CVE-2017-10271, and CVE-2023-21839 to gain initial access, then deploys the miner payload through a multi-stage loading chain. Exploitation runs a PowerShell script that drops a first-stage loader disguised as a legitimate WireGuard VPN application; that loader in turn uses a DLL to launch the next binary directly in memory, so the later stages never touch disk as recognizable executables.

Once the foothold is established, a PureCrypter loader is executed. It exfiltrates hardware information to a remote server, sets up scheduled tasks to run the miner, and tampers with Microsoft Defender Antivirus so the miner is not flagged. The command-and-control (C2) server then sends encrypted messages carrying XMRig configuration details, and the miner is finally executed under the guise of a legitimate Microsoft binary.
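The chain above is described in terms of behaviours rather than hashes: WebLogic's JVM launching PowerShell, a loader dropped into a user-writable directory, scheduled-task persistence, Defender tampering, and a miner running under a Microsoft-looking name. The following is an added example, not Trend Micro's or the gang's code, that turns those behaviours into process-creation hunting rules and runs them over constructed Sysmon-style (Event ID 1) JSON lines. The file names, paths, the `wireguard.exe` loader name, the `AddinProcess.exe` miner name and the `Add-MpPreference` exclusion are assumptions for illustration, not indicators taken from the report.

```python
"""Hunt for a WebLogic -> PowerShell -> loader -> scheduled-task -> miner chain
in process-creation telemetry (Sysmon ProcessCreate field names).

Added example; every sample record below is constructed for the demo."""
import json
import ntpath
import re
from typing import Iterable

# Child processes WebLogic's JVM should never spawn in normal operation.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Filenames that belong to Windows/.NET; running one from a writable
# directory is a masquerading signal (assumed list, extend for your estate).
MICROSOFT_NAMES = {"addinprocess.exe", "svchost.exe", "conhost.exe", "dllhost.exe"}

SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
WRITABLE_DIRS = ("c:\\users\\public\\", "\\appdata\\local\\temp\\", "c:\\windows\\temp\\")

# -e, -ec, -enc, -encodedcommand as a standalone token (PowerShell accepts prefixes).
ENCODED_RE = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?(?:\s|$)")


def is_weblogic_parent(parent: str) -> bool:
    """Heuristic: java.exe launched from an Oracle Middleware / WebLogic tree."""
    p = parent.lower()
    return ntpath.basename(p) == "java.exe" and ("weblogic" in p or "middleware" in p)


def classify(event: dict) -> list[str]:
    """Return the names of every rule the event trips (empty list = benign)."""
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    low_cmd = event.get("CommandLine", "").lower()
    name = ntpath.basename(image).lower()
    parent_name = ntpath.basename(parent).lower()
    low_image = image.lower()
    findings = []

    if is_weblogic_parent(parent) and name in SHELLS:
        findings.append("weblogic_spawned_shell")            # initial access stage
    if name in {"powershell.exe", "pwsh.exe"} and ENCODED_RE.search(low_cmd):
        findings.append("encoded_powershell")                # hidden script runner
    if parent_name in SHELLS and any(d in low_image for d in WRITABLE_DIRS):
        findings.append("shell_launched_binary_from_writable_dir")  # dropped loader
    if "add-mppreference" in low_cmd and "exclusion" in low_cmd:
        findings.append("defender_exclusion_added")          # AV tampering
    if name == "schtasks.exe" and "/create" in low_cmd:
        findings.append("scheduled_task_created")            # persistence
    if name in MICROSOFT_NAMES and not low_image.startswith(SYSTEM_DIRS):
        findings.append("microsoft_name_outside_system_dir") # masquerading miner
    return findings


def hunt(lines: Iterable[str]) -> list[tuple[str, list[str]]]:
    """Parse JSON-lines telemetry; return (Image, findings) for flagged events only."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed record: skip it rather than abort the hunt
        findings = classify(event)
        if findings:
            hits.append((event.get("Image", ""), findings))
    return hits


# Constructed sample telemetry from one WebLogic host, in chain order plus one benign event.
_SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Oracle\Middleware\Oracle_Home\jdk\bin\java.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"Image": r"C:\Users\Public\wireguard.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"C:\Users\Public\wireguard.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\Public\wireguard.exe",
     "CommandLine": "powershell.exe -Command \"Add-MpPreference -ExclusionPath 'C:\\Users\\Public'\""},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "schtasks.exe /create /tn \"WindowsUpdate\" /tr \"C:\\Users\\Public\\AddinProcess.exe\" /sc minute /mo 5"},
    {"Image": r"C:\Users\Public\AddinProcess.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Users\Public\AddinProcess.exe"},
    {"Image": r"C:\Windows\System32\conhost.exe",           # benign: real conhost from the JVM
     "ParentImage": r"C:\Oracle\Middleware\Oracle_Home\jdk\bin\java.exe",
     "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0x4"},
]
SAMPLE_LINES = [json.dumps(e) for e in _SAMPLE_EVENTS]

if __name__ == "__main__":
    for image, findings in hunt(SAMPLE_LINES):
        print(f"{image}: {', '.join(findings)}")
```

The parent-child rule (WebLogic's `java.exe` spawning a shell) is the highest-signal check and fires before any payload is written; the remaining rules are noisier on their own, so in practice correlate them by host and time window rather than alerting on each in isolation. On a real estate, feed the function exported Sysmon or EDR process-creation events in JSON-lines form.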

Separately, the QiAnXin XLab team has identified a new installer tool called k4spreader that the 8220 Gang uses to distribute the Tsunami DDoS botnet and the PwnRig mining program, spreading through vulnerabilities in Apache Hadoop YARN, JBoss, and Oracle WebLogic Server.

These findings underline how persistently and brazenly cybercriminals exploit known server vulnerabilities for financial gain. They are a reminder for organizations to keep Oracle WebLogic Server and similar internet-facing middleware patched against the CVEs listed above and to monitor those hosts for the post-exploitation behaviour described here.
