
A notorious cryptocurrency miner group called the 8220 Gang has been observed using a new crypter called ScrubCrypt to perform cryptojacking operations.
According to Fortinet FortiGuard Labs, the attack chain begins by successfully exploiting a susceptible Oracle WebLogic server and downloading a PowerShell script containing ScrubCrypt.
A crypter is a type of software that can encrypt, obfuscate, and manipulate malware in order to avoid detection by security programs.
ScrubCrypt, touted for sale by its creators, has the ability to bypass Windows Defender protections and check for the presence of debugging and virtual machine environments.
“ScrubCrypt is a crypter used to protect applications with its own BAT packing method,” said security researcher Cara Lin in a technical report. She adds: “The encrypted data at the top can be split into four parts using backslashes ‘\’.”

In its final stage, the crypter decodes the miner payload and loads it into memory, thereby starting the miner process.
This threat actor has a track record of compromising targets using publicly disclosed vulnerabilities, and the latest findings are no exception.
This development follows a detailed report from Sysdig on attacks carried out by the 8220 Gang between November 2022 and January 2023 that compromised vulnerable Oracle WebLogic and Apache web servers to drop the XMRig miner.
In late January 2023, Fortinet also discovered a cryptojacking attack leveraging a Microsoft Excel document containing a malicious VBA macro configured to download a Monero (XMR) mining executable onto the infected system.