Hackers Exploit Oracle WebLogic Server Vulnerabilities to Mine Cryptocurrency

Posted by admin on 2 July 2024 at 08:54:28

Security researchers have shed more light on the cryptocurrency mining operation that the 8220 Gang runs by exploiting known security flaws in Oracle WebLogic Server.

"The threat actor employs fileless execution techniques, using DLL reflective and process injection, allowing the malware code to run solely in memory and avoid disk-based detection mechanisms," Trend Micro researchers Ahmed Mohamed Ibrahim, Shubham Singh, and Sunil Bharti said in a new analysis published today.


The cybersecurity firm tracks the financially motivated actor as Water Sigbin, which is known to weaponize Oracle WebLogic Server vulnerabilities such as CVE-2017-3506, CVE-2017-10271, and CVE-2023-21839 for initial access and to drop the miner payload through a multi-stage loading technique.

Once a foothold is established, a PowerShell script drops a first-stage loader ("wireguard2-3.exe") that mimics the legitimate WireGuard VPN client but in reality launches another binary ("cvtres.exe") in memory by means of a DLL ("Zxpus.dll").

The injected executable serves as a conduit for loading the PureCrypter loader ("Tixrgtluffu.dll"), which in turn exfiltrates hardware information to a remote server, creates scheduled tasks to run the miner, and adds exclusions for the malicious files in Microsoft Defender Antivirus.

The command-and-control (C2) server replies with an encrypted message containing the XMRig configuration, after which the loader retrieves the miner from an attacker-controlled domain and executes it under the name "AddinProcess.exe", masquerading as a legitimate Microsoft binary.
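The chain above (loader posing as WireGuard, cvtres.exe hollowed in memory, Defender exclusions, scheduled tasks, a miner renamed to AddinProcess.exe) leaves host telemetry that a defender can match without any file on disk. The Python below is an added example, not code from Trend Micro or from the report this article summarizes: it runs four detection rules over a few constructed, Sysmon-style event records and correlates them per host. The event schema, the directory allow-lists, the build-tool parent list and the message format assumed for Defender event 5007 and task-creation event 4698 are all assumptions to be tuned to your own EDR/Sysmon data.

```python
"""Host-telemetry detection for the Water Sigbin Windows chain (added example)."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Where Microsoft ships cvtres.exe and AddInProcess.exe (assumption: extend this
# for Visual Studio / Build Tools installs on developer machines).
LEGIT_NET_DIRS = (r"c:\windows\microsoft.net\framework\v",
                  r"c:\windows\microsoft.net\framework64\v")
# Parents that legitimately spawn cvtres.exe (assumption: the managed/C++ toolchain).
BUILD_TOOL_PARENTS = {"csc.exe", "vbc.exe", "cl.exe", "link.exe", "msbuild.exe", "devenv.exe"}
# A scheduled-task action living in one of these is suspicious (assumption).
USER_WRITABLE_DIRS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
WATCHED_BINARIES = {"cvtres.exe", "addinprocess.exe"}
# Defender operational log event 5007 = "platform configuration changed"; the
# registry-path wording in the message is assumed from the sample below.
EXCLUSION_RE = re.compile(r"Exclusions\\(Paths|Processes|Extensions)\\(.+?)\s*=", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def _norm(path: str) -> str:
    return path.strip('"').lower()


def _check_process(host: str, ev: dict) -> list[Finding]:
    image, parent = ev.get("image", ""), ev.get("parent_image", "")
    name = ntpath.basename(_norm(image))
    out = []
    # Rule 1: a binary named like a .NET tool running outside the .NET folders.
    if name in WATCHED_BINARIES and not _norm(image).startswith(LEGIT_NET_DIRS):
        out.append(Finding("masquerade_path", host, f"{name} executed from {image}"))
    # Rule 2: cvtres.exe started by something that is not a compiler/linker.
    if name == "cvtres.exe" and ntpath.basename(_norm(parent)) not in BUILD_TOOL_PARENTS:
        out.append(Finding("cvtres_odd_parent", host, f"cvtres.exe spawned by {parent}"))
    return out


def _check_defender(host: str, ev: dict) -> list[Finding]:
    # Rule 3: an exclusion (path/process/extension) added to Defender.
    m = EXCLUSION_RE.search(ev.get("message", ""))
    if ev.get("event_id") == 5007 and m:
        return [Finding("defender_exclusion", host, f"{m.group(1)} exclusion: {m.group(2)}")]
    return []


def _check_task(host: str, ev: dict) -> list[Finding]:
    # Rule 4: scheduled task whose action points into a user-writable directory.
    action = ev.get("task_action", "")
    if ev.get("event_id") == 4698 and _norm(action).startswith(USER_WRITABLE_DIRS):
        return [Finding("suspicious_task", host, f"task {ev.get('task_name')} runs {action}")]
    return []


CHECKS = {"process": _check_process, "defender": _check_defender, "task": _check_task}


def analyze(events: list[dict]) -> list[Finding]:
    findings: list[Finding] = []
    for ev in events:
        check = CHECKS.get(ev.get("type"))
        if check:
            findings.extend(check(ev.get("host", "?"), ev))
    return findings


def hosts_with_chain(findings: list[Finding], min_rules: int = 2) -> list[str]:
    """Hosts where at least `min_rules` distinct rules fired. One rule alone is
    noisy (developers really do run cvtres.exe); several together are the chain."""
    by_host: dict[str, set[str]] = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in by_host.items() if len(rules) >= min_rules)


# Constructed sample telemetry: one infected WebLogic host and one clean dev box.
SAMPLE_EVENTS = [
    {"host": "wls-app01", "type": "process",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
     "parent_image": r"C:\Users\Public\wireguard2-3.exe"},
    {"host": "wls-app01", "type": "defender", "event_id": 5007,
     "message": r"Configuration changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public = 0x0"},
    {"host": "wls-app01", "type": "task", "event_id": 4698,
     "task_name": r"\Microsoft\Windows\UpdateCheck", "task_action": r"C:\Users\Public\AddinProcess.exe"},
    {"host": "wls-app01", "type": "process", "image": r"C:\Users\Public\AddinProcess.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe"},
    {"host": "dev-07", "type": "process",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"host": "dev-07", "type": "process",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
     "parent_image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
]

if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.rule}] {f.host}: {f.detail}")
    print("hosts with chain:", hosts_with_chain(found))
```

On the sample data all four rules fire on wls-app01 and none on dev-07, so only the WebLogic host is reported by the correlation step; the per-host threshold is what keeps a single compiler run on a developer workstation from paging anyone.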


The development comes as the QiAnXin XLab team detailed a new installer tool used by the 8220 Gang, called k4spreader, in use since at least February 2024 to deliver the Tsunami DDoS botnet and the PwnRig mining program.

The malware, which is still under development and also exists in a shell-script version, has been exploiting security flaws in Apache Hadoop YARN, JBoss, and Oracle WebLogic Server to infiltrate susceptible targets.

"k4spreader is written in cgo, including system persistence, downloading and updating itself, and releasing other malware for execution," the company said, adding that it is also designed to disable the firewall, terminate rival botnets (e.g., kinsing), and print its operational status.


References

[1]https://thehackernews.com/2024/06/8220-gang-exploits-oracle-weblogic.html


This article originally appeared on the WeChat public account 知机安全: Hackers Exploit Oracle WebLogic Server Vulnerabilities to Mine Cryptocurrency

Reposts should retain the link to this article (CN-SEC 中文网; thanks to the original author for their work): http://cn-sec.com/archives/2904302.html
