Security researchers have shed more light on the cryptocurrency mining operation conducted by the 8220 Gang, which exploits known security flaws in the Oracle WebLogic Server.

"The threat actor employs fileless execution techniques, using DLL reflective and process injection, allowing the malware code to run solely in memory and avoid disk-based detection mechanisms," Trend Micro researchers Ahmed Mohamed Ibrahim, Shubham Singh, and Sunil Bharti said in a new analysis published today.

The cybersecurity firm is tracking the financially motivated actor under the name Water Sigbin, which is known to weaponize vulnerabilities in Oracle WebLogic Server such as CVE-2017-3506, CVE-2017-10271, and CVE-2023-21839 for initial access and to drop the miner payload via a multi-stage loading technique.

A successful foothold is followed by the deployment of a PowerShell script that's responsible for dropping a first-stage loader ("wireguard2-3.exe") that mimics the legitimate WireGuard VPN application but, in reality, launches another binary ("cvtres.exe") in memory by means of a DLL ("Zxpus.dll").

The injected executable serves as a conduit to load the PureCrypter loader ("Tixrgtluffu.dll") that, in turn, exfiltrates hardware information to a remote server, creates scheduled tasks to run the miner, and excludes the malicious files from Microsoft Defender Antivirus.

In response, the command-and-control (C2) server responds with an encrypted message containing the XMRig configuration…
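Because the payload stages run only in memory, the process-creation side effects named above (the fake WireGuard loader, the cvtres.exe launch, the Defender exclusion and the scheduled task) are what a defender can still see. The following is an added example, not code from the Trend Micro analysis: a triage pass over process-creation events that flags a host only when several of these behaviours appear together. The event field names, the sample paths, the WireGuard install directory, the list of expected cvtres.exe parents and the threshold are assumptions.

```python
import re
from collections import defaultdict
from ntpath import basename  # parses Windows paths on any OS

LOADER = "wireguard2-3.exe"                          # file name from the article
WIREGUARD_DIR = "c:\\program files\\wireguard\\"     # assumption: default install dir
CVTRES_PARENTS = {"csc.exe", "vbc.exe", "link.exe"}  # assumption: expected build-tool parents
DEFENDER_EXCL = re.compile(r"(add|set)-mppreference\b.*-exclusion(path|process|extension)", re.I)
TASK_CREATE = re.compile(r"\bschtasks\b.*\s/create\b|register-scheduledtask", re.I)

def match_rules(ev):
    """Return the names of the rules that fire for one process-creation event."""
    image = ev["image"].lower()
    name, parent = basename(image), basename(ev["parent_image"].lower())
    hits = set()
    if DEFENDER_EXCL.search(ev["command_line"]):
        hits.add("defender_exclusion")
    if TASK_CREATE.search(ev["command_line"]):
        hits.add("scheduled_task_created")
    if name == LOADER or (name.startswith("wireguard") and not image.startswith(WIREGUARD_DIR)):
        hits.add("wireguard_masquerade")
    if name == "cvtres.exe" and parent not in CVTRES_PARENTS:
        hits.add("cvtres_unusual_parent")
    return hits

def triage(events, threshold=2):
    """Report hosts where at least `threshold` distinct rules fired."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= match_rules(ev)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= threshold}

def mk(host, image, parent, cmd):
    return {"host": host, "image": image, "parent_image": parent, "command_line": cmd}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NET = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\"
# Constructed sample events (not real telemetry); hosts and paths are made up.
SAMPLE = [
    mk("wls-01", r"C:\Users\Public\wireguard2-3.exe", PS, r"C:\Users\Public\wireguard2-3.exe"),
    mk("wls-01", NET + "cvtres.exe", r"C:\Users\Public\wireguard2-3.exe", "cvtres.exe"),
    mk("wls-01", PS, PS, r"powershell -Command Add-MpPreference -ExclusionPath C:\Users\Public"),
    mk("wls-01", r"C:\Windows\System32\schtasks.exe", PS, "schtasks.exe /create /tn ExampleTask /sc minute"),
    mk("dev-07", NET + "cvtres.exe", NET + "csc.exe", "cvtres.exe /NOLOGO"),
    mk("dev-07", r"C:\Program Files\WireGuard\wireguard.exe", r"C:\Windows\explorer.exe", "wireguard.exe"),
    mk("dev-07", r"C:\Windows\System32\schtasks.exe", r"C:\Windows\System32\cmd.exe", "schtasks /create /tn Backup /sc daily"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The second host shows why the rules are correlated rather than alerted on individually: a compiler-spawned cvtres.exe, a genuine WireGuard install and an administrator's scheduled task stay below the threshold.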