The 8220 Gang, known for cryptojacking attacks and exploiting system vulnerabilities, is back to targeting Oracle WebLogic server vulnerabilities to carry out mining attacks. This time, however, it is using a new tool called ScrubCrypt that allows it to dodge debugging environments and bypass security products.

What is 8220 Gang up to?

FortiGuard Labs noted that between January and February, 8220 Gang has been carrying out a new attack campaign using the same infrastructure that it used for its past attacks.
  • To gain entry to the targeted machine, the adversary specifically attacks the Oracle WebLogic HTTP URI wls-wsat/CoordinatorPortType.
  • The attackers then download a PowerShell script (bypass[.]ps1) whose code and strings are encoded to evade detection by anti-malware solutions.
  • This script contains an encoded file that is saved on the infected machine as OracleUpdate[.]bat, masquerading as a system file to evade detection. This batch file in turn loads ScrubCrypt.
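As an added defender-side example (not code from the article or from FortiGuard), the following Python correlates the three stages described above: a request to the wls-wsat URI, an encoded PowerShell launch, and execution of OracleUpdate.bat. The log formats, file paths, timestamps and the 10-minute correlation window are assumptions, and the telemetry is constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the article): a WebLogic access log in
# common-log format and endpoint process-creation events, both in UTC.
WEBLOGIC_ACCESS_LOG = [
    '203.0.113.7 - - [12/Feb/2023:10:14:02 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 200 412',
    '198.51.100.4 - - [12/Feb/2023:10:20:30 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 1873',
]
PROCESS_EVENTS = [  # (timestamp, image, command line); paths are assumed
    ("2023-02-12T10:14:05Z", "powershell.exe", "powershell -nop -w hidden -enc SQBFAFgAIAAo[constructed]"),
    ("2023-02-12T10:14:11Z", "cmd.exe", "cmd /c C:\\Users\\Public\\OracleUpdate.bat"),
    ("2023-02-12T11:02:00Z", "powershell.exe", "powershell -File C:\\ops\\inventory.ps1"),  # benign
]

WLS_URI = re.compile(r'"(?:POST|GET) /wls-wsat/CoordinatorPortType\b')
ACCESS_TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")
ENCODED_PS = re.compile(r"powershell.*\s-(?:e|ec|enc|encodedcommand)\s", re.I)
ORACLE_BAT = re.compile(r"OracleUpdate\.bat", re.I)


def weblogic_hits(lines):
    """Timestamps of requests to the wls-wsat URI named in the campaign."""
    return [datetime.strptime(ACCESS_TS.search(line).group(1), "%d/%b/%Y:%H:%M:%S")
            for line in lines if WLS_URI.search(line) and ACCESS_TS.search(line)]


def classify_process(event):
    """Map one process event to the campaign stage it resembles, or None."""
    ts, _image, cmdline = event
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    if ENCODED_PS.search(cmdline):
        return when, "encoded_powershell"
    if ORACLE_BAT.search(cmdline):
        return when, "oracleupdate_bat"
    return when, None


def correlate(access_lines, proc_events, window=timedelta(minutes=10)):
    """One alert per wls-wsat request; full_chain is set only when both
    endpoint stages follow the request within `window`."""
    stages = [classify_process(e) for e in proc_events]
    alerts = []
    for hit in weblogic_hits(access_lines):
        seen = {name for when, name in stages if name and hit <= when <= hit + window}
        alerts.append({"weblogic_hit": hit.isoformat(), "stages": sorted(seen),
                       "full_chain": {"encoded_powershell", "oracleupdate_bat"} <= seen})
    return alerts


if __name__ == "__main__":
    for alert in correlate(WEBLOGIC_ACCESS_LOG, PROCESS_EVENTS):
        print(alert)
```

A lone wls-wsat request or a lone encoded PowerShell launch is reported with an incomplete stage list, so the rule can still surface partial activity without paging on every scanner probe.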

ScrubCrypt’s role in the campaign

The ScrubCrypt crypter, as advertised by its developer, encrypts and modifies applications so that they can bypass security programs such as Windows Defender, including by modifying the security product's settings.
  • On the targeted machine, it detects the presence of debugging software and virtual machines and checks the OS version, allowing the attackers to decide whether to proceed with the attack.
  • It establishes persistence by editing registry entries.
  • Finally, it decrypts the payload, a file named miner, loads it in memory, and launches the miner process to begin mining Monero.
  • The crypto wallet address used for mining and the IP addresses used in this campaign have been used by the 8220 Gang in previous attacks.

Ending notes

The use of ScrubCrypt and the exploitation of Oracle WebLogic servers in this campaign indicate that the 8220 Gang is actively attempting to avoid detection and sharpen its attack tactics. Organizations are recommended to follow a standard patch management program and deploy a reliable anti-malware solution. Additionally, they can leverage threat intelligence platforms to track IOCs and understand the attackers' patterns.
Cyware Publisher