Cybersecurity researchers recently uncovered a sophisticated attack campaign orchestrated by the Water Sigbin threat actor, which is also known as the 8220 Gang. The attackers exploited several vulnerabilities in Oracle WebLogic Server, notably CVE-2017-3506 and CVE-2023-21839, to deploy the XMRig cryptocurrency miner on compromised systems. This attack stands out due to its multi-stage process, advanced evasion tactics, and intricate use of various payloads and loaders. The Water Sigbin group leverages a series of techniques to penetrate defenses, evade detection, and ensure successful crypto mining. Here is a step-by-step breakdown of how these hackers execute their well-coordinated attack.
Initial PowerShell Script Execution
The attack begins with the exploitation of vulnerabilities in Oracle WebLogic Server. The Water Sigbin threat actor uses these flaws to run a malicious PowerShell script on the target machine, the step that sets up everything that follows. The script executes commands that prepare the system for the later stages of the attack. This phase is built for stealth, which makes it hard for traditional antivirus and firewall defenses to detect and block the script.
The script's main job is to prepare the target system for the injections and payload deliveries that follow, making sure the resources it needs are reachable and not blocked by local security controls. Because it works within normal system facilities, it is hard for defenders to spot and stop at this early stage. With the system compromised, the script decodes a Base64-encoded payload, the step that moves the attack into its next phase.
Base64 Payload Decoding
After the PowerShell script runs, the next phase decodes a Base64-encoded payload. The encoding hides the payload from basic detection mechanisms, since Base64 text is often not flagged as suspicious by security software. The encoded payload contains the components for the following stages and must be decoded before they can be used.
Decoding the Base64 payload is the bridge from the initial vector to the more aggressive stages of the attack. The decoded payload contains the executable wireguard2-3.exe, which will decrypt and load a second-stage dynamic link library (DLL). The decoded scripts and executables work together to keep their activity under the radar, and the decoding step is designed to avoid abrupt changes on the system that could trigger security alerts. Once the payload is decoded, the attack moves to the next stage.
Secondary Stage Process Loading
The most pivotal part of the attack lies in the secondary stage process loading. Once the Base64 payload is decoded, the resulting executable named wireguard2-3.exe comes into play. This executable decrypts and loads a second-stage DLL named Zxpus.dll through a technique referred to as reflective injection. The DLL is loaded without ever being written to disk, which defeats file-based scanning by endpoint detection and response (EDR) tools. Reflective DLL injection is a form of manual mapping that loads the DLL into memory directly, making it harder for anti-malware solutions to detect.
This decryption and reflective injection stage signifies a crucial attack pivot, allowing the malware to deepen its foothold within the compromised system. The Zxpus.dll contains the necessary code to perpetuate the attack through further decryption and decompression stages. During this phase, the attackers take full advantage of the DLL’s capabilities to execute commands in memory, keeping operations fileless. The use of reflective injection further compounds the difficulty for security tools to intercept the attack, enhancing the attackers’ ability to operate undetected within the system.
DLL Decryption and Decompression
Zxpus.dll takes on several roles once injected. It retrieves an encrypted binary embedded in its own code and decrypts it with the Advanced Encryption Standard (AES), a widely used cipher favored for its security and efficiency. The decrypted data is then decompressed (see the next step) and deserialized to extract the next loader's configuration, setting the stage for further payloads. These layers of encryption and compression point to careful planning and technical skill on the part of the Water Sigbin attackers, and they let the next components be introduced while continuing to evade detection.
Decompressing the decrypted layer is what reveals the subsequent payload, and it keeps the attack modular and adaptable to the defenses it meets. The decrypted binary is GZip-compressed, a common data compression format, so the compressed form keeps the embedded payload small and unremarkable until it is expanded. After decompression, the data is deserialized into the configuration that carries the instructions for the next stage of the malware. By combining AES and GZip, the attackers keep each stage lightweight yet potent, reinforcing their stealthy approach.
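The Base64 stage above and the GZip layer described here follow the same pattern an analyst meets when unpacking a staged loader: peel one wrapper, look at what is underneath, repeat. The following Python is an added example written for this page, not code from the report or from the malware; it recovers the script behind a PowerShell `-EncodedCommand` argument (Base64 over UTF-16LE text) and then peels Base64 and GZip wrappers off a blob until a PE image (`MZ` header) or an unrecognised layer appears. All inputs are constructed inline; the AES layer from the report is deliberately not modelled because it needs the key recovered from the loader, so the loop stops at "unknown" where such a layer would sit.

```python
import base64
import gzip
import re
from typing import List, Optional, Tuple

# --- Constructed sample inputs (built here for the example, not taken from the report) ---
INNER_COMMAND = "Write-Output 'stage-2 placeholder'"
# PowerShell's -EncodedCommand takes Base64 of the UTF-16LE script text.
ENCODED_COMMAND = base64.b64encode(INNER_COMMAND.encode("utf-16-le")).decode("ascii")
SAMPLE_CMDLINE = f"powershell.exe -nop -w hidden -EncodedCommand {ENCODED_COMMAND}"

# Stand-in for an embedded executable: only the "MZ" header is meaningful here.
FAKE_PE = b"MZ" + b"\x90" * 14 + b"constructed-stand-in-for-a-pe-image"
# Wrap it the way a layered loader would: GZip first, then Base64.
SAMPLE_BLOB = base64.b64encode(gzip.compress(FAKE_PE))

GZIP_MAGIC = b"\x1f\x8b"
PE_MAGIC = b"MZ"
B64_CHARS = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")
# Short aliases PowerShell accepts for -EncodedCommand.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_powershell_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the script text behind a PowerShell -EncodedCommand argument.

    Returns None when the command line carries no encoded command or the
    argument does not decode as Base64-wrapped UTF-16LE text.
    """
    match = ENC_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def peel_layers(blob: bytes, max_layers: int = 8) -> Tuple[List[str], bytes]:
    """Strip Base64 and GZip wrappers one at a time, recording each layer.

    Stops when a PE image (MZ header) appears, when no known wrapper is
    recognised, or after max_layers. Returns (layer names, innermost bytes).
    """
    layers: List[str] = []
    for _ in range(max_layers):
        if blob.startswith(PE_MAGIC):
            layers.append("pe")
            break
        if blob.startswith(GZIP_MAGIC):
            blob = gzip.decompress(blob)
            layers.append("gzip")
            continue
        # Base64 heuristic: only the Base64 alphabet, length a multiple of 4.
        compact = re.sub(rb"\s+", b"", blob)
        if compact and len(compact) % 4 == 0 and B64_CHARS.match(compact):
            blob = base64.b64decode(compact, validate=True)
            layers.append("base64")
            continue
        layers.append("unknown")  # e.g. an AES-encrypted layer needing a key
        break
    return layers, blob


if __name__ == "__main__":
    print("decoded command:", decode_powershell_encoded_command(SAMPLE_CMDLINE))
    names, inner = peel_layers(SAMPLE_BLOB)
    print("layers:", " -> ".join(names), "| inner starts with", inner[:2])
```

The Base64 heuristic is intentionally strict (alphabet plus padding and a length that is a multiple of four) so that ordinary text is reported as "unknown" rather than mangled; real samples also often hide the next layer behind string reversal or custom alphabets, which would need an extra branch in the loop.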
Legitimate Process Creation
In this stage, the loader creates a process named cvtres.exe, masquerading as a legitimate system process, and injects the next payload stage into it. The technique is process hollowing: a genuine process is started in a suspended state and its memory is replaced with malicious code before it runs. cvtres.exe, a normally benign tool associated with Visual Studio, draws little suspicion and so contributes significantly to the attackers' evasion strategy. By injecting malicious code into it, the attackers exploit the trust placed in established system processes and avoid security alerts.
Creating a seemingly legitimate process masks harmful activity behind an expected system operation, so monitoring tools are less likely to flag it. A process such as cvtres.exe, which is rarely scrutinized, lets the malware keep running undetected, and the hollowed process carries out the injection of subsequent payloads. With the hollowed cvtres.exe running, the stage is set for deploying the PureCrypter loader.
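Process hollowing itself is only visible with memory inspection, but the lineage described on this page (a WebLogic java process spawning PowerShell, PowerShell running an encoded command, and cvtres.exe appearing under a parent that is not a compiler) is visible in ordinary process-creation telemetry. The Python below is an added example for this page, not code from the report or any vendor product: it runs three lineage rules over constructed Sysmon-style Event ID 1 records and reconstructs the parent chain of a flagged process. The paths, PIDs and the encoded argument are made up; the list of parents under which cvtres.exe is expected is an assumption based on the compilers and build tools that normally invoke it.

```python
import json
from typing import Dict, List

# Constructed Sysmon-style process-creation events (Event ID 1), serialised
# one per line as a SIEM would hand them over. Paths, PIDs and the encoded
# argument are made up for this example.
SAMPLE_EVENTS = [
    json.dumps({"ProcessId": 4100, "ParentProcessId": 800,
                "Image": r"C:\Oracle\jdk\bin\java.exe",
                "ParentImage": r"C:\Windows\System32\services.exe",
                "CommandLine": "java.exe -Dweblogic.Name=AdminServer weblogic.Server"}),
    json.dumps({"ProcessId": 5200, "ParentProcessId": 4100,
                "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "ParentImage": r"C:\Oracle\jdk\bin\java.exe",
                "CommandLine": "powershell.exe -nop -w hidden -enc QQBCAEMA"}),
    json.dumps({"ProcessId": 5300, "ParentProcessId": 5200,
                "Image": r"C:\Users\Public\wireguard2-3.exe",
                "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "CommandLine": "wireguard2-3.exe"}),
    json.dumps({"ProcessId": 5400, "ParentProcessId": 5300,
                "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
                "ParentImage": r"C:\Users\Public\wireguard2-3.exe",
                "CommandLine": "cvtres.exe"}),
    # Benign: the C# compiler legitimately runs cvtres.exe to embed resources.
    json.dumps({"ProcessId": 6100, "ParentProcessId": 6000,
                "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
                "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
                "CommandLine": "cvtres.exe /NOLOGO /READONLY /MACHINE:x64 /OUT:app.res"}),
]

# Assumed allow-list: parents under which cvtres.exe is expected on a build host.
EXPECTED_CVTRES_PARENTS = {"csc.exe", "vbc.exe", "msbuild.exe", "devenv.exe", "link.exe", "cl.exe"}
APP_SERVER_IMAGES = {"java.exe", "javaw.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
ENCODED_FLAGS = ("-e ", "-ec ", "-enc ", "-encodedcommand ")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(event_lines: List[str]) -> List[Dict[str, object]]:
    """Apply the lineage rules to each event and return the findings in order."""
    findings: List[Dict[str, object]] = []
    for line in event_lines:
        ev = json.loads(line)
        image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
        cmd = ev["CommandLine"].lower() + " "  # trailing space so "-enc" matches at end
        if image in SHELLS and parent in APP_SERVER_IMAGES:
            findings.append({"rule": "app-server-spawned-powershell", "pid": ev["ProcessId"]})
        if image in SHELLS and any(flag in cmd for flag in ENCODED_FLAGS):
            findings.append({"rule": "encoded-powershell-command", "pid": ev["ProcessId"]})
        if image == "cvtres.exe" and parent not in EXPECTED_CVTRES_PARENTS:
            findings.append({"rule": "cvtres-unexpected-parent", "pid": ev["ProcessId"]})
    return findings


def lineage(event_lines: List[str], pid: int) -> List[str]:
    """Walk ParentProcessId links back to the oldest ancestor we have an event for."""
    by_pid = {ev["ProcessId"]: ev for ev in map(json.loads, event_lines)}
    chain: List[str] = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ParentProcessId"]
    return list(reversed(chain))


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding["rule"], "pid", finding["pid"], "chain:", " > ".join(lineage(SAMPLE_EVENTS, finding["pid"])))
```

The cvtres.exe rule keys on the parent rather than on the image alone because the binary is legitimate and will appear on any machine with the .NET build tools; a hollowed copy also tends to run with an empty or nonsensical command line, which is a useful secondary signal. On a WebLogic server, where no compiler should be running at all, the allow-list can be emptied so that any cvtres.exe launch is reported.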
PureCrypter Loader Deployment
The next step loads the PureCrypter loader DLL, identified as Tixrgtluffu.dll, into the cvtres.exe process. PureCrypter decrypts and loads additional payloads while maintaining stealth, and it establishes communication with the command-and-control (C2) server from which it downloads the final XMRig miner payload. The loader keeps all subsequent payloads obfuscated and protected against reverse-engineering attempts, and it retrieves the components for the final payload over encrypted channels.
Deploying the PureCrypter loader marks a crucial advancement in the attack sequence, laying the groundwork for the eventual execution of the XMRig cryptocurrency miner. By embedding itself within the cvtres.exe process, the PureCrypter ensures that subsequent activities remain concealed and uninterrupted. This loader’s advanced capabilities, including anti-debugging and code obfuscation, complicate analysis efforts and thwart attempts at disassembling the code. By maintaining consistent communication with the C2 server, the loader can seamlessly introduce the final payload into the victim’s system, securing the completion of the attack’s objectives.
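Once XMRig is running, the loader's evasion no longer hides the miner's purpose: it has to talk to a mining pool, and pool traffic is distinctive. The Python below is an added example for this page, not code from the report or from XMRig, that classifies application-layer messages as Stratum mining `login` or `submit` calls. The payloads are constructed, the wallet, job id and host are placeholders, and the miner agent prefixes are an assumption chosen to cover common miners; the `login`/`submit` shapes follow the Stratum JSON-RPC dialect that XMRig speaks to Monero pools.

```python
import json
from typing import List, Optional, Tuple

# Constructed payloads as a network sensor might hand them over, one
# application-layer message each. Wallet, job id and host are placeholders.
SAMPLE_PAYLOADS = [
    json.dumps({"id": 1, "jsonrpc": "2.0", "method": "login",
                "params": {"login": "4PLACEHOLDERWALLET", "pass": "x",
                           "agent": "XMRig/6.0.0 (Windows NT 10.0; Win64; x64)",
                           "algo": ["rx/0", "cn/r"]}}),
    json.dumps({"id": 2, "jsonrpc": "2.0", "method": "submit",
                "params": {"id": "worker-placeholder", "job_id": "job-placeholder",
                           "nonce": "00000000", "result": "00" * 32}}),
    # Unrelated JSON-RPC call: must not be flagged.
    json.dumps({"id": 3, "jsonrpc": "2.0", "method": "getBalance", "params": {}}),
    "GET /health HTTP/1.1\r\nHost: app.example.invalid\r\n\r\n",
    "{not json",
]

# Assumed agent prefixes for well-known CPU miners.
MINER_AGENT_PREFIXES = ("xmrig", "xmr-stak", "cpuminer")


def classify_payload(text: str) -> Optional[Tuple[str, str]]:
    """Return (label, detail) for Stratum mining messages, None otherwise."""
    try:
        msg = json.loads(text)
    except ValueError:
        return None
    if not isinstance(msg, dict) or "method" not in msg:
        return None
    params = msg.get("params") or {}
    if not isinstance(params, dict):
        return None
    # Stratum login: wallet in "login", worker password in "pass", miner agent string.
    if msg["method"] == "login" and {"login", "pass"}.issubset(params):
        agent = str(params.get("agent", "")).lower()
        if agent.startswith(MINER_AGENT_PREFIXES) or "algo" in params:
            return ("stratum-login", str(params.get("agent", "<no agent>")))
    # Share submission: job reference plus nonce and hash result.
    if msg["method"] == "submit" and {"job_id", "nonce", "result"}.issubset(params):
        return ("stratum-submit", str(params["job_id"]))
    return None


def scan(payloads: List[str]) -> List[Tuple[int, str, str]]:
    """Index, label and detail for every payload that looks like mining traffic."""
    hits: List[Tuple[int, str, str]] = []
    for idx, text in enumerate(payloads):
        verdict = classify_payload(text)
        if verdict:
            hits.append((idx, verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for idx, label, detail in scan(SAMPLE_PAYLOADS):
        print(f"payload {idx}: {label} ({detail})")
```

This only works on traffic the sensor can read. Miners are commonly configured to use TLS to the pool, in which case the fallback is host telemetry (a long-lived high-CPU process on a WebLogic server, or the cvtres.exe lineage from the previous example) and destination reputation rather than payload inspection.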
Command and Control Server Registration
Cybersecurity researchers have recently identified a complex attack campaign led by the Water Sigbin threat actor, also referred to as the 8220 Gang. This group has exploited multiple vulnerabilities in Oracle WebLogic Server, including CVE-2017-3506 and CVE-2023-21839, to install the XMRig cryptocurrency miner on compromised systems. The attack is notable for its multi-stage process, sophisticated evasion techniques, and intricate use of different payloads and loaders. The Water Sigbin group employs a series of tactics to breach defenses, avoid detection, and achieve successful cryptocurrency mining. The initial stages of the attack involve scanning for vulnerable WebLogic servers. Once a target is found, the attackers exploit these vulnerabilities to gain access to the system. Following this, they deploy various payloads and loaders to establish a foothold. The final stage involves installing the XMRig miner and maintaining persistence within the infrastructure. This well-coordinated attack demonstrates the increasing ingenuity and resourcefulness of cybercriminal groups like the 8220 Gang.