The cryptocurrency miner group “8220 Gang” has been seen using a new crypter to carry out their cryptojacking operations. Crypters are a type of software that can encrypt, obfuscate, or otherwise manipulate malware in an attempt to evade detection by security programs.
The new campaign works by exploiting vulnerable Oracle WebLogic servers to download a PowerShell script. This PowerShell script contains code to evade multiple Windows security features, such as AMSI and ETW, and contains the new crypter. This crypter, dubbed ScrubCrypt, is then saved into a file named “OracleUpdate.bat” and executed. This batch file contains a unique packing method that, when executed, decrypts the ScrubCrypt .NET payload and uses Reflective Injection to load it into memory. This payload performs multiple anti-sandboxing checks, establishes persistence via Registry Run keys, creates Windows Defender exclusions, and decodes the final payload via XOR. This final payload is then executed in memory.
In the case of this campaign, the final payload was an XMRig cryptocurrency miner that will mine cryptocurrency for the threat actors. However, ScrubCrypt has been listed on dark web forums for sale, meaning that there will likely be further campaigns using this crypter that deliver other types of malware.
It is highly recommended to make sure all systems are fully up-to-date on patching, particularly systems that are externally facing. It appears that the threat actors are exploiting an Oracle WebLogic vulnerability from 2017, dubbed CVE-2017-10271, to establish an initial foothold in the environment. Newer versions of Oracle WebLogic are no longer vulnerable to this, so upgrading to the latest version is recommended to help prevent this attack. Likewise, implementing and maintaining endpoint security controls, such as an EDR, is recommended to help prevent malicious activity from compromising the system. Where prevention fails, detection can alert analysts to a potential infection. The infection chain seen in this campaign exhibits a number of behaviors that can be considered suspicious. PowerShell creating unauthorized Windows Defender exclusions, web processes launching a PowerShell script, and abnormal VBS and BAT files being created in the root of the AppData\Roaming directory are all behaviors that can be potential signs of infection. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs.
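The detection behaviors listed above can be turned into simple rules over endpoint telemetry. The following is an added example, not code from the original article or from Binary Defense: it runs over constructed Sysmon-style events (ProcessCreate, FileCreate and RegistryEvent records) and flags a web process spawning PowerShell, PowerShell adding a Defender exclusion, a .vbs or .bat file dropped directly in the root of AppData\Roaming, and a Run-key write from a script host. The set of "web process" image names (WebLogic runs under java.exe; the others are common Windows web servers), the field names and all sample events are assumptions made for the example.

```python
"""Detection rules for the infection-chain behaviours described in the advisory.

Added example (not the article's or Binary Defense's code). Operates on
constructed Sysmon-style event dicts; field names follow Sysmon's schema.
"""
import re

# Assumption: WebLogic runs under java.exe; the others are other common
# Windows web servers that should likewise never spawn a shell.
WEB_PROCESSES = {"java.exe", "w3wp.exe", "httpd.exe", "nginx.exe", "tomcat9.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe"}

# A .vbs or .bat written directly into the root of %AppData% (AppData\Roaming),
# not into a subfolder; legitimate applications almost never write scripts there.
APPDATA_ROOT_SCRIPT = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\[^\\]+\.(vbs|bat)$", re.IGNORECASE
)
RUN_KEY = re.compile(r"\\currentversion\\run\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list:
    """Return the names of every rule the event matches (empty if benign)."""
    hits = []
    eid = ev["EventID"]
    image = basename(ev.get("Image", ""))

    if eid == 1:  # Sysmon ProcessCreate
        parent = basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "").lower()
        if image in SHELLS and parent in WEB_PROCESSES:
            hits.append("web_process_spawned_powershell")
        # Add-MpPreference -Exclusion* is the cmdlet family that creates Defender exclusions.
        if image in SHELLS and "add-mppreference" in cmd and "-exclusion" in cmd:
            hits.append("powershell_defender_exclusion")
    elif eid == 11:  # Sysmon FileCreate
        if APPDATA_ROOT_SCRIPT.match(ev.get("TargetFilename", "")):
            hits.append("script_dropped_in_appdata_root")
    elif eid == 13:  # Sysmon RegistryEvent (value set)
        if RUN_KEY.search(ev.get("TargetObject", "")) and image in SCRIPT_HOSTS:
            hits.append("run_key_persistence_from_script_host")
    return hits


def detect(events: list) -> list:
    """(event index, rule name) for every rule hit across the event stream."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


# Constructed sample telemetry modelled on the chain in the advisory; the
# paths, SID and user names are invented for the example.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Oracle\Middleware\jdk\bin\java.exe",
     "CommandLine": r"powershell -nop -w hidden -File C:\Windows\Temp\stage.ps1"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'powershell Add-MpPreference -ExclusionPath "C:\Users\Public"'},
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\svc_weblogic\AppData\Roaming\OracleUpdate.bat"},
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OracleUpdate"},
    # Benign controls: an editor launching its own shell, an installer writing a subfolder.
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": "powershell"},
    {"EventID": 11, "Image": r"C:\Program Files\App\setup.exe",
     "TargetFilename": r"C:\Users\dev\AppData\Roaming\App\update.bat"},
]

if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Each rule keys on a relationship (parent process, path depth, writing process) rather than on a file name or hash, so it still fires if the operators rename OracleUpdate.bat or swap the final payload; tune WEB_PROCESSES to the actual service accounts and binaries of the servers being monitored.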