The cryptocurrency miner group “8220 Gang” has been seen using a new crypter to carry out their cryptojacking operations. Crypters are a type of software that can encrypt, obfuscate, or otherwise manipulate malware in an attempt to evade detection by security programs.
The new campaign works by exploiting vulnerable Oracle WebLogic servers to download a PowerShell script. This PowerShell script contains code to evade multiple Windows security features, such as AMSI and ETW, and contains the new crypter. This crypter, dubbed ScrubCrypt, is then saved into a file named “OracleUpdate.bat” and executed. This batch file contains a unique packing method that, when executed, decrypts the ScrubCrypt .NET payload and uses Reflective Injection to load it into memory. This payload performs multiple anti-sandboxing checks, establishes persistence via Registry Run keys, creates Windows Defender exclusions, and decodes the final payload via XOR. This final payload is then executed in memory.
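The chain above is observable as a sequence of host behaviours rather than a single file hash, so it lends itself to behavioural correlation. The following is an added example, not code from the original article or from any named vendor: it models a simplified, Sysmon-like event shape (an assumption made for this example) and flags hosts that exhibit two or more of the behaviours the article attributes to the campaign. The sample events are constructed and the rule weights are illustrative.

```python
"""Behavioural correlation for the ScrubCrypt delivery chain described above.

Added example, not code from the original article. The event shape is a
simplified, Sysmon-like dictionary chosen for this example (an assumption);
the sample events below are constructed, not real telemetry.
"""
from collections import defaultdict

# Behaviours the article attributes to the chain, keyed by a short tag.
# Each rule pairs an event type with a predicate over the event.
RULES = {
    # Exploited WebLogic (a Java process) spawning PowerShell.
    "weblogic_spawns_powershell": ("process_create", lambda e:
        "java" in e.get("parent_image", "").lower()
        and e.get("image", "").lower().endswith("powershell.exe")),
    # The crypter being written to disk under the name the article reports.
    "oracleupdate_bat_written": ("file_create", lambda e:
        e.get("target", "").lower().endswith("oracleupdate.bat")),
    # Persistence via a Registry Run key.
    "run_key_persistence": ("registry_set", lambda e:
        "\\currentversion\\run\\" in e.get("key", "").lower()),
    # A Windows Defender exclusion being added.
    "defender_exclusion": ("registry_set", lambda e:
        "\\windows defender\\exclusions\\" in e.get("key", "").lower()),
}


def correlate(events, min_hits=2):
    """Group matching behaviours per host; report hosts with >= min_hits rules.

    Requiring more than one behaviour keeps a lone Run-key write (common for
    legitimate software) from raising an alert on its own.
    """
    hits = defaultdict(set)
    for e in events:
        for tag, (etype, pred) in RULES.items():
            if e.get("type") == etype and pred(e):
                hits[e["host"]].add(tag)
    return {host: sorted(tags) for host, tags in hits.items()
            if len(tags) >= min_hits}


# Constructed sample events: one host showing the full chain, one host with
# a single benign-looking Run-key write.
SAMPLE_EVENTS = [
    {"host": "wls01", "type": "process_create",
     "parent_image": r"C:\Oracle\jdk\bin\java.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "wls01", "type": "file_create",
     "target": r"C:\Users\Public\OracleUpdate.bat"},
    {"host": "wls01", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OracleUpdate"},
    {"host": "wls01", "type": "registry_set",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public"},
    {"host": "ws07", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
]

if __name__ == "__main__":
    for host, tags in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(tags)}")
```

Against the constructed input only `wls01` is reported, with all four behaviours; `ws07` is dropped because a single Run-key write does not meet the threshold. In a real deployment the predicates would be fed from the telemetry source's own field names, and the threshold tuned to the environment's baseline.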
In the case of this campaign, the final payload was an XMRig cryptocurrency miner that will mine cryptocurrency for the threat actors. However, ScrubCrypt has been listed on dark web forums for sale, meaning that there will likely be further campaigns using this crypter that deliver other types of malware.