The infamous cryptojacking team tracked as 8220 Gang has been spotted weaponizing a 6-calendar year-old security flaw in Oracle WebLogic servers to ensnare susceptible occasions into a botnet and distribute cryptocurrency mining malware.
The flaw in issue is CVE-2017-3506 (CVSS rating: 7.4), which, when properly exploited, could let an unauthenticated attacker to execute arbitrary commands remotely.
“This enables attackers to attain unauthorized obtain to delicate data or compromise the full process,” Trend Micro researcher Sunil Bharti claimed in a report released this 7 days.

Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
8220 Gang, initially documented by Cisco Talos in late 2018, is so named for its authentic use of port 8220 for command-and-management (C2) network communications.
“8220 Gang identifies targets through scanning for misconfigured or vulnerable hosts on the community internet,” SentinelOne observed last calendar year. “8220 Gang is recognized to make use of SSH brute drive attacks post-infection for the reasons of lateral motion within a compromised network.”
Previously this calendar year, Sydig thorough attacks mounted by the “reduced-skill” crimeware group in between November 2022 and January 2023 that purpose to breach susceptible Oracle WebLogic and Apache web servers and deploy a cryptocurrency miner.
It has also been noticed earning use of an off-the-shelf malware downloader acknowledged as PureCrypter as perfectly as a crypter codenamed ScrubCrypt to conceal the miner payload and evade detection by security software package.
In the most current attack chain documented by Craze Micro, the Oracle WebLogic Server vulnerability is leveraged to produce a PowerShell payload, which is then employed to generate one more obfuscated PowerShell script in memory.
This newly established PowerShell script disables Windows Antimalware Scan Interface (AMSI) detection and launches a Windows binary that subsequently reaches out to a distant server to retrieve a “meticulously obfuscated” payload.
Upcoming WEBINARLearn to Quit Ransomware with Authentic-Time Security
Sign up for our webinar and find out how to cease ransomware attacks in their tracks with genuine-time MFA and company account protection.
Preserve My Seat!
The intermediate DLL file, for its part, is configured to obtain a cryptocurrency miner from one of the 3 C2 servers – 179.43.155[.]202, function.letmaker[.]leading, and su-94.letmaker[.]prime – applying TCP ports 9090, 9091, or 9092.
Pattern Micro claimed modern attacks have also entailed the misuse of a legit Linux tool called lwp-download to preserve arbitrary files on the compromised host.
“lwp-obtain is a Linux utility current in a quantity of platforms by default, and 8220 Gang producing this a aspect of any malware regime can influence a quantity of providers even if it were being reused additional than when,” Bharti explained.
“Thinking of the threat actor’s inclination to reuse tools for different strategies and abuse legitimate resources as component of the arsenal, organizations’ security groups may well be challenged to obtain other detection and blocking methods to fend off attacks that abuse this utility.”
Discovered this write-up intriguing? Comply with us on Twitter and LinkedIn to read much more special content we article.
Some elements of this short article are sourced from:
thehackernews.com