8220 Gang Evolves With New Strategies

Trend Micro reports that the 8220 Gang has evolved its tactics, now exploiting lwp-download on Linux and CVE-2017-3506 in Oracle WebLogic to deploy cryptocurrency miners on both Linux and Windows hosts. The group uses PowerShell-based droppers and AMSI bypass techniques and has stood up new C2 infrastructure (e.g., work.letmaker.top and su-94.letmaker.top), while reusing tools such as Tsunami, XMRIG, masscan, and spirit. #8220Gang #CVE-2017-3506

Keypoints

  • 8220 Gang is evolving its campaigns with new tools and targets, expanding from Linux to Windows while continuing to mine cryptocurrency.
  • The WebLogic entry point is CVE-2017-3506, reached through the HTTP URI “wls-wsat/CoordinatorPortType”.
  • The attackers deliver a PowerShell-based dropper that downloads and executes additional scripts from remote URLs.
  • bypass.ps1 decodes Base64-encoded content to run an in-memory PowerShell script and includes AMSI bypass techniques.
  • The dropper writes a malicious binary to the Windows Temp directory, uses MSBuild to execute it, and later connects to C2 servers to download a miner.
  • IOCs include a bypass.ps1 SHA256, specific URLs/IPs/domains, and known C2 nodes such as work.letmaker.top and su-94.letmaker.top.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – “Attackers exploited the HTTP URI ‘wls-wsat/CoordinatorPortType’ as an entry point to target an Oracle WebLogic server leveraging the CVE-2017-3506 vulnerability.”
  • [T1059.001] PowerShell – “The decoded command downloads and executes a PowerShell script from http[:]//185[.]17[.]0[.]199/bypass.ps1.”
  • [T1027] Obfuscated/Compressed Files and Information – “The PowerShell script decodes multiple Base64-encoded byte arrays to create another obfuscated PowerShell script in memory and executes it using ‘iex’ (Invoke-Expression) commandlet.”
  • [T1562.001] Impair Defenses – “It disables the AMSI detection. The code sets the value of ‘amsiInitFailed’ field from class to ‘True’ to achieve AMSI unhooking…”
  • [T1218.006] Signed Binary Proxy Execution: MsBuild – “The newly created .dll file is an encrypted resource file that is injected into the MS Build process.”
  • [T1105] Ingress Tool Transfer – “The file ‘Winscp-setup-1867.exe’ is responsible for downloading the file ‘Ebvjmba.dat’ by continuously sending a GET request to its server http://79.137.203.156/Ebvjmba.dat.”
  • [T1071.001] Web Protocols – “communicates with one of the three C&Cs using TCP ports 9090, 9091, or 9092 to download a cryptocurrency miner.”

Indicators of Compromise

  • [SHA256] bypass.ps1 – b5fa13d8a03e9a38995e1a087f873e9f2e5d53d8ac713ffb951f62084c810a90
  • [File name] bypass.ps1 – PowerShell dropper script with the AMSI bypass stage
  • [URL] http://79.137.203.156/Ebvjmba.dat, http://185.17.0.199/bypass.ps1 – Example URLs used for dropper and script retrieval
  • [IP] 79.137.203.156, 185.17.0.199 – Example IPs hosting dropper/script resources
  • [Domain] work.letmaker.top, su-94.letmaker.top – C2 domains
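The techniques and indicators above map onto telemetry a defender already collects: WebLogic access logs, PowerShell script block logs, process-creation events and network connections. The following is an added example (not from the Trend Micro report) that encodes the reported TTPs as simple rules and runs them over constructed sample events; the event format and the three telemetry sources are assumptions, and real deployments would feed it from their own log pipeline.

```python
import re
from typing import Dict, List

# Detection rules for the TTPs described in the summary.
# Each rule: (ATT&CK technique id, telemetry source it applies to, pattern).
RULES = [
    # Request to the WLS-WSAT endpoint used as the CVE-2017-3506 entry point
    ("T1190", "weblogic_access", re.compile(r"/wls-wsat/CoordinatorPortType", re.I)),
    # AMSI unhooking via the amsiInitFailed field, as bypass.ps1 does
    ("T1562.001", "ps_scriptblock", re.compile(r"amsiInitFailed", re.I)),
    # Base64 decode feeding Invoke-Expression: the in-memory stage of the dropper
    ("T1027", "ps_scriptblock", re.compile(
        r"FromBase64String[\s\S]*\b(?:iex|Invoke-Expression)\b"
        r"|\b(?:iex|Invoke-Expression)\b[\s\S]*FromBase64String", re.I)),
    # PowerShell spawning MSBuild (proxy execution of the dropped payload)
    ("T1218.006", "process", re.compile(r"parent=powershell\.exe\s+child=msbuild\.exe", re.I)),
    # Outbound connection to the known C2 domains on the miner download ports 9090-9092
    ("T1071.001", "netconn", re.compile(r"(?:work|su-94)\.letmaker\.top:909[0-2]\b", re.I)),
]

def match_event(event: Dict[str, str]) -> List[str]:
    """Return the technique ids whose rule matches this event (source must agree)."""
    return [tid for tid, source, pat in RULES
            if event.get("source") == source and pat.search(event.get("text", ""))]

def score_host(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each matched technique id to the raw event lines that triggered it."""
    hits: Dict[str, List[str]] = {}
    for ev in events:
        for tid in match_event(ev):
            hits.setdefault(tid, []).append(ev["text"])
    return hits

# Constructed sample telemetry for one host (assumed format, not taken from the report).
SAMPLE_EVENTS = [
    {"source": "weblogic_access", "text": "POST /wls-wsat/CoordinatorPortType HTTP/1.1 200"},
    {"source": "ps_scriptblock", "text": "...GetField('amsiInitFailed'...).SetValue($null,$true)"},
    {"source": "ps_scriptblock",
     "text": "iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($blob)))"},
    {"source": "process", "text": "parent=powershell.exe child=MSBuild.exe"},
    {"source": "netconn", "text": "powershell.exe -> su-94.letmaker.top:9091"},
    {"source": "netconn", "text": "chrome.exe -> example.org:443"},  # benign, should not match
]

if __name__ == "__main__":
    for tid, lines in sorted(score_host(SAMPLE_EVENTS).items()):
        print(tid, "<-", lines)
```

Several techniques firing on one host within a short window is the signal worth paging on; any single rule alone (especially T1027) will also catch legitimate administration scripts.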

Read more: https://www.trendmicro.com/en_us/research/23/e/8220-gang-evolution-new-strategies-adapted.html