Examining Water Sigbin’s Infection Routine Leading to an XMRig Cryptominer

Water Sigbin uses a multi-stage loading chain to deliver the PureCrypter loader and the XMRig miner, exploiting the Oracle WebLogic vulnerabilities CVE-2017-3506 and CVE-2023-21839 and then running a PowerShell script on the compromised host. The operation relies on in-memory, fileless techniques (reflective DLL loading and process injection) together with code obfuscation and persistence mechanisms to evade detection. #WaterSigbin #8220Gang #XMRig #PureCrypter #CVE-2017-3506 #CVE-2023-21839 #OracleWebLogic

Keypoints

  • Water Sigbin exploits CVE-2017-3506 and CVE-2023-21839 to deploy cryptocurrency miners via a PowerShell script.
  • The threat actor uses fileless techniques, including DLL reflective loading and process injection, to run in memory and avoid disk-based detection.
  • A multi-stage loading chain delivers the PureCrypter loader and the XMRig miner, with staged components and in-memory payloads.
  • Obfuscation and anti-debugging measures (e.g., .NET Reactor) hinder reverse engineering and analysis.
  • Persistence and defense-evasion tactics include creating scheduled tasks, mutexes, and Windows Defender exclusions.
  • The campaign establishes C2 communications, encrypts the fetched configuration and stores it in the registry, and derives a victim-specific ID from hardware information that names the registry subkey holding that configuration.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The attacker exploited Oracle WebLogic vulnerabilities (CVE-2017-3506 and CVE-2023-21839) to deploy cryptocurrency miners via PowerShell scripts. ‘Water Sigbin continues to exploit CVE-2017-3506 and CVE-2023-21839 to deploy cryptocurrency miners via a PowerShell script.’
  • [T1059.001] PowerShell – The PowerShell script decodes and executes the first-stage payload after exploitation. ‘Upon successful exploitation of CVE-2017-3506, Water Sigbin deploys a PowerShell script on the compromised machine.’
  • [T1047] Windows Management Instrumentation – The malware collects system information using WMI queries. ‘collects system information, which includes usernames, installed antivirus software, and CPU information, using Windows Management Instrumentation (WMI) queries.’
  • [T1036.005] Masquerading: Match Legitimate Name or Location – The malware impersonates the WireGuard VPN application to appear legitimate. ‘The malware impersonates the legitimate VPN application WireGuard to deceive users and AV engines.’
  • [T1140] Deobfuscate/Decode Files or Information – Obfuscation and protection hinder reverse engineering of payloads. ‘This protection obfuscates the code, making it difficult for defenders to understand and replicate.’
  • [T1112] Modify Registry – The malware stores configuration data in registry keys for persistence and configuration. ‘The malware stores the decrypted response in a registry key under the subkey path HKEY_CURRENT_USER\SOFTWARE.’
  • [T1562.001] Impair Defenses: Disable or Modify Tools – It adds malware-related files/processes to Windows Defender exclusions. ‘Add-MpPreference -ExclusionPath … -Force; Add-MpPreference -ExclusionProcess …’
  • [T1620] Reflective Code Loading – In-memory loading via reflective DLL injection to avoid touching disk. ‘Reflective DLL injection for in-memory execution.’
  • [T1055.012] Process Injection: Process Hollowing – The loader injects payload into memory and starts a new process. ‘process injection to load the next stage payload into memory and start the new process.’
  • [T1053.005] Scheduled Task/Job: Scheduled Task – The malware creates a high-privilege scheduled task for persistence. ‘The malware can create a scheduled task with the highest privilege that runs 15 seconds after creation and then runs at random intervals…’
  • [T1057] Process Discovery – Listed in the technique mapping; the quoted behaviour, spawning cvtres.exe as a host for the injected payload, is process injection (T1055) rather than process enumeration. ‘The loader creates a new process named cvtres.exe in the path …’
  • [T1012] Query Registry – The malware reads back the configuration it stores under the victim-specific subkey. ‘registry key under the subkey path HKEY_CURRENT_USER\SOFTWARE\<Victim ID>’
  • [T1518.001] Software Discovery: Security Software Discovery – It retrieves installed antivirus software to tailor defenses. ‘retrieves installed AV using WMI query’
  • [T1082] System Information Discovery – It collects hardware and system information to generate a victim ID. ‘collects hardware information… [and] a format … [Processor ID]-…’
  • [T1071] Application Layer Protocol – C2 communications use an application-layer protocol over an encrypted channel to fetch the XMRig configuration. ‘C&C server at 89.185.85.102:9091’ and ‘encrypted response’
  • [T1001] Data Obfuscation – Data is encrypted/decrypted and compressed to evade detection. ‘AES encryption and gzip decompression’ and ‘TripleDES symmetric-key encryption’
  • [T1571] Non-Standard Port – C2 and mining communications use non-standard port 9091. ‘C&C server at 89.185.85.102:9091’
  • [T1095] Non-Application Layer Protocol – Listed in the technique mapping; the summary gives no detail on which non-application-layer protocol is used.

Indicators of Compromise

  • [IP] C2 and mining endpoints – 89.185.85.102:9091, 217.182.205.238:8080
  • [Domain] C2 domain – god.sck-dns.cc
  • [Hash] First-stage and second-stage loaders – f4d11b36a844a68bf9718cf720984468583efa6664fc99966115a44b9a20aa33, 0bf87b0e65713bf35c8cf54c9fa0015fa629624fd590cb4ba941cd7cdeda8050, b380b771c7f5c2c26750e281101873772e10c8c1a0d2a2ff0aff1912b569ab93, 2e32c5cea00f8e4c808eae806b14585e8672385df7449d2f6575927537ce8884
  • [File name] Observed loader/payload names – wireguard2-3.exe, Zxpus.dll, cvtres.exe, Tixrgtluffu.dll, AddinProcess.exe, IsSynchronized.exe, plugin3.dll
  • [Registry Key] Persistence/config – HKEY_CURRENT_USER\SOFTWARE\<Victim ID>
  • [Wallet] Crypto wallet address – ZEPHYR2xf9vMHptpxP6VY4hHwTe94b2L5SGyp9Czg57U8DwRT3RQvDd37eyKxoFJUYJvP5ivBbiFCAMyaKWUe9aPZzuNoDXYTtj2Z.c4k
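
A detection pass that encodes the behaviours in the technique list above (PowerShell spawned by the WebLogic java.exe process, Add-MpPreference exclusions, a highest-privilege scheduled task, cvtres.exe/AddinProcess.exe as injection hosts, the victim-ID registry subkey) together with the atomic indicators in the IOC list. This is an added example, not code from the Trend Micro report or this summary. The log format (timestamp|Key=Value fields with Sysmon-style event IDs), the sample log lines, the allow-list of legitimate cvtres.exe parents, and the dash-joined hex form assumed for the victim-ID subkey are all constructed assumptions.

```python
import re

# Atomic indicators from the IOC list above.
C2_ENDPOINTS = {"89.185.85.102:9091", "217.182.205.238:8080"}
C2_DOMAINS = {"god.sck-dns.cc"}
PAYLOAD_HASHES = {
    "f4d11b36a844a68bf9718cf720984468583efa6664fc99966115a44b9a20aa33",
    "0bf87b0e65713bf35c8cf54c9fa0015fa629624fd590cb4ba941cd7cdeda8050",
    "b380b771c7f5c2c26750e281101873772e10c8c1a0d2a2ff0aff1912b569ab93",
    "2e32c5cea00f8e4c808eae806b14585e8672385df7449d2f6575927537ce8884",
}
PAYLOAD_NAMES = {"wireguard2-3.exe", "zxpus.dll", "tixrgtluffu.dll",
                 "issynchronized.exe", "plugin3.dll"}
WALLET = ("ZEPHYR2xf9vMHptpxP6VY4hHwTe94b2L5SGyp9Czg57U8DwRT3RQvDd37eyKxoFJUYJvP5"
          "ivBbiFCAMyaKWUe9aPZzuNoDXYTtj2Z.c4k")
# cvtres.exe and AddinProcess.exe are legitimate .NET binaries that the loader uses
# as injection hosts; flag them only under a parent that is not a build tool.
HOST_PROCESSES = {"cvtres.exe", "addinprocess.exe"}
BUILD_PARENTS = {"msbuild.exe", "csc.exe", "vbc.exe", "devenv.exe"}  # assumed allow-list

EXCLUSION = re.compile(r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\b", re.I)
HIGHEST_TASK = re.compile(r"(?:schtasks\b.*\s/RL\s+HIGHEST\b)|(?:Register-ScheduledTask\b.*-RunLevel\s+Highest\b)", re.I)
# Victim-ID subkey: assumed to be dash-joined hex groups, e.g. <ProcessorId>-<...>.
VICTIM_KEY = re.compile(r"^HKCU\\SOFTWARE\\[0-9A-F]{6,}(?:-[0-9A-F]{2,})+(?:\\|$)", re.I)


def parse(line):
    """Split 'timestamp|Key=Value|Key=Value' into a dict (constructed log format)."""
    ts, *fields = line.strip().split("|")
    event = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        event[key.strip()] = value.strip()
    return event


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the (technique, reason) pairs that fire for one parsed event."""
    hits = []
    cmd = event.get("CommandLine", "")
    image, parent = basename(event.get("Image", "")), basename(event.get("ParentImage", ""))
    eid = event.get("EventID")
    if eid == "1":  # process creation
        if image == "powershell.exe" and parent == "java.exe":
            hits.append(("T1059.001", "PowerShell spawned by java.exe (WebLogic host process)"))
        if EXCLUSION.search(cmd):
            hits.append(("T1562.001", "Defender exclusion added via Add-MpPreference"))
        if HIGHEST_TASK.search(cmd):
            hits.append(("T1053.005", "scheduled task created with highest run level"))
        if image in HOST_PROCESSES and parent not in BUILD_PARENTS:
            hits.append(("T1055", f"{image} started by unexpected parent {parent or '?'}"))
        if {image, parent} & PAYLOAD_NAMES or any(n in cmd.lower() for n in PAYLOAD_NAMES):
            hits.append(("IOC", "known Water Sigbin file name"))
        if event.get("SHA256", "").lower() in PAYLOAD_HASHES:
            hits.append(("IOC", "known Water Sigbin payload hash"))
        if WALLET in cmd:
            hits.append(("IOC", "Water Sigbin mining wallet on command line"))
    elif eid == "3":  # network connection
        endpoint = f"{event.get('DestinationIp')}:{event.get('DestinationPort')}"
        if endpoint in C2_ENDPOINTS:
            hits.append(("T1571", f"connection to known C2/mining endpoint {endpoint}"))
    elif eid == "13" and VICTIM_KEY.match(event.get("TargetObject", "")):  # registry value set
        hits.append(("T1112", "value written under HKCU\\SOFTWARE\\<victim id>"))
    elif eid == "22" and event.get("QueryName", "").lower() in C2_DOMAINS:  # DNS query
        hits.append(("T1071", f"DNS query for C2 domain {event['QueryName']}"))
    return hits


def hunt(lines):
    """Run every rule over every line; returns (timestamp, technique, reason) tuples."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = parse(line)
        for technique, reason in evaluate(event):
            findings.append((event["ts"], technique, reason))
    return findings


# Constructed sample log: seven attack lines followed by two benign ones.
SAMPLE_LOG = r"""
2024-06-10T02:14:01Z|EventID=1|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Oracle\Middleware\jdk\bin\java.exe|CommandLine=powershell.exe -nop -w hidden -enc SQBFAFgA
2024-06-10T02:14:03Z|EventID=1|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Users\Public\wireguard2-3.exe|CommandLine=powershell Add-MpPreference -ExclusionPath C:\Users\Public -Force; Add-MpPreference -ExclusionProcess cvtres.exe
2024-06-10T02:14:05Z|EventID=1|Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe|ParentImage=C:\Users\Public\wireguard2-3.exe|CommandLine=cvtres.exe|SHA256=f4d11b36a844a68bf9718cf720984468583efa6664fc99966115a44b9a20aa33
2024-06-10T02:14:06Z|EventID=13|Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe|TargetObject=HKCU\SOFTWARE\BFEBFBFF000906EA-1A2B3C4D\cfg
2024-06-10T02:14:07Z|EventID=22|Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe|QueryName=god.sck-dns.cc
2024-06-10T02:14:08Z|EventID=3|Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe|DestinationIp=89.185.85.102|DestinationPort=9091
2024-06-10T02:14:20Z|EventID=1|Image=C:\Windows\System32\schtasks.exe|ParentImage=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe|CommandLine=schtasks /create /tn Updater /tr C:\Users\Public\IsSynchronized.exe /sc minute /mo 1 /RL HIGHEST /f
2024-06-10T09:00:00Z|EventID=1|Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe|ParentImage=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe|CommandLine=cvtres.exe /NOLOGO /READONLY
2024-06-10T09:00:01Z|EventID=1|Image=C:\Windows\System32\svchost.exe|ParentImage=C:\Windows\System32\services.exe|CommandLine=svchost.exe -k netsvcs
""".splitlines()

if __name__ == "__main__":
    for ts, technique, reason in hunt(SAMPLE_LOG):
        print(f"{ts}  {technique:<10} {reason}")
```

The behavioural rules are what carry weight here: the hashes, file names and endpoints are trivially rotated by the operator, while PowerShell under java.exe, Add-MpPreference exclusions from a user-writable path, and cvtres.exe under a non-build parent survive a rebuild of the loader. The two benign lines at the end show the parent-process allow-list keeping legitimate compiler-driven cvtres.exe runs out of the results.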

Read more: https://www.trendmicro.com/en_us/research/24/f/water-sigbin-xmrig.html