Decoding Water Sigbin’s Latest Obfuscation Tricks

Water Sigbin exploited Oracle WebLogic vulnerabilities CVE-2017-3506 and CVE-2023-21839 to deploy a cryptocurrency miner via a PowerShell script. The group uses advanced obfuscation and fileless techniques to conceal activity across Windows and Linux environments. #WaterSigbin #8220Gang #CVE-2017-3506 #CVE-2023-21839 #OracleWebLogic #PowerShell

Key points

  • Water Sigbin (the 8220 Gang) exploited CVE-2017-3506 and CVE-2023-21839 on Oracle WebLogic to deploy a cryptocurrency miner via bin.ps1.
  • The attack chain relies on obfuscation, including hexadecimal URL encoding and using HTTP over port 443 for stealthy delivery.
  • The PowerShell script and resulting batch file use complex encoding and environment variables to hide malicious code.
  • Fileless execution is achieved through .NET/Reflection techniques in PowerShell, enabling in-memory malware execution.
  • Water Sigbin continuously evolves its tools and TTPs, underscoring the need for ongoing patching, training, and incident response planning.
  • Recommendations emphasize patch management, network segmentation, regular audits, security awareness, incident response, and threat intelligence.
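The obfuscation layers summarised above (batch environment-variable tricks, base64-wrapped PowerShell, hex-encoded download URLs) are the layers an analyst has to peel back when triaging a host. The script below is an added, defender-side example and is not code from the Trend Micro report or from the Water Sigbin tooling. It assumes three concrete forms that the summary does not spell out: cmd.exe substring expansion (`%VAR:~start,len%`) for the batch obfuscation, `-EncodedCommand`/`FromBase64String` blobs for the base64 layer, and percent-hex encoding for the URL. All sample inputs are constructed inline, including the TEST-NET address; none of them are the real bin.ps1 or microsoft_office365.bat contents.

```python
"""Added example: peel back batch env-var, base64 and hex-URL obfuscation layers.

Not the report's or the threat actor's code. The obfuscation forms handled here
are assumptions about how the summarised techniques typically appear.
"""
import base64
import re
from urllib.parse import unquote

# cmd.exe substring expansion: %NAME:~start,len%  (len is optional, may be negative)
_SUBSTR = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*):~(-?\d+)(?:,(-?\d+))?%")
_PLAIN = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")
# base64 handed to .NET directly, or via -e / -enc / -EncodedCommand (UTF-16LE)
_B64_CALL = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")
_ENC_CMD = re.compile(r"(?i)-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})")
_SET_LINE = re.compile(r"(?i)set\s+\"?([A-Za-z_][A-Za-z0-9_]*)=(.*?)\"?$")


def cmd_substring(value: str, start: int, length) -> str:
    """Mimic cmd.exe %VAR:~start,len%: negative start counts from the end,
    negative len stops that many characters before the end."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if length is None:
        return value[start:]
    end = n + length if length < 0 else start + length
    return value[start:end] if end > start else ""


def expand_batch(line: str, env: dict) -> str:
    """Expand substring references first, then plain %NAME% references."""
    def sub(m):
        val = env.get(m.group(1))
        if val is None:
            return m.group(0)  # unknown variable: leave untouched for the analyst
        length = None if m.group(3) is None else int(m.group(3))
        return cmd_substring(val, int(m.group(2)), length)
    line = _SUBSTR.sub(sub, line)
    return _PLAIN.sub(lambda m: env.get(m.group(1), m.group(0)), line)


def deobfuscate_batch(script: str) -> list:
    """Collect `set NAME=value` definitions and return every other line expanded."""
    env, out = {}, []
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SET_LINE.match(line)
        if m:
            env[m.group(1)] = expand_batch(m.group(2), env)
            continue
        out.append(expand_batch(line, env))
    return out


def decode_embedded_base64(cmdline: str) -> list:
    """Return decoded payloads found in a (de-obfuscated) command line."""
    found = []
    for m in _B64_CALL.finditer(cmdline):
        found.append(base64.b64decode(m.group(1)).decode("utf-8", "replace"))
    for m in _ENC_CMD.finditer(cmdline):
        # PowerShell -EncodedCommand is base64 over UTF-16LE, not UTF-8
        found.append(base64.b64decode(m.group(1)).decode("utf-16-le", "replace"))
    return found


def decode_hex_url(url: str) -> str:
    """Undo percent-hex encoding (assumed form of the 'hexadecimal URL encoding')."""
    return unquote(url)


def triage_batch(script: str) -> dict:
    """One-shot view: expanded lines plus any base64 payloads they carry."""
    expanded = deobfuscate_batch(script)
    decoded = [p for line in expanded for p in decode_embedded_base64(line)]
    return {"expanded": expanded, "decoded_payloads": decoded}


# --- constructed samples (built at runtime, not real artefacts) -------------
INNER_PS = "Write-Output 'constructed sample payload'"
SAMPLE_ENC = base64.b64encode(INNER_PS.encode("utf-16-le")).decode()
SAMPLE_B64 = base64.b64encode(b"# constructed decoded stage").decode()
SAMPLE_BAT = f'''
set "p=qwertypowershell.exe"
set "m=maxstart /min"
%m:~3% %p:~6% -w hidden -enc {SAMPLE_ENC}
'''
SAMPLE_PS = f"[System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('{SAMPLE_B64}'))"
SAMPLE_HEX_URL = "h%74%74p://203.0.113.10:443/%62in.%70s1"  # TEST-NET address, constructed

if __name__ == "__main__":
    print(triage_batch(SAMPLE_BAT))
    print(decode_embedded_base64(SAMPLE_PS))
    print(decode_hex_url(SAMPLE_HEX_URL))
```

Running the script on the constructed batch sample reconstructs `start /min powershell.exe -w hidden -enc ...` (the minimised-window launch and hidden PowerShell mentioned in the technique list) and then recovers the UTF-16LE payload behind `-enc`; unknown variables are deliberately left unexpanded so that an incomplete capture still produces a readable line rather than a silent wrong answer.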

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The attacker exploited Oracle WebLogic vulnerabilities CVE-2017-3506 and CVE-2023-21839 to deploy a cryptocurrency miner via a PowerShell script. ‘exploiting vulnerabilities CVE-2017-3506 and CVE-2023-21839 to deploy a cryptocurrency miner via a PowerShell script.’
  • [T1059.001] Command and Scripting Interpreter: PowerShell – The attack relies on a PowerShell script (bin.ps1) to deliver the payload. ‘PowerShell script named bin.ps1 on the victim host.’
  • [T1140] Deobfuscate/Decode Files or Information – The base64-encoded content is decoded to reveal core script elements. ‘The base64-encoded content decoded by the Convert-Base64ToFileAndExecuteSilently function in the bin.ps1 file reveals the core script elements.’
  • [T1027.010] Obfuscated Files or Information: Command Obfuscation – The microsoft_office365.bat script uses environment variables to obfuscate the code. ‘The microsoft_office365.bat script employs environment variables to obfuscate the original script code.’
  • [T1564.003] Hide Artifacts: Hidden Window – The delivery includes starting a new command prompt in minimized mode to hide the window. ‘start a new command prompt window in minimized mode.’
  • [T1620] Reflective Code Loading – In-memory, reflective loading is used to run code without touching disk. ‘By leveraging “System.Reflection.Assembly,” the attacker orchestrates a fileless execution strategy, ensuring that all operations occur solely in memory.’
  • [T1055.002] Process Injection: Portable Executable Injection – The fileless approach is consistent with in-memory execution techniques that bypass disk-based defenses. ‘By leveraging “System.Reflection.Assembly,” the attacker orchestrates a fileless execution strategy, ensuring that all operations occur solely in memory.’
  • [T1132.001] Data Encoding: Standard Encoding – The payload uses base64 encoding and decoding steps to conceal content. ‘Decodes the base64 string (Convert.FromBase64String)’
  • [T1071.001] Application Layer Protocol: Web Protocols – The payload communicates via HTTP over port 443. ‘Employing HTTP over port 443 for stealthy communication.’
  • [T1105] Ingress Tool Transfer – The attackers download the PowerShell script from a remote URL. ‘the URL used to download and deploy the PowerShell script is depicted in the following image’

Indicators of Compromise

  • [URL] – payload delivery endpoints used to fetch bin.ps1 (defanged): 187.172.128.146:443/bin[.]ps1, 185.172.128.146:443/bin[.]ps1
  • [File Name] – bin.ps1, microsoft_office365.bat

Read more: https://www.trendmicro.com/en_us/research/24/e/decoding-8220-latest-obfuscation-tricks.html