Old Cyber Gang Uses New Crypter – ScrubCrypt | FortiGuard Labs

Fortinet FortiGuard Labs tracked the 8220 Gang’s use of ScrubCrypt to obfuscate and encrypt payloads and deliver a Monero-mining operation via a WebLogic vulnerability. The operation combines PowerShell-based loading, in-memory execution, registry-based persistence, and several defense-evasion techniques to evade security tools. #ScrubCrypt #8220Gang #FortiGuardLabs #OracleWebLogic #Monero

Key points

  • FortiGuard Labs detected a ScrubCrypt-based crypter used by the 8220 Gang to infiltrate Windows systems exposed via Oracle WebLogic Server in early 2023.
  • Initial access originated from IPs 163.123.142.210 and 185.17.0.19 targeting the WebLogic URI wls-wsat/CoordinatorPortType.
  • The dropper downloads bypass.ps1, which obfuscates and encodes code to load ScrubCrypt and evade AV/AMSI/ETW defenses.
  • ScrubCrypt employs a BAT/PowerShell workflow, Base64 decoding, AES-CBC decryption, and .NET Reflective Injection to run the final payload in memory.
  • Persistence and defense evasion include registry Run/RunOnce keys, a masquerading OracleUpdate.bat, and UAC bypass attempts with AMSI/ETW evasion.
  • The final payload loads a miner in memory, connects to C2, and uses a Monero wallet address linked to prior 8220 Gang activity.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The attackers target an exploitable Oracle WebLogic Server via a URI: ‘wls-wsat/CoordinatorPortType’. Quote: ‘The attackers have targeted an HTTP URI, “wls-wsat/CoordinatorPortType,” which belongs to an Oracle Weblogic server.’
  • [T1059.001] Command and Scripting Interpreter: PowerShell – The attack downloads a PowerShell script named “bypass.ps1.” Quote: ‘The attack attempts to download a PowerShell named “bypass.ps1”.’
  • [T1140] Deobfuscate/Decode Files or Information – Reversing and Base64 decoding after constants are added to reveal clear text. Quote: ‘three rounds of adding constants, reversing, and Base64 decoding, we finally uncovered clear text.’
  • [T1055] Process Injection (Reflective) – The final payload uses typical .NET Reflective Injection to execute in memory. Quote: ‘The organized code in Figure 6 is a typical .NET Reflective Injection.’
  • [T1562.001] Impair Defenses: Disable or Modify Tools – AMSI/ETW evasion and Windows Defender bypass techniques are employed. Quote: ‘AMSI and ETW evasion, which is executed by “iex” at the end of the attack.’
  • [T1547.001] Boot or Logon Autostart: Registry Run Keys / Startup Folder – Persistence via Run/RunOnce registry entries and a dropped VBS script. Quote: ‘For persistence, it grabs registry values from “Run” and “RunOnce” to determine if this .NET file is already set… adds a registry value to run a VBS file with the content shown in Figure 11.’
  • [T1033] System Owner/User Discovery – The malware decodes a UAC-related artifact and retrieves username information from the compromised endpoint. Quote: ‘It is used to retrieve username information from the compromised endpoint.’
  • [T1548.002] Abuse Elevation Control: Bypass User Account Control – UAC bypass behavior is indicated by checks against BUILTIN\Administrators and decoding UAC data. Quote: ‘If the user is not in that specific group, it decodes the “UAC” data from the “Resources” section…’
  • [T1059.005] Command and Scripting Interpreter: Visual Basic / VBScript (via VBS file) – The registry-based persistence uses a VBScript file. Quote: ‘adds a registry value to run a VBS file with the content shown in Figure 11.’
  • [T1055] Process Injection (Memory-Resident) – The miner is loaded in memory and invoked from a decoded payload. Quote: ‘loads the decoded data named “miner” in memory and invokes the payload.’
  • [T1071.001] Web Protocols – The final miner communicates with a C2 server over a network. Quote: ‘to start the miner process to server 45[.]142[.]122[.]11:8080.’
  • [T1496] Resource Hijacking – The final payload engages in crypto-mining activity using a wallet address. Quote: ‘The crypto wallet address… and the server IP address used in Monero miner have all been used by the 8220 Gang in the past.’
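
The write-up describes peeling three nested layers, each undone by adding a constant back to every byte, reversing the buffer, and Base64-decoding the result. The following decoder is an added illustration, not code from the FortiGuard article or from the 8220 Gang samples; the round constants and the sample plaintext are constructed placeholders, since the blog does not publish the real values. The `obfuscate` helper exists only to build the sample in the same shape, so that the unwrapping order can be checked end to end.

```python
import base64

# Assumed round constants: the blog describes three rounds of "adding constants,
# reversing, and Base64 decoding" but does not publish the values, so these are
# placeholders chosen for the example.
ROUND_CONSTANTS = (3, 7, 11)


def _shift(data: bytes, delta: int) -> bytes:
    """Add delta to every byte, wrapping at 256 (delta may be negative)."""
    return bytes((b + delta) % 256 for b in data)


def obfuscate(plaintext: bytes, constants=ROUND_CONSTANTS) -> bytes:
    """Constructed obfuscator used only to build a sample: the exact inverse of
    the analyst's unwrapping steps, applied once per constant."""
    data = plaintext
    for c in constants:
        data = base64.b64encode(data)  # analyst step 3 (Base64 decode) undoes this
        data = data[::-1]              # analyst step 2 (reverse) undoes this
        data = _shift(data, -c)        # analyst step 1 (add constant) undoes this
    return data


def deobfuscate_rounds(blob: bytes, constants=ROUND_CONSTANTS) -> list[bytes]:
    """Peel the layers in the order the analyst applies them (add constant,
    reverse, Base64-decode) and return every intermediate layer, innermost last.
    Keeping the intermediate layers shows an analyst at which round a wrong
    constant stops producing valid Base64 (b64decode raises binascii.Error)."""
    layers = [blob]
    data = blob
    for c in reversed(constants):       # outermost layer was applied last
        data = _shift(data, c)
        data = data[::-1]
        data = base64.b64decode(data, validate=True)
        layers.append(data)
    return layers


def deobfuscate(blob: bytes, constants=ROUND_CONSTANTS) -> bytes:
    """Return only the fully unwrapped innermost layer."""
    return deobfuscate_rounds(blob, constants)[-1]


# Constructed sample: a harmless placeholder stands in for the real decoded stage.
SAMPLE_PLAINTEXT = b"Write-Output 'placeholder for decoded stage'"
SAMPLE_BLOB = obfuscate(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    for i, layer in enumerate(deobfuscate_rounds(SAMPLE_BLOB)):
        print(f"layer {i}: {layer[:48]!r}")
```

When working on a real sample, replace `ROUND_CONSTANTS` with the values recovered from the script and inspect each layer returned by `deobfuscate_rounds`; a layer that fails strict Base64 validation is the quickest sign that a constant or the step order is wrong.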

Indicators of Compromise

  • [Domains] su-95[.]letmaker[.]top, work[.]letmaker[.]top
  • [IP Addresses] 163[.]123[.]142[.]210, 185[.]17[.]0[.]19, 79[.]137[.]203[.]156, 209[.]141[.]38[.]219, 45[.]142[.]122[.]11, 179[.]43[.]155[.]202
  • [Files] d9e7d3dbb299f76bb8a84e3b72cc8e78e86ea90e2dc777cdcfd51dbd10657f47, 179be54b3c2e29571fec9dcd16781eee3ce997c5352d9cce4834a10fc11d636b
  • And 20+ additional hashes and indicators listed in the article.
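
The indicators above, together with the targeted WebLogic URI, are enough for a first-pass hunt across web-server and network logs. The script below is an added example, not FortiGuard's tooling: it refangs the published indicators, parses combined-format access log lines for requests to `wls-wsat/CoordinatorPortType` or from the listed source IPs, and scans a simple DNS/connection log for the listed domains and IPs. All log lines are constructed for the example; the log formats and the `scan_*` function names are assumptions.

```python
import re
from dataclasses import dataclass

# Indicators as published in the FortiGuard write-up (defanged form).
DEFANGED_IPS = [
    "163[.]123[.]142[.]210", "185[.]17[.]0[.]19", "79[.]137[.]203[.]156",
    "209[.]141[.]38[.]219", "45[.]142[.]122[.]11", "179[.]43[.]155[.]202",
]
DEFANGED_DOMAINS = ["su-95[.]letmaker[.]top", "work[.]letmaker[.]top"]
TARGET_URI = "wls-wsat/CoordinatorPortType"


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IPS = {refang(i) for i in DEFANGED_IPS}
DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

# Combined/common access-log format (assumed); only the fields we need are captured.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
HOST_RE = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


@dataclass
class Hit:
    source: str      # which log the hit came from
    line_no: int     # 1-based line number in that log
    reason: str      # why it matched
    indicator: str   # the matched value


def scan_access_log(lines) -> list[Hit]:
    """Flag requests to the WLS-WSAT endpoint and requests from listed IPs."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = ACCESS_RE.match(line)
        if not m:
            continue                       # skip malformed or unrelated lines
        if TARGET_URI in m["path"]:
            hits.append(Hit("access", n, "request to WebLogic WLS-WSAT endpoint", m["path"]))
        if m["ip"] in IPS:
            hits.append(Hit("access", n, "source IP in published IoC list", m["ip"]))
    return hits


def scan_network_log(lines) -> list[Hit]:
    """Flag listed domains and IPs wherever they appear in DNS/connection records."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            if host.lower() in DOMAINS:
                hits.append(Hit("network", n, "domain in published IoC list", host))
        for ip in IPV4_RE.findall(line):
            if ip in IPS:
                hits.append(Hit("network", n, "IP in published IoC list", ip))
    return hits


# Constructed sample logs for the example (not real traffic).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [01/Feb/2023:10:00:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 512',
    '163.123.142.210 - - [01/Feb/2023:10:00:07 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 231',
    '10.0.0.9 - - [01/Feb/2023:10:01:13 +0000] "GET /wls-wsat/CoordinatorPortType HTTP/1.1" 200 1024',
    '185.17.0.19 - - [01/Feb/2023:10:02:44 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
    "not a log line",
]
SAMPLE_NETWORK_LOG = [
    "2023-02-01T10:03:00Z 10.0.0.9 query A su-95.letmaker.top",
    "2023-02-01T10:03:05Z 10.0.0.9 query A update.example.com",
    "2023-02-01T10:03:09Z 10.0.0.9 connect 45.142.122.11:8080",
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG) + scan_network_log(SAMPLE_NETWORK_LOG):
        print(f"{hit.source}:{hit.line_no} {hit.reason}: {hit.indicator}")
```

Requests to the WLS-WSAT path are worth reviewing even from internal addresses, since the endpoint is the exploitation target regardless of source; the IP and domain matches are short-lived by nature and should be paired with the behavioural indicators in the key points (the `bypass.ps1` download, `OracleUpdate.bat`, and new Run/RunOnce entries).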

Read more: https://www.fortinet.com/blog/threat-research/old-cyber-gang-uses-new-crypter-scrubcrypt