Decoding Water Sigbin's Latest Obfuscation Tricks
Water Sigbin (aka the 8220 Gang) is a China-based threat actor that has been active since at least 2017. It focuses on deploying cryptocurrency-mining malware, primarily in cloud-based environments and on Linux servers, and has been known to integrate vulnerability exploitation into its wide array of TTPs. In our previous discussion of the group's tactics, we looked into how it operates using ever-evolving and complex methods. However, cyberthreats rarely remain stagnant, with threat actors constantly finding new ways to outsmart defenders. Recently, we've observed Water Sigbin using new techniques and methods to hide its activities, making the group's attacks harder to defend against. We found the threat actor exploiting two Oracle WebLogic Server vulnerabilities, CVE-2017-3506 (a vulnerability allowing remote OS command execution) and CVE-2023-21839 (an insecure deserialization vulnerability), to deploy a cryptocurrency miner via a PowerShell script named bin.ps1 on the victim host. Upon closer examination of the group's tactics, techniques, and procedures (TTPs), we attributed the exploitation to Water Sigbin, which indicates that the group is continuously updating its deployment scripts and tools. We found exploitation attempts against both Linux and Windows machines, with the threat actor deploying shell scripts on the former and a PowerShell script on the latter. For our analysis, we will refer to the techniques used in the Windows version of the exploitation, which shows a noteworthy obfuscation technique used by Water Sigbin.
Source:
https://www.trendmicro.com/en_us/research/24/e/decoding-8220-latest-obfuscation-tricks.html