Vulnerable Oracle WebLogic Servers impacted by old flaws, tracked as CVE-2017-3506, CVE-2017-10271, and CVE-2023-21839, have been targeted as part of a cryptocurrency operation by the threat operation 8220 Gang, also known as Water Sigbin, The Hacker News reports.
After successfully infiltrating WebLogic Servers, attackers distributed a PowerShell script launching a WireGuard VPN app-spoofing initial stage loader that facilitated PureCrypter loader delivery, a Trend Micro analysis showed.
With PureCrypter enabling hardware data exfiltration, scheduled task creation, and Microsoft Defender Antivirus file exclusions, the XMRig cryptocurrency miner is eventually launched from the attackers' command-and-control server, researchers said.
Such a development follows a QiAnXin XLab team report describing how the Tsunami distributed denial-of-service botnet and PwnRig cryptominer were distributed by the 8220 Gang through the novel k4spreader installer tool.
"k4spreader is written in cgo, including system persistence, downloading and updating itself, and releasing other malware for execution," said QiAnXin XLab researchers.
