Network Security, Threat Intelligence

Additional old Oracle WebLogic flaws used for cryptomining

Close up view of internet equipment and cables in the server room.

Vulnerable Oracle WebLogic Servers impacted by old flaws, tracked as CVE-2017-3506, CVE-2017-10271, and CVE-2023-21839, have been targeted as part of a cryptocurrency operation by the threat operation 8220 Gang, also known as Water Sigbin, The Hacker News reports.

After successfully infiltrating WebLogic Servers, attackers distributed a PowerShell script launching a WireGuard VPN app-spoofing initial stage loader that facilitated PureCrypter loader delivery, a Trend Micro analysis showed.

With PureCrypter enabling hardware data exfiltration, scheduled task creation, and Microsoft Defender Antivirus file exclusions, the XMRig cryptocurrency miner is eventually launched from the attackers' command-and-control server, researchers said.

Such a development follows a QiAnXin XLab team report describing how the Tsunami distributed denial-of-service botnet and PwnRig cryptominer were distributed by the 8220 Gang through the novel k4spreader installer tool.

"k4spreader is written in cgo, including system persistence, downloading and updating itself, and releasing other malware for execution," said QiAnXin XLab researchers.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.