Back

Decoding Water Sigbin's Latest Obfuscation Tricks

May 30, 2024, 7:31 a.m.

Tags

powershell
2024-05-30
exploits
CVE-2023-21839
cryptocoin miner
CVE-2017-3506

External References

https://www.trendmicro.com/

https://www.trendmicro.com/

https://otx.alienvault.com/

Description

The China-based threat group Water Sigbin, known for deploying cryptocurrency-mining malware, exhibited new techniques to evade detection. It exploited CVE-2017-3506 and CVE-2023-21839 to deploy a PowerShell script executing a miner. The script utilized complex encoding, environment variables to hide malicious code, and fileless execution through .NET reflection. These evolving tactics underscore the necessity for robust cybersecurity measures like patch management and incident response plans.

Date

Published Created Modified
May 30, 2024, 7:03 a.m. May 30, 2024, 7:03 a.m. May 30, 2024, 7:31 a.m.

Indicators

http://187.172.128.146:443/bin.ps1

http://185.172.128.146:443/bin.ps1'

Attack Patterns

Water Sigbin

T1132.001

T1564.003

T1055.002

T1059.001

T1071.001

T1105

T1140

T1190

CVE-2023-21839

CVE-2017-3506