Decoding Water Sigbin's Latest Obfuscation Tricks
May 30, 2024, 7:31 a.m.
Description
The China-based threat group Water Sigbin, known for deploying cryptocurrency-mining malware, has exhibited new techniques to evade detection. It exploited CVE-2017-3506 and CVE-2023-21839 (both Oracle WebLogic Server vulnerabilities) to deploy a PowerShell script that executes a miner. The script used layered encoding, environment variables to hide the malicious code, and fileless execution through .NET reflection. These evolving tactics underscore the need for robust defensive measures such as patch management and incident response plans.
Date
Published: May 30, 2024, 7:03 a.m.
Created: May 30, 2024, 7:03 a.m.
Modified: May 30, 2024, 7:31 a.m.
Indicators
91.92.248.35
89.169.52.37
87.121.105.232
45.15.158.154
46.226.164.8
187.172.128.146
185.172.128.146
http://187.172.128.146:443/bin.ps1
http://185.172.128.146:443/bin.ps1
Attack Patterns
Water Sigbin
T1132.001
T1564.003
T1055.002
T1059.001
T1071.001
T1105
T1140
T1190
CVE-2023-21839
CVE-2017-3506