Decoding Water Sigbin's Latest Obfuscation Tricks

May 30, 2024, 7:31 a.m.

Description

The China-based threat group Water Sigbin, known for deploying cryptocurrency-mining malware, has exhibited new techniques to evade detection. It exploited CVE-2017-3506 and CVE-2023-21839 to deploy a PowerShell script that executes a miner. The script used layered encoding, environment variables to hide the malicious code, and fileless execution through .NET reflection. These evolving tactics underscore the need for robust defensive measures such as patch management and incident response plans.

Date

  • Created: May 30, 2024, 7:03 a.m.
  • Published: May 30, 2024, 7:03 a.m.
  • Modified: May 30, 2024, 7:31 a.m.

Indicators


Attack Patterns

  • Water Sigbin
  • T1132.001 (Data Encoding: Standard Encoding)
  • T1564.003 (Hide Artifacts: Hidden Window)
  • T1055.002 (Process Injection: Portable Executable Injection)
  • T1059.001 (Command and Scripting Interpreter: PowerShell)
  • T1071.001 (Application Layer Protocol: Web Protocols)
  • T1105 (Ingress Tool Transfer)
  • T1140 (Deobfuscate/Decode Files or Information)
  • T1190 (Exploit Public-Facing Application)

Linked vulnerabilities