Today > | 1 Medium vulnerabilities   -   You can now download lists of IOCs here!

Decoding Water Sigbin's Latest Obfuscation Tricks

May 30, 2024, 7:31 a.m.

Description

The China-based threat group Water Sigbin, known for deploying cryptocurrency-mining malware, exhibited new techniques to evade detection. It exploited CVE-2017-3506 and CVE-2023-21839 to deploy a PowerShell script executing a miner. The script utilized complex encoding, environment variables to hide malicious code, and fileless execution through .NET reflection. These evolving tactics underscore the necessity for robust cybersecurity measures like patch management and incident response plans.

Date

Published: May 30, 2024, 7:03 a.m.

Created: May 30, 2024, 7:03 a.m.

Modified: May 30, 2024, 7:31 a.m.

Indicators

91.92.248.35

89.169.52.37

87.121.105.232

45.15.158.154

46.226.164.8

187.172.128.146

185.172.128.146

http://187.172.128.146:443/bin.ps1

http://185.172.128.146:443/bin.ps1'

Attack Patterns

Water Sigbin

T1132.001

T1564.003

T1055.002

T1059.001

T1071.001

T1105

T1140

T1190

CVE-2023-21839

CVE-2017-3506