Examining Water Infection Routine Leading to an XMRig Cryptominer

June 28, 2024, 7:57 a.m.

Description

This report details the multi-stage loading technique used by the threat actor Water Sigbin to deliver the PureCrypter loader and the XMRig cryptocurrency miner. The actor exploits vulnerabilities in Oracle WebLogic servers and relies on fileless execution techniques, such as reflective DLL loading and process injection, to evade disk-based detection mechanisms. The malware uses code protection software and anti-debugging techniques for obfuscation, making analysis challenging.

Date

Published: June 28, 2024, 7:39 a.m.
Created: June 28, 2024, 7:39 a.m.
Modified: June 28, 2024, 7:57 a.m.

Indicators


Attack Patterns

PureCrypter

XMRig

Water Sigbin

T1053.005

T1055.012

T1059.001

T1571

T1012

T1095

T1518.001

T1036.005

T1562.001

T1082

T1057

T1071

T1047

T1140

T1112

T1001

T1190

CVE-2023-21839

CVE-2017-3506