Examining Water Sigbin's Infection Routine Leading to an XMRig Cryptominer

June 28, 2024, 7:57 a.m.

Description

This report details the multi-stage loading technique used by the threat actor Water Sigbin to deliver the PureCrypter loader and the XMRig cryptocurrency miner. The actor exploits vulnerabilities in Oracle WebLogic servers and relies on fileless execution tactics, namely reflective DLL loading and process injection, to evade disk-based detection. The malware is obfuscated with commercial code-protection software and anti-debugging techniques, which makes analysis challenging.

Date

  • Created: June 28, 2024, 7:39 a.m.
  • Published: June 28, 2024, 7:39 a.m.
  • Modified: June 28, 2024, 7:57 a.m.

Indicators

Attack Patterns

  • PureCrypter
  • XMRig
  • Water Sigbin
  • T1053.005
  • T1055.012
  • T1059.001
  • T1571
  • T1012
  • T1095
  • T1518.001
  • T1036.005
  • T1562.001
  • T1082
  • T1057
  • T1071
  • T1047
  • T1140
  • T1112
  • T1001
  • T1190
  • CVE-2023-21839
  • CVE-2017-3506