Examining Water Sigbin's Infection Routine Leading to an XMRig Cryptominer
June 28, 2024, 7:57 a.m.
Description
This report details the multi-stage loading technique used by the threat actor Water Sigbin to deliver the PureCrypter loader and the XMRig cryptocurrency miner. The actor exploits vulnerabilities in Oracle WebLogic servers (the two WebLogic CVEs listed under Attack Patterns) and relies on fileless execution, including reflective DLL loading and process injection, to evade disk-based detection. The malware is wrapped in code-protection software and uses anti-debugging techniques, which complicates analysis.
Date
- Created: June 28, 2024, 7:39 a.m.
- Published: June 28, 2024, 7:39 a.m.
- Modified: June 28, 2024, 7:57 a.m.
Indicators
- e6e69e85962a402a35cbc5b75571dab3739c0b2f3861ba5853dbd140bae4e4da
- f4d11b36a844a68bf9718cf720984468583efa6664fc99966115a44b9a20aa33
- b380b771c7f5c2c26750e281101873772e10c8c1a0d2a2ff0aff1912b569ab93
- 5d8d6871c3d59d855616603f686713ac48bf2351f6182ea282e1d84cbb15b94f
- 2e32c5cea00f8e4c808eae806b14585e8672385df7449d2f6575927537ce8884
- 0bf87b0e65713bf35c8cf54c9fa0015fa629624fd590cb4ba941cd7cdeda8050
- 79.110.49.232
- 89.185.85.102
- 217.182.205.238
- 89.169.52.37
- 87.121.105.232
- http://79.110.49.232/plugin3.dll
- http://87.121.105.232/bin.ps1
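The indicators above are only useful once they are run against telemetry. The following is an added example (not part of the report) that loads the report's hashes, IPs and URLs into sets and scans log lines for them: it refangs defanged notation (hxxp, [.]) so pasted analyst notes match, validates IPv4 candidates so the regex does not trip on timestamps or malformed octets, and still fires on a bare IP hit when no URL is logged, which matters for the non-standard-port C2 the report tags (T1571). The proxy, EDR and firewall log lines are constructed for the example and are not from the report.

```python
"""Match the report's indicators against log lines (proxy, EDR, firewall, analyst notes)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicators copied from the report above.
SHA256_IOCS = {
    "e6e69e85962a402a35cbc5b75571dab3739c0b2f3861ba5853dbd140bae4e4da",
    "f4d11b36a844a68bf9718cf720984468583efa6664fc99966115a44b9a20aa33",
    "b380b771c7f5c2c26750e281101873772e10c8c1a0d2a2ff0aff1912b569ab93",
    "5d8d6871c3d59d855616603f686713ac48bf2351f6182ea282e1d84cbb15b94f",
    "2e32c5cea00f8e4c808eae806b14585e8672385df7449d2f6575927537ce8884",
    "0bf87b0e65713bf35c8cf54c9fa0015fa629624fd590cb4ba941cd7cdeda8050",
}
IP_IOCS = {"79.110.49.232", "89.185.85.102", "217.182.205.238", "89.169.52.37", "87.121.105.232"}
URL_IOCS = {"http://79.110.49.232/plugin3.dll", "http://87.121.105.232/bin.ps1"}

SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


@dataclass(frozen=True)
class Hit:
    kind: str      # "sha256", "url" or "ip"
    value: str
    line_no: int   # 1-based line number in the scanned text


def refang(text: str) -> str:
    """Undo common defanging (hxxp, [.], (.), [:]) so shared IOC text matches raw logs."""
    return text.replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def scan_line(line_no: int, line: str) -> list[Hit]:
    """Return every distinct indicator match on one log line."""
    line = refang(line)
    hits: list[Hit] = []
    seen: set[tuple[str, str]] = set()

    def add(kind: str, value: str) -> None:
        if (kind, value) not in seen:      # an IP may appear twice on a proxy line
            seen.add((kind, value))
            hits.append(Hit(kind, value, line_no))

    for digest in SHA256_RE.findall(line):
        if digest.lower() in SHA256_IOCS:
            add("sha256", digest.lower())
    for url in URL_RE.findall(line):
        url = url.rstrip(".,;)")           # trailing punctuation from free-text notes
        if url.lower() in URL_IOCS:
            add("url", url.lower())
        elif urlparse(url).hostname in IP_IOCS:
            add("ip", urlparse(url).hostname)   # known host, new path: still worth a hit
    for ip in IPV4_RE.findall(line):
        try:
            ipaddress.IPv4Address(ip)      # rejects 300.1.1.1-style regex false positives
        except ValueError:
            continue
        if ip in IP_IOCS:
            add("ip", ip)
    return hits


def scan(text: str) -> list[Hit]:
    hits: list[Hit] = []
    for n, line in enumerate(text.splitlines(), start=1):
        hits.extend(scan_line(n, line))
    return hits


def summarize(hits: list[Hit]) -> dict[str, set[str]]:
    """Collapse hits into the distinct indicators seen, by type."""
    out: dict[str, set[str]] = {"sha256": set(), "url": set(), "ip": set()}
    for h in hits:
        out[h.kind].add(h.value)
    return out


# Constructed sample telemetry (Squid-style proxy, EDR, firewall, analyst note); not from the report.
SAMPLE_LOGS = "\n".join([
    "1719561432.123 312 10.0.0.15 TCP_MISS/200 51234 GET http://87.121.105.232/bin.ps1 - HIER_DIRECT/87.121.105.232 text/plain",
    "1719561433.456 45 10.0.0.15 TCP_MISS/200 4096 GET http://79.110.49.232/plugin3.dll - HIER_DIRECT/79.110.49.232 application/octet-stream",
    "1719561434.789 120 10.0.0.22 TCP_MISS/200 8192 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html",
    "edr event_type=file_create path=C:\\Windows\\Temp\\x.exe sha256=e6e69e85962a402a35cbc5b75571dab3739c0b2f3861ba5853dbd140bae4e4da",
    "firewall action=allow src=10.0.0.15 dst=217.182.205.238 dport=8443 proto=tcp",
    "analyst-note: blocked hxxp://79[.]110[.]49[.]232/plugin3.dll at proxy",
])

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind} {hit.value}")
```

Matching on exact URL strings is deliberately strict; the hostname fallback covers the case where the actor rotates the payload name on a known server, and the bare-IP pass covers raw TCP C2 that never produces a URL in proxy logs.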
Attack Patterns
- T1053.005 Scheduled Task/Job: Scheduled Task
- T1055.012 Process Injection: Process Hollowing
- T1059.001 Command and Scripting Interpreter: PowerShell
- T1571 Non-Standard Port
- T1012 Query Registry
- T1095 Non-Application Layer Protocol
- T1518.001 Software Discovery: Security Software Discovery
- T1036.005 Masquerading: Match Legitimate Name or Location
- T1562.001 Impair Defenses: Disable or Modify Tools
- T1082 System Information Discovery
- T1057 Process Discovery
- T1071 Application Layer Protocol
- T1047 Windows Management Instrumentation
- T1140 Deobfuscate/Decode Files or Information
- T1112 Modify Registry
- T1001 Data Obfuscation
- T1190 Exploit Public-Facing Application
Malware
- PureCrypter
- XMRig
Intrusion Set
- Water Sigbin
Vulnerabilities
- CVE-2023-21839 (Oracle WebLogic Server, unauthenticated remote code execution)
- CVE-2017-3506 (Oracle WebLogic Server, XMLDecoder deserialization remote code execution)