Examining Water Infection Routine Leading to an XMRig Cryptominer
Essential information
- Published
- 28/06/2024 07:39
- Modified
- 28/06/2024 07:57
- Tags
- 2024-06-28 CVE-2017-3506 CVE-2023-21839 cryptominer multi-stage loading obfuscation purecrypter vulnerability exploitation xmrig
- Related entities
- 2 vulnerabilities (cve), 13 observables, 1 intrusion sets (apt), 17 techniques (mitre), 2 malware
Description
This report details the multi-stage loading technique utilized by the threat actor Water Sigbin to deliver the PureCrypter loader and XMRig cryptocurrency miner. The actor exploits vulnerabilities in Oracle WebLogic servers, employing fileless execution tactics like DLL reflective and process injection to evade disk-based detection mechanisms. The malware uses code protection software and anti-debugging techniques for obfuscation, making analysis challenging.
External references
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/f/water-sigbin-xmrig/ioc-examining-water-sigbin-Infection-routine-leading-to-an-xmrig-cryptominer.txt
- https://www.trendmicro.com/en_us/research/24/f/water-sigbin-xmrig.html
- https://otx.alienvault.com/pulse/667e68ceab594ce0b8387ecc