Decoding Water Sigbin's Latest Obfuscation Tricks
Essential information
- Published
- 30/05/2024 07:03
- Modified
- 30/05/2024 07:31
- Tags
- 2024-05-30 CVE-2017-3506 CVE-2023-21839 cryptocoin miner exploits powershell
- Related entities
- 2 vulnerabilities (cve), 9 observables, 1 intrusion sets (apt), 8 techniques (mitre)
Description
The China-based threat group Water Sigbin, known for deploying cryptocurrency-mining malware, exhibited new techniques to evade detection. It exploited CVE-2017-3506 and CVE-2023-21839 to deploy a PowerShell script executing a miner. The script utilized complex encoding, environment variables to hide malicious code, and fileless execution through .NET reflection. These evolving tactics underscore the necessity for robust cybersecurity measures like patch management and incident response plans.
External references
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/e/decoding-the-8220-gang-latest-obfuscation-tricks/decoding-the-8220-gangs-latest-obfuscation-tricks.txt
- https://www.trendmicro.com/en_us/research/24/e/decoding-8220-latest-obfuscation-tricks.html
- https://otx.alienvault.com/pulse/665824da76f378098bbeec55