Hackers used ScrubCrypt crypter to exploit the WebLogic flaw

March 21, 2023

The 8220 threat group has reemerged and is targeting Oracle WebLogic server vulnerabilities using the ScrubCrypt crypter. Based on reports, the group adopted the newly discovered crypter because it gives them the ability to bypass security products and evade debugging tools.

The 8220 gang has been very active since the start of 2023. The group has run new attack campaigns that reuse the same infrastructure seen in numerous attacks last January and February. In this campaign, the attackers target an HTTP URI exposed by the Oracle WebLogic server to gain initial access to the targeted device.

Subsequently, the adversaries download a PowerShell script that uses encoded code and strings to evade detection by anti-malware solutions. The script carries an encoded file, which is stored on the compromised device under a name that impersonates a system file so the malware can avoid detection. This stage then loads ScrubCrypt.
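The encoded-PowerShell stage described above is one of the easiest parts of this chain for defenders to surface in process-creation or script-block logs. The following is an added example, not code from the original article or from the researchers it cites: it decodes the UTF-16LE Base64 payload behind `-EncodedCommand` (and its short forms) and scores each log line against a small indicator list. The log lines are constructed for the example, and the indicator list is the editor's choice, not an official signature set.

```python
"""Flag encoded or obfuscated PowerShell in process-creation log lines (added example)."""
import base64
import re

# Indicators commonly associated with obfuscated PowerShell loaders
# (MITRE ATT&CK T1027 / T1059.001). Matched case-insensitively.
SUSPICIOUS_TOKENS = (
    "frombase64string",
    "invoke-expression",
    "iex ",
    "downloadstring",
    "net.webclient",
    "-windowstyle hidden",
)

# -EncodedCommand and its abbreviations, followed by a Base64 blob.
ENC_FLAG = re.compile(
    r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE
)


def decode_encoded_command(line):
    """Return the decoded -EncodedCommand payload (UTF-16LE text), or None."""
    m = ENC_FLAG.search(line)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_line(line):
    """Decode any encoded command and collect indicator hits for one log line.

    A single encoded command is common in legitimate administration, so a line
    is only marked suspicious when two or more indicators fire together.
    """
    decoded = decode_encoded_command(line)
    haystack = (line + " " + (decoded or "")).lower()
    hits = [t for t in SUSPICIOUS_TOKENS if t in haystack]
    if decoded is not None:
        hits.append("encodedcommand")
    hits = sorted(set(hits))
    return {"decoded": decoded, "indicators": hits, "suspicious": len(hits) >= 2}


def b64_utf16(text):
    """Encode text the way PowerShell expects for -EncodedCommand (UTF-16LE, Base64)."""
    return base64.b64encode(text.encode("utf-16le")).decode("ascii")


# Constructed sample scripts and log lines; they are NOT captures from the 8220 campaign.
BENIGN_SCRIPT = "Write-Output 'hello'"
STAGED_SCRIPT = "$b = [Convert]::FromBase64String('QUJD'); Write-Output $b"

SAMPLE_LOG_LINES = [
    "CommandLine: powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
    + b64_utf16(STAGED_SCRIPT),
    "CommandLine: powershell.exe -enc " + b64_utf16(BENIGN_SCRIPT),
    'CommandLine: powershell.exe -Command "Get-Date"',
]


def scan(lines=SAMPLE_LOG_LINES):
    """Analyse every line and return the per-line results in order."""
    return [analyse_line(line) for line in lines]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_LOG_LINES, scan()):
        print("SUSPICIOUS" if result["suspicious"] else "ok        ", result["indicators"])
        if result["decoded"]:
            print("   decoded:", result["decoded"])
```

The decoded text is returned alongside the verdict so an analyst can review a single encoded command that did not reach the threshold; Base64 that is not valid UTF-16LE is reported as undecodable rather than raising, since malformed blobs are themselves worth a look.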


The ScrubCrypt crypter operators claim it could bypass all known security programs by modifying its settings.


According to investigations, the developers of the ScrubCrypt crypter advertise their product as a tool that encrypts and modifies applications so that they can bypass every security program, including Windows Defender.

Additionally, the tool can detect debugging software and virtual machines on the targeted host. It also checks the target's OS version, which lets its operators decide whether to continue the operation.

The tool can also establish persistence on the compromised target by altering registry entries. Lastly, ScrubCrypt decrypts a payload, loads it in memory, and launches it, which deploys a Monero miner.
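Two of the behaviours above, registry-based persistence and a dropped file named after a system binary, leave artefacts that can be checked together in autorun entries. The following is an added example written for this page, not the article's or the researchers' code: it assesses Run-key entries for an image whose name matches a well-known Windows binary but lives outside a Windows system directory, and for an autorun that launches encoded PowerShell. The entries, the system-binary name list and the rule set are the editor's constructions; a real deployment would feed it the output of an autoruns collector.

```python
"""Assess Run-key autorun entries for masquerading and encoded launchers (added example)."""
import ntpath
import re

# Directories where a binary with one of the names below is expected to live.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows")

# Legitimate Windows binary names that malware commonly borrows (editor's list).
SYSTEM_BINARY_NAMES = {
    "svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe",
    "winlogon.exe", "services.exe", "conhost.exe", "dllhost.exe",
}

ENCODED_PS = re.compile(r"-(?:encodedcommand|enc|ec|e)\b")


def extract_image_path(command):
    """Return the executable path from a Run-key command string.

    Handles the two common shapes: a quoted path followed by arguments, and an
    unquoted path where the first whitespace-separated token is the image.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def is_in_system_dir(path):
    """True only when the image's directory is exactly one of SYSTEM_DIRS."""
    directory = ntpath.dirname(path).lower().rstrip("\\")
    return directory in SYSTEM_DIRS  # exact match: C:\Windows\Temp is not a system dir


def assess_autorun(entry):
    """Return a list of findings for one autorun entry (empty list == nothing notable).

    entry is a dict with 'key', 'name' and 'command' (the registry value data).
    """
    path = extract_image_path(entry["command"])
    base = ntpath.basename(path).lower()
    low = entry["command"].lower()
    findings = []
    if base in SYSTEM_BINARY_NAMES and not is_in_system_dir(path):
        findings.append(
            f"system-binary name '{base}' outside a Windows system directory: {path}"
        )
    if "powershell" in low and ENCODED_PS.search(low):
        findings.append("autorun launches encoded PowerShell")
    return findings


# Constructed sample entries in the shape of a Run-key export; not real telemetry.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_AUTORUNS = [
    {"key": RUN_KEY, "name": "OneDrive",
     "command": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"key": RUN_KEY, "name": "svchost",
     "command": r"C:\Users\Public\svchost.exe"},
    {"key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "name": "SecurityHealth",
     "command": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"key": RUN_KEY, "name": "Updater",
     "command": "powershell.exe -nop -w hidden -enc QUJD"},
]


def assess_all(entries=SAMPLE_AUTORUNS):
    """Return findings for each entry, in input order."""
    return [assess_autorun(e) for e in entries]


if __name__ == "__main__":
    for entry, findings in zip(SAMPLE_AUTORUNS, assess_all()):
        status = "REVIEW" if findings else "ok"
        print(f"{status:6} {entry['name']:15} {entry['command']}")
        for f in findings:
            print("       -", f)
```

The directory test is an exact match rather than a prefix test on purpose: `C:\Windows\Temp` and `C:\Windows\Tasks` are writable by unprivileged users and are exactly where a dropped `svchost.exe` would end up, so a prefix check on `C:\Windows` would wave it through.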

Researchers noted that the 8220 gang had used the same mining tactic and IP addresses they previously used in their attacks.

The recent 8220 operation abusing Oracle WebLogic servers and employing ScrubCrypt shows that the group is continually looking for techniques to evade detection. Cybersecurity experts therefore recommend that organisations follow a strict patch-management program and deploy anti-malware solutions to prevent attacks by the 8220 gang.
