The notorious threat actor known as the “8220 Gang” has recently been linked to a new payload that targets vulnerable Oracle WebLogic Servers through a specific Uniform Resource Identifier (URI). Security researchers at Fortinet have conducted a detailed analysis of this payload, revealing that it deploys ScrubCrypt, a crypter that obfuscates and encrypts applications to evade detection by traditional security programs.
In a recent advisory, Fortinet’s senior antivirus analyst Cara Lin disclosed, “We have examined the malicious code injected into the victim’s system and have identified the threat actor as the 8220 Gang based on the indicators we have collected. This group first emerged in 2017 and derives its name from the use of port 8220 for network communications.”
Lin further explained that ScrubCrypt has undergone at least one update, with its creators claiming that the malware can circumvent Windows Defender and provides anti-debugging and bypass functionality. Fortinet's researchers obtained several samples of ScrubCrypt in February, each with slight variations. The attacks attributed to the 8220 Gang were observed between January and February 2023.
Moreover, Lin pointed out that both the crypto wallet address and the server IP address used in these attacks had previously been associated with the 8220 Gang, even though the attacks no longer use port 8220. She emphasized, “The 8220 Gang is a well-known mining group that typically exploits vulnerabilities in systems through public file-sharing websites to gain unauthorized access to a victim’s environment.”
Lin also highlighted that the threat actor has evolved rapidly, adopting a newer variant of crypter that incorporates evasion and encryption capabilities, making it increasingly challenging for antivirus programs to detect the group’s malicious activities. Lin advised users to stay vigilant against this updated crypter and ensure that their systems are up to date with the latest patches.
It is worth noting that Microsoft had previously detected the activities of the 8220 Gang, issuing a warning against them in July 2022. The persistence and adaptability of this threat actor underscore the importance of robust cybersecurity measures and proactive defense strategies to safeguard against emerging threats in the digital landscape.
As organizations continue to face evolving cyber threats, it is crucial to stay informed about the tactics employed by threat actors like the 8220 Gang and implement comprehensive security measures to mitigate the risks posed by such malicious entities.