8220 Gang Behind ScrubCrypt Attack Targeting Oracle WebLogic Server

The threat actor known as “8220 Gang” has been associated with a new payload that targets an exploitable Oracle WebLogic Server through a specific Uniform Resource Identifier (URI).

The payload, analyzed by Fortinet security researchers, is characterized by the extraction of ScrubCrypt, a type of malware designed to obfuscate and encrypt applications with the goal of evading detection by security programs.

“We analyzed the malware injected into a victim’s system and, as part of our analysis, identified the threat actor as 8220 Gang using collected indicators,” wrote Fortinet senior antivirus analyst Cara Lin in Wednesday’s advisory. “This mining group first appeared in 2017. The name ‘8220’ comes from its original use of port 8220 for network communications.”

According to Lin, ScrubCrypt has already been updated at least once. Its creators guarantee that the malware can bypass Windows Defender and that it provides anti-debug and some bypass functions.

“We collected several ScrubCrypt samples in February, and each payload is a little different,” the malware analyst wrote, adding that the attacks observed by Fortinet occurred between January and February 2023.

Further, the security expert said that both the crypto wallet address used in these attacks and the server IP address used in the Monero miner had been used by the 8220 Gang in the past, making the link to the threat group possible (despite the port number used for attacks no longer being 8220).

“8220 Gang is a well-known miner group that usually leverages public file-sharing websites and targets system vulnerabilities to infiltrate a victim’s environment,” Lin added.

“Within a very short time, it has evolved to use a newer crypter variant [that] includes evasion and encryption functions, making it harder for antivirus programs to detect 8220 Gang activity. Users should be aware of this updated crypter and keep their systems patched.”

The threat actor’s activity was also observed by Microsoft last year, with the tech giant issuing a warning against the 8220 Gang in July 2022.
