FortiGuard Labs Threat Research
Affected platforms: Windows
Impacted parties: Any organization
Impact: Cryptojacks vulnerable systems
Severity level: Critical
Between January and February 2023, FortiGuard Labs observed a payload targeting an exploitable Oracle Weblogic Server in a specific URI. This payload extracts ScrubCrypt, which obfuscates and encrypts applications and makes them able to dodge security programs. It already has an updated version, and the seller’s webpage (Figure 1) guarantees that it can bypass Windows Defender and provide anti-debug and some bypass functions.
We analyzed the malware injected into a victim’s system and, as part of our analysis, identified the threat actor as 8220 Gang using collected indicators. This mining group first appeared in 2017. The name “8220” comes from its original use of port 8220 for network communications.
In this article, we will elaborate on the details of ScrubCrypt and other malware delivered by this crypter in the past.
Based on our observations over the past two months, these attacks originate from 163[.]123[.]142[.]210 and 185[.]17[.]0[.]19. The attackers have targeted an HTTP URI, “wls-wsat/CoordinatorPortType,” which belongs to an Oracle Weblogic server. The corresponding traffic capture is shown in Figure 2.
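One way a defender can look for this traffic in web-server access logs, as an added example that is not FortiGuard's own detection logic: it flags requests to the wls-wsat URI or from the two source addresses named above. The indicators are the article's (defanging brackets removed); the combined log format, the sample log lines, their timestamps and the two non-indicator addresses are constructed assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Indicators from the article, with the defanging brackets removed so they match real log text.
const suspectURI = "/wls-wsat/CoordinatorPortType"

var suspectIPs = map[string]bool{
	"163.123.142.210": true,
	"185.17.0.19":     true,
}

// lineRe assumes Apache/NGINX combined log format:
// client-ip ident user [timestamp] "METHOD path PROTO" status size ...
var lineRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})`)

// Hit is one access-log line that matched at least one indicator.
type Hit struct {
	IP, Method, Path, Status string
	Reasons                  []string
}

// ScanAccessLog returns every request that touches the WebLogic wls-wsat
// endpoint or comes from one of the source IPs the article reports.
func ScanAccessLog(text string) []Hit {
	var hits []Hit
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		m := lineRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue // not a combined-format line; skip rather than guess
		}
		ip, method, path, status := m[1], m[2], m[3], m[4]
		var reasons []string
		if strings.Contains(strings.ToLower(path), strings.ToLower(suspectURI)) {
			reasons = append(reasons, "WebLogic wls-wsat URI")
		}
		if suspectIPs[ip] {
			reasons = append(reasons, "known attacker source IP")
		}
		if len(reasons) > 0 {
			hits = append(hits, Hit{ip, method, path, status, reasons})
		}
	}
	return hits
}

// SampleLog is constructed for this example; the timestamps and the two
// non-indicator addresses are not from the article.
const SampleLog = `163.123.142.210 - - [10/Feb/2023:08:15:02 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 342
10.0.0.5 - - [10/Feb/2023:08:15:09 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 1204
203.0.113.7 - - [10/Feb/2023:08:16:44 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 200 0
185.17.0.19 - - [10/Feb/2023:08:17:01 +0000] "GET /index.html HTTP/1.1" 200 512`

func main() {
	for _, h := range ScanAccessLog(SampleLog) {
		fmt.Printf("%-16s %-4s %-32s %s  [%s]\n", h.IP, h.Method, h.Path, h.Status, strings.Join(h.Reasons, "; "))
	}
}
```

A request to the wls-wsat endpoint from an address that is not on the indicator list (the third sample line) is still reported, since the URI alone is the stronger signal: the source IPs change between campaigns, the exploited endpoint does not.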
The attack attempts to download a PowerShell script named “bypass.ps1”. The partial script shown in Figure 3 has had its main code and strings encoded to make it harder for antivirus solutions to detect. After three rounds of adding constants, reversing, and Base64 decoding, we finally uncovered clear text. The first variable, “$c”, contains ScrubCrypt. The detail of this variable will be discussed in the next section. The rest of the variables, from “$d” to “$f”, are for AMSI and ETW evasion, which are executed by “iex” at the end of the attack.
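The layered encoding described above can be peeled off mechanically once the per-round constants are known. The following is an added example of such an analyst's decoder, not code from the article or from the script itself: each round Base64-decodes, reverses the bytes, and subtracts the round's constant. The three offsets and the sample string are constructed; the real bypass.ps1 constants are not given on this page, and the forward transform exists only to build the sample.

```go
package main

import (
	"encoding/base64"
	"fmt"
)

// DemoOffsets are hypothetical per-round constants; the real values used by
// bypass.ps1 are not published in the article.
var DemoOffsets = []byte{3, 7, 11}

// reverseBytes returns a reversed copy of b.
func reverseBytes(b []byte) []byte {
	out := make([]byte, len(b))
	for i, c := range b {
		out[len(b)-1-i] = c
	}
	return out
}

// Deobfuscate undoes one round per offset, innermost last: Base64-decode,
// reverse, then subtract that round's constant from every byte.
func Deobfuscate(s string, offsets []byte) (string, error) {
	cur := []byte(s)
	for r := len(offsets) - 1; r >= 0; r-- {
		dec, err := base64.StdEncoding.DecodeString(string(cur))
		if err != nil {
			return "", fmt.Errorf("round %d: input is not Base64: %w", r, err)
		}
		dec = reverseBytes(dec)
		for i := range dec {
			dec[i] -= offsets[r] // byte arithmetic wraps, matching the add-constant layer
		}
		cur = dec
	}
	return string(cur), nil
}

// Obfuscate is the forward transform (add constant, reverse, Base64-encode)
// and exists only so the decoder can be exercised on a constructed sample.
func Obfuscate(s string, offsets []byte) string {
	cur := []byte(s)
	for _, off := range offsets {
		shifted := make([]byte, len(cur))
		for i, c := range cur {
			shifted[i] = c + off
		}
		cur = []byte(base64.StdEncoding.EncodeToString(reverseBytes(shifted)))
	}
	return string(cur)
}

func main() {
	// Constructed stand-in for the script's first variable; not the real payload.
	sample := "$c = 'ScrubCrypt loader stage'"
	blob := Obfuscate(sample, DemoOffsets)
	plain, err := Deobfuscate(blob, DemoOffsets)
	fmt.Printf("obfuscated: %s\nrecovered:  %s (err=%v)\n", blob, plain, err)
}
```

The decoder refuses to guess when a layer does not Base64-decode cleanly, which is the usual sign that the round count or a constant is wrong; on a real sample those values come from reading the script's own decode routine.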
After decoding “$c”, we find the script for the next step, shown in Figure 4. It has another Base64-encoded code saved in the victim’s temp folder with the filename “OracleUpdate.bat” to masquerade as a normal system file. Once the fake “update” file is decoded and saved, it executes with the Windows style “hidden” to silently load ScrubCrypt.
ScrubCrypt is a crypter used to secure applications with a unique BAT packing method. The batch file is shown in Figure 5. The encrypted data at the top can be split on the backslash character “\” into four parts. The final two parts are the key and IV for AES CBC decryption.
After Base64 decoding, AES decryption, and unzipping, we can finally see the code. The organized code in Figure 6 is a typical .NET Reflective Injection. In the last two lines of the code, the variable “$BmoFi” disables Event Tracing for Windows (ETW) by patching the EtwEventWrite function with 0xC3 (ret), and “$BbIpF” is used to invoke a .NET assembly named “ScrubCrypt” for the final payload, shown in Figure 7.
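The unpacking sequence from the two paragraphs above (split on “\”, Base64 decode, AES-CBC decrypt with the key and IV from the last two fields, decompress) as an added analyst's unpacker; this is not ScrubCrypt's code or FortiGuard's tooling. The article does not state what the first two fields hold or which compression is used, so the example assumes field 0 is the ciphertext, field 1 is unused, PKCS#7 padding, and gzip; the key, IV and payload are constructed, and the packer exists only to build the sample.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// UnpackScrubCryptBlob reverses the BAT packing the article describes: split on
// "\", Base64-decode each field, AES-CBC-decrypt field 0 with the key (field 2)
// and IV (field 3), strip PKCS#7 padding, then gunzip. Field 1 is assumed unused.
func UnpackScrubCryptBlob(blob string) ([]byte, error) {
	parts := strings.Split(blob, `\`)
	if len(parts) != 4 {
		return nil, fmt.Errorf("expected 4 backslash-separated fields, got %d", len(parts))
	}
	fields := make([][]byte, 4)
	for i, p := range parts {
		b, err := base64.StdEncoding.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("field %d is not Base64: %w", i, err)
		}
		fields[i] = b
	}
	ct, key, iv := fields[0], fields[2], fields[3]
	block, err := aes.NewCipher(key) // accepts 16/24/32-byte keys
	if err != nil {
		return nil, err
	}
	if len(iv) != aes.BlockSize || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("IV or ciphertext length is not aligned to the AES block size")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	if pt, err = pkcs7Unpad(pt); err != nil {
		return nil, err
	}
	zr, err := gzip.NewReader(bytes.NewReader(pt))
	if err != nil {
		return nil, fmt.Errorf("decrypted data is not gzip (wrong key/IV?): %w", err)
	}
	defer zr.Close()
	return io.ReadAll(zr)
}

// pkcs7Unpad validates and strips PKCS#7 padding (assumed padding scheme).
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad PKCS#7 padding")
		}
	}
	return b[:len(b)-n], nil
}

// PackForDemo builds a blob in the assumed layout so the unpacker can be run
// offline. It is a constructed test fixture, not ScrubCrypt's packer.
func PackForDemo(payload, key, iv []byte) (string, error) {
	var gz bytes.Buffer
	w := gzip.NewWriter(&gz)
	if _, err := w.Write(payload); err != nil {
		return "", err
	}
	if err := w.Close(); err != nil {
		return "", err
	}
	pt := gz.Bytes()
	pad := aes.BlockSize - len(pt)%aes.BlockSize
	pt = append(pt, bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	enc := base64.StdEncoding.EncodeToString
	return strings.Join([]string{enc(ct), enc([]byte("unused")), enc(key), enc(iv)}, `\`), nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte key
	iv := []byte("fedcba9876543210")                  // constructed 16-byte IV
	blob, _ := PackForDemo([]byte("echo constructed payload"), key, iv)
	out, err := UnpackScrubCryptBlob(blob)
	fmt.Printf("%q err=%v\n", out, err)
}
```

Because the key and IV travel inside the batch file, the encryption here buys the attacker only evasion, not confidentiality: anyone holding the file can recover the payload, which is exactly what a detection engineer wants to do before writing signatures for the inner .NET stage.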
The .NET code first modifies the extension as null, checks to see if a debugger is attached, and checks the system’s operating system version to decide whether or not to proceed. It then gets the process ID to establish a melting file (self-delete) after execution, shown in Figure 8.
Then, it determines whether the current user belongs to the Windows user group “BUILTIN\Administrators” (RID: 0x220). If the user is not in that specific group, it decodes the “UAC” data from the “Resources” section and saves it to “C:\Windows\system32\perfmon.exe”. The DLL file is shown in Figure 9. It is used to retrieve username information from the compromised endpoint. It then decodes the PowerShell command “cmd /c timeout /t 3 /nobreak & "C:\Windows\System32\perfmon.exe"” to pause the command processor for three seconds, ignore any keystrokes, and execute the DLL.
Next, it enumerates the driver in the system to bypass scans from Windows Defender using the command in Figure 10.
For persistence, it grabs registry values from “Run” and “RunOnce” to determine if this .NET file is already set. If not, it saves the .NET file to a “Roaming” folder named “BSLkE.bat” and adds a registry value to run a VBS file with the content shown in Figure 11.
Finally, it decodes data “P” from the “Resources” section using the XOR key in Figure 12 and unzips it. Then it loads the decoded data named “miner” in memory and invokes the payload, as shown in Figure 13.
We collected several ScrubCrypt samples in February, and each payload is a little different. On 2/14, ScrubCrypt loads “miner” and invokes the process “explorer.exe” to start the miner process to server 45[.]142[.]122[.]11:8080, shown in Figures 14 and 15. This IP address and wallet were used for the 8220 Gang attack in January 2023.
On 2/15, ScrubCrypt extracted “bat”, which unzipped its array data and used “InvokeMember” to execute “Eoengmvsg.dll”, shown in Figure 16. It decodes the three C2 servers and three port numbers shown in Figure 17.
Once the victim device receives the C2 server’s packets, it downloads another three files from 79[.]137[.]203[.]156, shown in Figure 18. The first, “miner.bat”, is a ScrubCrypt BAT file. The other two files are compressed PE files: “plugin_3.dll” and “plugin_4.dll” (Figure 19). They exhibit behavior similar to that described in this previous article.
On 2/16, ScrubCrypt loaded a module also named “bat”, as shown in Figure 20, but the data it unzips comes from its “Resources” section. It communicates with the same C2 server and downloads two files from 163[.]123[.]142[.]210. These files are also compressed PE files named “plugin_3.dll” and “plugin_4.dll”. They are identical to the files from 2/15 and start crypto miner activity using the same configuration, as shown in Figure 21.
The crypto wallet address, 46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ, and the server IP address used by the Monero miner have all been used by the 8220 Gang in the past. This is why we believe the whole attack was launched by this threat actor, although the port number used is no longer 8220.
8220 Gang is a well-known miner group that usually leverages public file-sharing websites and targets system vulnerabilities to infiltrate a victim’s environment. Within a very short time, it has evolved to use a newer crypter variant, “ScrubCrypt.” Below is its complete attack chain. ScrubCrypt includes evasion and encryption functions, making it harder for anti-virus programs to detect 8220 Gang activity. Users should be aware of this updated crypter and keep their systems patched.
The malware described in this report is detected and blocked by FortiGuard Antivirus as:
The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR, and the Fortinet AntiVirus engine is a part of each of those solutions. Customers running current AntiVirus updates are protected.
The FortiGuard Web Filtering Service blocks the malicious URL and IP address.
If you think this or any other cybersecurity threat has impacted your organization, contact our Global FortiGuard Incident Response Team.
Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard AI-powered security services portfolio.