ScrubCrypt Attack Detection

Threat actors tracked as 8220 Gang have been observed leveraging a new crypter called ScrubCrypt, which targets Oracle WebLogic servers. According to cybersecurity researchers, the infection chain starts with the successful exploitation of vulnerable Oracle WebLogic servers and leads to the spread of ScrubCrypt by downloading a PowerShell script.

Detect ScrubCrypt Attacks Targeting Oracle Weblogic Servers

In view of the constantly growing volume and sophistication of cryptomining campaigns, organizations are looking for a reliable way to detect cyber attacks at the earliest stages of their development. The latest 8220 Gang operations expose Oracle WebLogic servers to ScrubCrypt infection, posing an increasing menace to cyber defenders due to the use of multiple anti-analysis and evasive techniques.

To help organizations proactively detect malicious activity associated with ScrubCrypt infections, SOC Prime's Detection as Code Platform offers a new Sigma rule by our keen Threat Bounty developer Aytek Aytemur.

Suspicious PowerShell Commands to Execute Malicious DLL by ScrubCrypt Malware (via cmdline)

The rule above detects suspicious PowerShell commands used to pause the command processor, ignore any keystrokes, and execute the DLL in the course of ScrubCrypt malware attacks. The detection is aligned with the MITRE ATT&CK framework v12, addressing the Execution and Defense Evasion tactics with Command and Scripting Interpreter (T1059) and Process Injection (T1055) applied as primary techniques. The Sigma rule can be automatically translated into 22 SIEM, EDR, and XDR solutions, shaving seconds off cross-platform threat detection.
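To show how a cmdline-based Sigma detection of this kind is evaluated, here is an added example that is not the SOC Prime rule or its actual selection logic: it expresses a comparable Sigma-style rule in Python and runs it over constructed Windows process-creation events. The indicator strings (timeout /nobreak for pausing while ignoring keystrokes, and a DLL load via reflection or rundll32) are assumptions chosen for illustration.

```python
# Hypothetical Sigma-style rule (assumption; not the published SOC Prime rule).
RULE = {
    "title": "Suspicious PowerShell Commands to Execute a DLL (cmdline)",
    "logsource": {"product": "windows", "category": "process_creation"},
    "selection_image": {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"]},
    # Pause the command processor while ignoring keystrokes (assumed indicator).
    "selection_pause": {"CommandLine|contains|all": ["timeout", "/nobreak"]},
    # DLL execution from the same command line (assumed indicators).
    "selection_dll": {"CommandLine|contains": [".dll", "[Reflection.Assembly]::Load", "rundll32"]},
    "condition": "selection_image and selection_pause and selection_dll",
}


def _field_match(event: dict, key: str, values: list) -> bool:
    """Evaluate one Sigma field spec such as 'CommandLine|contains|all'."""
    field, *mods = key.split("|")
    value = str(event.get(field, "")).lower()  # Sigma string matching is case-insensitive
    values = [str(v).lower() for v in values]
    if "endswith" in mods:
        hits = [value.endswith(v) for v in values]
    elif "contains" in mods:
        hits = [v in value for v in values]
    else:
        hits = [value == v for v in values]
    return all(hits) if "all" in mods else any(hits)


def _selection_match(event: dict, selection: dict) -> bool:
    return all(_field_match(event, k, v) for k, v in selection.items())


def rule_matches(event: dict, rule: dict = RULE) -> bool:
    """True when every selection named in the (AND-only) condition matches the event."""
    return all(_selection_match(event, rule[name]) for name in rule["condition"].split(" and "))


# Constructed process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -c \"timeout /t 5 /nobreak; "
                    "[Reflection.Assembly]::Load([IO.File]::ReadAllBytes('C:\\Users\\Public\\a.dll'))\""},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Get-Process"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c timeout /t 5 /nobreak & rundll32 x.dll,Start"},
]


def detect(events: list) -> list:
    """Return the command lines of all events that trigger RULE."""
    return [e["CommandLine"] for e in events if rule_matches(e)]
```

Only the first constructed event matches: the second has no pause, and the third runs under cmd.exe rather than PowerShell, which is why the condition combines all three selections.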

Striving to master your Sigma and ATT&CK knowledge while polishing detection engineering skills? Excited about gaining recognition among industry peers and coding your CV for future employers? Join our Threat Bounty Program to share your Sigma rules with 33K+ experts of the global cyber defender community, get your code verified by experts in the field, and gain financial benefits while making the world a safer place.

To be fully equipped with detection content against cryptomining malware samples, hit the Explore Detections button and access the extensive list of relevant rules enriched with CTI, ATT&CK references, and other actionable operational metadata to foster streamlined threat investigation.


ScrubCrypt Malware Distribution: Cryptojacking Attack Analysis

FortiGuard Labs researchers have been keeping a close eye on the ongoing cryptojacking operations of the 8220 Gang since the beginning of 2023, in which threat actors leverage a novel malware strain dubbed ScrubCrypt. ScrubCrypt is a crypter used to obfuscate and protect applications through a custom BAT packing method.

Threat actors behind these cryptojacking attacks belong to an infamous cryptocurrency miner hacking collective known as 8220 Gang. They use a malicious PowerShell script to exploit Oracle WebLogic servers via a specific HTTP URI and drop ScrubCrypt, which obfuscates the payload, on the compromised instances. The malware leverages detection evasion techniques and sophisticated encryption functions, and is capable of bypassing a set of anti-malware analysis capabilities, which poses a challenge to cyber defenders.

ScrubCrypt malware operators have been in the limelight in the cyber threat arena since 2017, primarily making use of public file-sharing websites. The group received its moniker due to its original use of port 8220 for network communications. 8220 Gang activity mainly targets cloud network users, including AWS and Azure customers who run unpatched Linux applications; in the latest cryptojacking campaigns, however, the threat actors have turned their attention to hosts protected by Windows Defender. In mid-summer 2022, 8220 Gang, aka 8220 Mining Group, exploited a novel iteration of the IRC botnet and the PwnRig cryptocurrency miner, and has been experimenting with new crypters since the beginning of its malicious activity.

Due to the increasing numbers of attacks leveraging cryptocurrency miners, security professionals are looking for new ways to enhance cyber defense capabilities and remediate the related threats. Equip your teams with better tooling and instantly access Sigma rules to detect current and emerging cryptojacking attacks and translate them in a matter of seconds into 27+ SIEM, EDR, and XDR solutions via Uncoder.IO — for free and without registration — shaving seconds off your daily SOC operations.
