8220 Gang used new ScrubCrypt crypter in recent cryptojacking attacks

A threat actor tracked as 8220 Gang has been spotted using a new crypter called ScrubCrypt in cryptojacking campaigns.

Fortinet researchers observed the mining group 8220 Gang using a new crypter called ScrubCrypt in cryptojacking attacks.

“Between January and February 2023, FortiGuard Labs observed a payload targeting an exploitable Oracle Weblogic Server in a specific URI.” reads the analysis published by Fortinet. “This payload extracts ScrubCrypt, which obfuscates and encrypts applications and makes them able to dodge security programs. It already has an updated version, and the seller’s webpage (Figure 1) guarantees that it can bypass Windows Defender and provide anti-debug and some bypass functions.”

The group is known for exploiting publicly disclosed vulnerabilities to compromise targets.

Between January and February, the experts observed attacks originating from 163[.]123[.]142[.]210 and 185[.]17[.]0[.]19 that targeted an HTTP URI, “wls-wsat/CoordinatorPortType.” This URI belongs to an Oracle Weblogic server.

Upon successful exploitation of vulnerable Oracle WebLogic servers, it will download a PowerShell script, named “bypass.ps1,” which contains the ScrubCrypt crypter.

The PowerShell script is encoded to avoid detection by AntiVirus solutions.

The ScrubCrypt crypter is available for sale on hacking forums, it allows securing applications with a unique BAT packing method.

The experts noticed that encrypted data at the top can be split into four parts using backslash “\”. The final two parts are the key and initial value for AES CBC decryption.

The attribution of the attacks to the 8220 Gang is also based on the crypto wallet address used in the recent campaigns and the server IP address used in the Monero miner.

“The crypto wallet address, 46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ, and the server IP address used in Monero miner have all been used by the 8220 Gang in the past.” concludes the report. “It’s why we believe the whole attack was launched by this threat actor, although the port number used is no longer 8220.”

“8220 Gang is a well-known miner group that usually leverages public file-sharing websites and targets system vulnerabilities to infiltrate a victim’s environment. Within a very short time, it has evolved to use a newer crypter variant, “ScrubCrypt.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ScrubCrypt)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.