Happy Friday everyone!
#Cryptominers and #CVE20173506 is featured in today's #readoftheday! Trend Micro takes us through a riveting tale where the protagonist, #WaterSigbin, abuses a vulnerability in Oracle WebLogic Servers. After exploitation, a Base64-encoded payload is run that drops the initial stage loader named "wireguard2-3.exe", which masquerades itself as a legitimate VPN technology to help with it's defense evasion. It also plays a role in getting the attack to the next stages which involve DLL-reflection, C2 communication, and finally the #XMRig cyrptominer.
Significant details that are included is a scheduled task created for Windows Defender exclusion, some discovery using WMI, and another scheduled task for persistence. As usual, I am not going to spoil it all, go and have a read for yourself! Enjoy and Happy Hunting!
Notable MITRE ATT&CK TTPs (thanks to the authors):
TA0001 - Initial Access
T1190 - Exploit Public-Facing Application
TA0002 - Execution
T1059.001 - Command and Scripting Interpreter: PowerShell
T1047 - Windows Management Instumentation
TA0005 - Defense Evasion
T1620 - Reflective Code Loading
T1036.005 - Masquerading: Match Legitimate Name or Location
T1562.001 - Impair Defenses: Disable or Modify Tools
TA0003 - Persistence
T1053.005 - Scheduled Task/Job: Scheduled Task
TA0011 - Command And Control
T1571 - Non-Standard Port
T1071 - Application Layer Protocol
TA0007 - Discovery
T1057 - Process Discovery
T1012 - Query Registry
Examining Water Sigbin's Infection Routine Leading to an XMRig Cryptominer
https://www.trendmicro.com/en_us/research/24/f/water-sigbin-xmrig.html
Intel 471 #CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #gethunting
"All You Need to Know About Emotet in 2022"
#Emotet #malware > #XMRig #CobaltStrike #IcedID #exploitkit #trojan
#cybersecurity #infosec #TTP #IoC
https://thehackernews.com/2022/11/all-you-need-to-know-about-emotet-in.html