Happy Friday everyone!

#Cryptominers and #CVE20173506 is featured in today's #readoftheday! Trend Micro takes us through a riveting tale where the protagonist, #WaterSigbin, abuses a vulnerability in Oracle WebLogic Servers. After exploitation, a Base64-encoded payload is run that drops the initial stage loader named "wireguard2-3.exe", which masquerades itself as a legitimate VPN technology to help with it's defense evasion. It also plays a role in getting the attack to the next stages which involve DLL-reflection, C2 communication, and finally the #XMRig cyrptominer.

Significant details that are included is a scheduled task created for Windows Defender exclusion, some discovery using WMI, and another scheduled task for persistence. As usual, I am not going to spoil it all, go and have a read for yourself! Enjoy and Happy Hunting!

Notable MITRE ATT&CK TTPs (thanks to the authors):
TA0001 - Initial Access
T1190 - Exploit Public-Facing Application

TA0002 - Execution
T1059.001 - Command and Scripting Interpreter: PowerShell
T1047 - Windows Management Instumentation

TA0005 - Defense Evasion
T1620 - Reflective Code Loading
T1036.005 - Masquerading: Match Legitimate Name or Location
T1562.001 - Impair Defenses: Disable or Modify Tools

TA0003 - Persistence
T1053.005 - Scheduled Task/Job: Scheduled Task

TA0011 - Command And Control
T1571 - Non-Standard Port
T1071 - Application Layer Protocol

TA0007 - Discovery
T1057 - Process Discovery
T1012 - Query Registry

Examining Water Sigbin's Infection Routine Leading to an XMRig Cryptominer
https://www.trendmicro.com/en_us/research/24/f/water-sigbin-xmrig.html

Intel 471 #CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #gethunting