Vulnerable Oracle WebLogic servers are being subjected to cryptojacking attacks by the cryptomining operation 8220 Gang using the ScrubCrypt crypter, reports The Hacker News.
Aside from evading Windows Defender protections, ScrubCrypt also includes anti-debugging and virtual-machine detection capabilities, according to a report from Fortinet FortiGuard Labs. ScrubCrypt then decodes the miner payload and its loader, which start the mining process.
"ScrubCrypt is a crypter used to secure applications with a unique BAT packing method. The encrypted data at the top can be split into four parts using backslash '\'," said researcher Cara Lin.
The Fortinet report comes after the 8220 Gang, which is known for exploiting publicly disclosed flaws in its operations, was reported by Sysdig to have compromised Apache and Oracle WebLogic servers to deploy the XMRig miner between November 2022 and January 2023.
Separately, in January other threat actors leveraged Microsoft Excel documents laced with malicious VBA macros to carry out Monero-mining cryptojacking attacks.