Fortinet researchers have reported that the 8220 Gang has begun using a new crypter, ScrubCrypt, in cryptojacking attacks.
The group is known for exploiting publicly disclosed vulnerabilities to compromise targets, and in January and February 2023, the researchers observed attacks targeting an exploitable Oracle WebLogic Server.
The ScrubCrypt crypter obfuscates and encrypts applications to bypass security programs, and its unique BAT packing method is available for sale on hacking forums.
The researchers attributed the attacks to the 8220 Gang based on the crypto wallet address and server IP address used in the Monero miner, which have been used by the group in the past.
According to the report, ScrubCrypt is marketed as a tool to secure applications, and its output is encoded to avoid detection by antivirus solutions. The researchers noted that the encrypted data can be split into four parts using a backslash as the delimiter, with the final two parts serving as the key and the initialization vector (IV) for AES-CBC decryption.
The group has evolved rapidly, moving from hosting its payloads on public file-sharing websites while targeting vulnerabilities to using the ScrubCrypt crypter. The report concludes that the entire attack was launched by the 8220 Gang, even though the port number used is no longer 8220.
Organizations are encouraged to stay vigilant in monitoring their systems and applying patches to vulnerabilities promptly to reduce the risk of being targeted by the 8220 Gang or other threat actors.
Additionally, it is essential to have robust cybersecurity measures in place, such as firewalls and intrusion detection systems, to prevent or mitigate the impact of attacks.
Keeping antivirus solutions updated and regularly scanning systems for threats is also crucial in protecting against cryptojacking attacks.