Between January and February 2023, FortiGuard Labs observed a payload targeting a vulnerable Oracle WebLogic Server at a specific URI.
This payload extracts ScrubCrypt, a crypter that obfuscates and encrypts applications so that they can evade security products. An updated version is already available, and the seller's webpage (Figure 1) claims that it can bypass Windows Defender and provides anti-debugging and other bypass functions.
We analyzed the malware injected into a victim's system and, based on the indicators we collected, identified the threat actor as 8220 Gang. This cryptomining group first appeared in 2017. The name "8220" comes from its original use of port 8220 for network communications.