Old Cyber Gang Uses New Crypter – ScrubCrypt

Affected platforms: Windows
Impacted parties: Any organization
Impact: Cryptojacks vulnerable systems
Severity level: Critical

Between January and February 2023, FortiGuard Labs observed a payload targeting an exploitable Oracle Weblogic Server in a specific URI. This payload extracts ScrubCrypt, which obfuscates and encrypts applications and makes them able to dodge security programs. It already has an updated version, and the seller’s webpage (Figure 1) guarantees that it can bypass Windows Defender and provide anti-debug and some bypass functions.

We analyzed the malware injected into a victim’s system and, as part of our analysis, identified the threat actor as 8220 Gang using collected indicators. This mining group first appeared in 2017. The name “8220” comes from its original use of port 8220 for network communications.

In this article, we will elaborate on the details of ScrubCrypt and other malware delivered by this crypter in the past.

Initial access

Based on our observations over the past two months, these attacks originate from 163[.]123[.]142[.]210 and 185[.]17[.]0[.]19. The attackers have targeted an HTTP URI, “wls-wsat/CoordinatorPortType,” which belongs to an Oracle Weblogic server. The corresponding traffic capture is shown in Figure 2.

The attack attempts to download a PowerShell named “bypass.ps1”. The partial PowerShell script, “bypass.ps1,” shown in Figure 3, has had its main code and strings encoded to make it harder to be detected by AntiVirus solutions. After three rounds of adding constants, reversing, and Based64 decoding, we finally uncovered clear text. The first variable, “$c”, contains ScrubCrypt. The detail of this variable will be discussed in the next section. The rest of the variables, from “$d” to “$f”, are for AMSI and ETW evasion, which is executed by “iex” at the end of the attack.

After decoding “$c”, we find the script for the next step, shown in Figure 4. It has another Base64-encoded code saved in the victim’s temp folder with the filename “OracleUpdate.bat” to masquerade as a normal system file. Once the fake “update” file is decoded and saved, it executes with the Windows style “hidden” to silently load ScrubCrypt.

Technical analysis – the ScrubCrypt .BAT file

ScrubCrypt is a crypter used to secure applications with a unique BAT packing method. The batch file is shown in Figure 5. The encrypted data at the top can be split into four parts using backslash “\”. The final two parts are the key and iv for AES CBC decryption.

After Base64 decode, AES decryption, and unzip, we can finally see the code. The organized code in Figure 6 is a typical .NET Reflective Injection. In the last two lines of the code, the variable “$BmoFi” disables Event Tracing for Windows (ETW) by patching the EtwEventWrite function with 0xC3 (ret), and “$BbIpF” is used to invoke a .NET named “ScrubCrypt” for the final payload, shown in Figure 7.

Technical analysis – the ScrubCrypt .NET file

The .NET code first modifies the extension as null, checks to see if a debugger is attached, and checks the system’s operating system version to decide whether or not to proceed. It then gets the process ID to establish a melting file (self-delete) after execution, shown in Figure 8.

Then, it determines whether the current user belongs to the Windows user group “BUILTIN\Administrators” (RID: 0x220). If the user is not in that specific group, it decodes the “UAC” data from the “Resources” section and saves it to “C:\Windows\system32\perfmon.exe”. The DLL file is shown in Figure 9. It is used to retrieve username information from the compromised endpoint. It then decodes the PowerShell command: “cmd /c timeout /t 3 /nobreak & “C:\Windows\System32\perfmon.exe”” to pause the command processor for three seconds, ignore any keystrokes, and execute the DLL.

Next, it enumerates the driver in the system to bypass scans from Windows Defender using the command in Figure 10.

For persistence, it grabs registry values from “Run” and “RunOnce” to determine if this .NET file is already set. If not, it saves the .NET file to a “Roaming” folder named “BSLkE.bat” and adds a registry value to run a VBS file with the content shown in Figure 11.

Finally, it decodes data “P” from the “Resources” section using the XOR key in Figure 12 and unzips it. Then it loads the decoded data named “miner” in memory and invokes the payload, as shown in Figure 13.

Technical analysis – final payload

We collected several ScrubCrypt samples in February, and each payload is a little different. On 2/14, ScrubCrypt loads “miner” and invokes the process “explorer.exe” to start the miner process to server 45[.]142[.]122[.]11:8080, shown in Figures 14 and 15. This IP address and wallet were used for the 8220 Gang attack in January 2023.

On 2/15, ScrubCrypt extracted “bat”, which unzipped its array data and used “InvokeMember” to execute “Eoengmvsg.dll”, shown in Figure 16. It decodes the three C2 servers and three port numbers shown in Figure 17.  

Once that victim device receives the C2 server’s packets, it downloads another three files from 79[.]137[.]203[.]156, shown in Figure 18. The first, “miner.bat”, is a ScrubCrypt BAT file. The other two files are compressed PE files: “plugin_3.dll” and “plugin_4.dll” (Figure 19). They exhibit behavior similar to that described in this previous article.

On 2/16, ScrubCrypt loaded a module also named “bat’, as shown in Figure 20, but the data for its unzip is from its “Resources” section. It communicates with the same C2 server, and downloads two files from 163[.]123[.]142[.]210. These files are also compressed PE files named “plugin_3.dll” and “plugin_4.dll”. They are identical to the files from 2/15 and start crypto miner activity using the same configuration, as shown in Figure 21.

The crypto wallet address, 46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ, and the server IP address used in Monero miner have all been used by the 8220 Gang in the past. It’s why we believe the whole attack was launched by this threat actor, although the port number used is no longer 8220.

Conclusion

8220 Gang is a well-known miner group that usually leverages public file-sharing websites and targets system vulnerabilities to infiltrate a victim’s environment. Within a very short time, it has evolved to use a newer crypter variant, “ScrubCrypt.” Below is its complete attack chain. ScrubCrypt includes evasion and encryption functions, making it harder for anti-virus programs to detect 8220 Gang activity. Users should be aware of this updated crypter and keep their systems patched.

Fortinet Protections

The malware described in this report are detected and blocked by FortiGuard Antivirus as:

PowerShell/Agent.YX!tr

BAT/ScrubCrypt.A!tr

MSIL/ScrubCrypt.AHRI!tr

MSIL/Agent.DUD!tr

MSIL/Agent.AHZU!tr

MSIL/GenKryptik.FYKQ!tr

MSIL/GenKryptik.GGHT!tr

MSIL/Agent.OBB!tr.dldr

Riskware/CoinMiner

The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR, and the Fortinet AntiVirus engine is a part of each of those solutions. Customers running current AntiVirus updates are protected.

The FortiGuard Web Filtering Service blocks the malicious URL and IP address.

If you think this or any other cybersecurity threat has impacted your organization, contact our Global FortiGuard Incident Response Team.

IOCs

URLs:

su-95[.]letmaker[.]top

work[.]letmaker[.]top

IP Address:

163[.]123[.]142[.]210

185[.]17[.]0[.]19

79[.]137[.]203[.]156

209[.]141[.]38[.]219

45[.]142[.]122[.]11

179[.]43[.]155[.]202

Files:

d9e7d3dbb299f76bb8a84e3b72cc8e78e86ea90e2dc777cdcfd51dbd10657f47

179be54b3c2e29571fec9dcd16781eee3ce997c5352d9cce4834a10fc11d636b

20a8278b25d5c27e861dc5188f9ffd40fc45db4131245ce1020c6fa9909841d1

3422e84ca8e1ce5b106415d074667721772a7a8e9de3cd911665bad42145926c

a9d0af5af4cebbcce59ad5ef823a8d0ec71147799692c03be784f9e1670467ca

84f8580343323b8534d2321c1b8789df544c4941e12d8dfa5a1fbcd201b97e72

15cc89335d137fde5c61e540cd1c77718653ed7f359b206aeb85f25e5928096a

57223450820cbe9cf5779083b7d85c440bb8b529505c55579bfcc5816bf5c80a

9e2ddef83a3043de6a1f655a556fe3eca522656ad5e6056dd92ad13fa354b32f

4d3be48fd3dde635cccd87a9925749c5a166e9b52026b5277883c7f3ab50c520

55ba36d2ee2c5359dec3a425d27df9c3fb1ddede8cef74fd0bd69d38434609fd

2ad4c954313fe912a64c4116bf7ec5cbd2e6e3a88979f7b7c2863ca21ffc9dd9

0159c3b4fdff4ba89ff9e56bf2cdcdc8aaaa35d1fa4661288225e3701f8569b5

b3ceead8490dd68c344d5b009a8bf17ed7d24499a9d66dc3493033b5696f6632

13a11140bc0c62fbc8a364f71dfdf91a3ef321bb8c9c212b3af5eb576488a95e

0767cfa1fb304ba5ef61d25ddc580cf82170b84e6a04c856e84c6ad3ad98dc92

922c114c3a7f69b3210624f3e267cfc330969d17c5813cd328557b1476ef1858

21326ecbb4cf7fef735e04f8e51efd7c861f883844e22050eab8615c7605b2f5

e6834bbc9946e79f8888d30e52ae72552c37f160a8e6ce3f56ae5a88ed190e91

d6150fd4d9616788fcb6f765ab5052669feaf90ac926ad42a59f3abf4871edb8

4e46e6ca8c993761238af82e33a98aee97e80a3c8c80d418fb410e9556788d97

a12c34fef1d6475d99aa9af2e8bf1fd55bca83982a0ee2a9131ffd9fd15cb2a7

b62ea075cfc99980488bc206cba24ffcd4faccd8b1a80aec27d9d444c430095d

283db6a012cb9183f45674cb43303fa9b6c9a7ebab41c821dc0cc122ad3bb43

Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard AI-powered security services portfolio.