From 68d61732d104de3a8989312a37d201f28b3c0145 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 8 Jul 2024 02:28:35 -0700
Subject: [PATCH] [threat-actors] Add Water Sigbin
---
 clusters/threat-actor.json | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0f12c5a..c999330 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16336,6 +16336,27 @@
 },
 "uuid": "895548a2-e5c7-4a76-8425-19aa077db200",
 "value": "CloudSorcerer"
+ },
+ {
+ "description": "The 8220 Gang, also known as Water Sigbin, is a threat actor group that focuses on deploying cryptocurrency-mining malware. They exploit vulnerabilities in Oracle WebLogic servers, such as CVE-2017-3506 and CVE-2023-21839, to deliver cryptocurrency miners using PowerShell scripts. The group has demonstrated a sophisticated multistage loading technique to deploy the PureCrypter loader and XMRIG crypto miner. They are known for using obfuscation techniques, such as hexadecimal encoding and code obfuscation, to evade detection and compromise systems.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/24/f/water-sigbin-xmrig.html",
+ "https://www.trendmicro.com/en_us/research/24/e/decoding-8220-latest-obfuscation-tricks.html",
+ "https://www.uptycs.com/blog/8220-gang-cryptomining-cloud-based-infrastructure-cyber-threat",
+ "https://www.imperva.com/blog/imperva-detects-undocumented-8220-gang-activities/",
+ "https://asec.ahnlab.com/en/51568/",
+ "https://www.trendmicro.com/en_us/research/23/e/8220-gang-evolution-new-strategies-adapted.html",
+ "https://blog.aquasec.com/8220-gang-confluence-vulnerability-cve-2022-26134",
+ "https://www.sentinelone.com/blog/from-the-front-lines-8220-gang-massively-expands-cloud-botnet-to-30000-infected-hosts/"
+ ],
+ "synonyms": [
+ "8220 Gang"
+ ]
+ },
+ "uuid": "745fd45f-9076-4c88-a977-01940bc0d36e",
+ "value": "Water Sigbin"
 }
 ],
 "version": 312
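Review bot: The cluster `version` in the trailing context line (`"version": 312`) is left unchanged although a new cluster entry is added; MISP galaxy consumers only re-import a cluster when its version increases, so this entry would not propagate to instances that already hold 312 — bump it to `"version": 313` in the same commit. The new entry's `value` is "Water Sigbin" while its description opens with "The 8220 Gang", and the refs are almost all 8220 Gang write-ups; if the file already carries an 8220 Gang entry elsewhere (outside this hunk) this would create a duplicate cluster and should instead be merged into it or cross-linked through a `related` list. The `country` value "CN" is an attribution claim, so it is worth confirming that at least one of the listed refs states it rather than inferring it from the operator's infrastructure. The enclosing `values` array and the top-level object begin and end outside the hunk.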