{
	"id": "2be054cb-1e06-4928-812a-74c29edc35f9",
	"created_at": "2026-04-06T00:18:41.873339Z",
	"updated_at": "2026-04-10T03:30:57.388154Z",
	"deleted_at": null,
	"sha1_hash": "3d6f14c33e71f44bea4cd45c01d3adbc02bf919a",
	"title": "8220 Gang Evolves With New Strategies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3580936,
	"plain_text": "8220 Gang Evolves With New Strategies\r\nBy: Sunil Bharti May 16, 2023 Read time: 5 min (1223 words)\r\nPublished: 2023-05-16 · Archived: 2026-04-05 13:42:14 UTC\r\nExploits \u0026 Vulnerabilities\r\nWe observed the threat actor group known as “8220 Gang” employing new strategies for their respective campaigns, including exploits for the Linux utility “lwp-download” and CVE-2017-3506, an Oracle WebLogic vulnerability.\r\nUpdate as of 7/25/2023 3:40PM PHT: Updated the indicators of compromise.\r\n8220 Gang (also known as “8220 Mining Group,” derived from their use of port 8220 for command and control or C\u0026C communications exchange) has been active since 2017 and continues to scan for vulnerable applications in cloud and container environments. Researchers have documented this group targeting Oracle WebLogic, Apache Log4j, and Atlassian Confluence vulnerabilities, as well as misconfigured Docker containers, to deploy cryptocurrency miners on both Linux and Microsoft Windows hosts. The group was documented to have used Tsunami malware, XMRIG cryptominer, masscan, and spirit, among other tools, in their campaigns.\r\nLooking at other researchers’ documentation on the gang’s recent activities, it appears that the threat actor has been active in recent months. This article explores a recent attack observed exploiting the Oracle WebLogic vulnerability CVE-2017-3506, captured by one of our honeypots. This vulnerability, with a CVSS score of 7.4, impacts the WLS Security Component of Oracle WebLogic, and when exploited can enable attackers to execute arbitrary commands remotely through an HTTP request with a specifically crafted XML document. This allows attackers to gain unauthorized access to sensitive data or compromise the entire system.\r\nEntry point\r\nhttps://www.trendmicro.com/en_us/research/23/e/8220-gang-evolution-new-strategies-adapted.html\r\nPage 1 of 8\r\nFigure 1. Exploiting CVE-2017-3506\r\nAttackers exploited the HTTP URI (Uniform Resource Identifier) \"wls-wsat/CoordinatorPortType\" as an entry point to target an Oracle WebLogic server leveraging the CVE-2017-3506 vulnerability.\r\nFigure 2. POST request to vulnerable resource\r\nOn entry, 8220 Gang delivered a PowerShell script that downloads and creates other dropper files using the said six-year-old vulnerability. In recent attacks, we also observed the group using “lwp-download,” a Linux utility for downloading a file specified by a URL. In this entry, we detail another routine targeting Windows systems.\r\nFigure 3. Use of the lwp-download utility\r\nInfection routine\r\nThe attack payload executes a PowerShell command encoded using Base64. Upon decoding, it executes a command that opens a hidden PowerShell window (-NonI -W Hidden) with no profile loaded (-NoP), and bypasses execution policies (-Exec Bypass). The decoded command downloads and executes a PowerShell script from http[:]//185[.]17[.]0[.]199/bypass.ps1 without displaying any visible output to the user. The Base64-encoded string downloads a PowerShell script, “bypass.ps1.”\r\nFigure 4. Attack payload\r\nFigure 5. URL after Base64 decoding\r\nFigure 6. Process flow of bypass.ps1\r\nThe PowerShell script decodes multiple Base64-encoded byte arrays to create another obfuscated PowerShell script in memory and executes it using the “iex” (Invoke-Expression) cmdlet.\r\nFigure 7. Contents of the bypass.ps1 PowerShell script\r\nAll the variables assigned to byte arrays contain Base64-encoded strings (in this case, the $c byte array). These byte arrays are used later in the script for deobfuscation purposes. Once computation is done for the $cc variable, it stores the decoded value of the $c byte array, which is the PowerShell script that gets executed in memory without writing the script to disk. Decoding the $c variable as ASCII yields the $cc variable, which is then executed as a PowerShell script.\r\nThe new PowerShell script performs the following tasks:\r\n1. It disables AMSI detection. The code sets the value of the “amsiInitFailed” field of the \u003cSystem.Management.Automation.AmsiUtils\u003e class to “True” to achieve AMSI unhooking so that no scanning action will be done for the current process. To update the value of “amsiInitFailed,” it uses .NET reflection to assign a value of “True,” as observed in the bypass command.\r\nFigure 8. AMSI detection bypass\r\n2. After disabling AMSI detection, it defines the path to write the malicious binary file into the Windows “temp” directory.\r\nFigure 9. Malicious binary path\r\n3. Next, it writes the binary file to the path specified in the “$eXE_PaTh” variable. This code section decodes the Base64 string into a byte array, which is the binary code, and uses the .NET class System.IO to write the binary file to disk.\r\nFigure 10. Binary file write to disk\r\n4. At the end of the script, PowerShell executes the newly written binary file in the Windows “temp” directory using the “-WindowStyle Hidden” parameter in the command, without displaying any user interface.\r\nFigure 11. Binary execution\r\nThe file \"Winscp-setup-1867.exe\" is responsible for downloading the file \"Ebvjmba.dat\" by continuously sending GET requests to its server http[:]//79[.]137[.]203[.]156/Ebvjmba.dat. After executing Winscp-setup-1867.exe, a DLL file contacts the file server to download the DAT file dropper from 79[.]137[.]203[.]156, which is an IP address we determined to be the C\u0026C server. The DLL file uses the .NET Framework's “HttpClient” class to send an HTTP GET request to the specified asset URL.\r\nFigure 12. Function that downloads the DAT file, shown as .NET code from the disassembler\r\nFigure 13. Network traffic capture of file download\r\nThis dropper only contains a Base64-encoded string of binary code in reverse, to evade detection.\r\nFigure 14. Binary in reverse (top) and when decoded (bottom)\r\nFigure 15. Function reversing the byte array to form the correct binary\r\nThe newly created .dll file is an encrypted resource file that is injected into the MSBuild process. The file is meticulously obfuscated, adding an extra layer of complexity for analysts. After inspecting the process’ memory, we found that the configuration information of the injected payload is Base64-encoded and that the new process communicates with one of three C\u0026Cs using TCP ports 9090, 9091, or 9092 to download a cryptocurrency miner:\r\n179[.]43[.]155[.]202\r\nwork[.]letmaker[.]top\r\nsu-94[.]letmaker[.]top\r\nFigure 16. Process injection into msbuild.exe. Screenshot taken with Trend Vision One™\r\nConclusion\r\nlwp-download is a Linux utility present by default on a number of platforms, and 8220 Gang making it part of any malware routine can affect a number of services even if it were reused more than once. Considering the threat actor’s tendency to reuse tools for different campaigns and to abuse legitimate tools as part of its arsenal, organizations’ security teams might be challenged to find other detection and blocking solutions to fend off attacks that abuse this utility.\r\nAbuse of lwp-download might be expected in the short term for compromise and targeting of other platforms. Despite reusing old tools and C\u0026C servers, the gang has started targeting Windows systems and using new file and C\u0026C servers to evade previous detections. Moreover, while it would initially seem counterintuitive to use a six-year-old security gap in an attack, the malicious actor’s scanning activity could have shown systems still vulnerable to the exploit.\r\nConsidering these developments, we find 8220 Gang a threat to be reckoned with despite other researchers describing them as “low-level script kiddies,” and organizations still have to work on catching up when it comes to updating their security systems. In the group’s previous deployments, the earlier scripts they used were simple, unable to evade detection, and easy to analyze. Over time, it included significantly damaging pieces of malware (such as Tsunami malware) in its respective campaigns. We will continue monitoring this group and their respective deployments for analysis, detection, and blocking.\r\nTrend Micro solutions\r\nTrend Cloud One™ - Endpoint Security and Workload Security products protect endpoints, servers, and cloud workloads through unified visibility, management, and role-based access control. These services provide specialized security optimized for your diverse endpoint and cloud environments, which eliminates the cost and complexity of multiple point solutions.\r\nIndicators of Compromise (IOCs)\r\nSHA256 | File name/Description | Detection\r\nb5fa13d8a03e9a38995e1a087f873e9f2e5d53d8ac713ffb951f62084c810a90 | bypass.ps1 | Trojan.MSIL.DROPPER.B\r\nURLs and IPs\r\nhttp[:]//79[.]137[.]203[.]156/Ebvjmba.dat\r\nhttp[:]//185[.]17[.]0[.]19/bypass.ps1\r\nhttp[:]//185[.]17[.]0[.]19/Nmfwg.png\r\n185[.]17[.]0[.]19\r\n194[.]38[.]23[.]170\r\n201[.]71[.]165[.]153\r\n179[.]43[.]155[.]202\r\nWork[.]letmaker[.]top\r\nsu-94[.]letmaker[.]top\r\nMITRE ATT\u0026CK\r\nTags\r\nSource: https://www.trendmicro.com/en_us/research/23/e/8220-gang-evolution-new-strategies-adapted.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/e/8220-gang-evolution-new-strategies-adapted.html"
	],
	"report_names": [
		"8220-gang-evolution-new-strategies-adapted.html"
	],
	"threat_actors": [
		{
			"id": "0b8ea9bb-b729-438a-ae1f-4240db936fd7",
			"created_at": "2023-06-23T02:04:34.839947Z",
			"updated_at": "2026-04-10T02:00:04.99239Z",
			"deleted_at": null,
			"main_name": "8220 Gang",
			"aliases": [
				"8220 Mining Group",
				"Returned Libra",
				"Water Sigbin"
			],
			"source_name": "ETDA:8220 Gang",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "942c5fbc-31df-4aef-8268-e3ccf6692ec8",
			"created_at": "2024-07-09T02:00:04.434476Z",
			"updated_at": "2026-04-10T02:00:03.671196Z",
			"deleted_at": null,
			"main_name": "Water Sigbin",
			"aliases": [
				"8220 Gang"
			],
			"source_name": "MISPGALAXY:Water Sigbin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7618565f-b8b8-4e33-b25e-3e89fdc444dd",
			"created_at": "2023-01-06T13:46:39.434955Z",
			"updated_at": "2026-04-10T02:00:03.326016Z",
			"deleted_at": null,
			"main_name": "Returned Libra",
			"aliases": [
				"8220 Mining Group"
			],
			"source_name": "MISPGALAXY:Returned Libra",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434721,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3d6f14c33e71f44bea4cd45c01d3adbc02bf919a.pdf",
		"text": "https://archive.orkl.eu/3d6f14c33e71f44bea4cd45c01d3adbc02bf919a.txt",
		"img": "https://archive.orkl.eu/3d6f14c33e71f44bea4cd45c01d3adbc02bf919a.jpg"
	}
}