Security researchers at Fortinet FortiGuard Labs have discovered that a group of 8220 Gang cryptominers are delivering the new ScrubCrypt crypter to systems and then cryptojacking. The chain of attacks begins by exploiting vulnerable Oracle WebLogic servers to load a PowerShell script containing ScrubCrypt.
ScrubCrypt comes with the ability to bypass Windows Defender protection, as well as checking for a debugging environment and a virtual machine. ScrubCrypt is an encryptor used to secure applications using the unique BAT packaging method.
ScrubCrypt at the final stage decodes and loads the miner payload into memory, and then starts the mining process.
Experts describe 8220 participants as low-skilled financially motivated hackers who infiltrate AWS, Azure, GCP, Alitun and QCloud hosts using vulnerabilities in Docker, Redis, Confluence and Apache. In addition, the group has its own cryptominer called PwnRig, based on the XMRig miner. PwnRig uses a fake FBI subdomain with an IP address pointing to a Brazilian government resource.