The cyber threat group known as the “8220 Gang” has recently been identified as targeting vulnerable Oracle WebLogic servers with a new payload. Security researchers at Fortinet have analyzed this payload and found that it carries ScrubCrypt, a crypter designed to obfuscate and encrypt applications so that they evade detection by security software.
According to Fortinet senior antivirus analyst Cara Lin, the 8220 Gang first emerged in 2017 and is named after its original use of port 8220 for network communications. The group has recently updated ScrubCrypt with capabilities that let it bypass Windows Defender and evade detection by antivirus programs. Fortinet’s analysis of the malware revealed that each payload is slightly different, indicating that the group is continuously evolving its tactics.
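The article mentions that the group is named after its original use of port 8220 for network communications. As an added illustration (not code from Fortinet or from the article), the script below shows how a defender might turn that single indicator into a triage check over connection logs: it flags egress connections from internal hosts to external destinations on port 8220 and groups the hits by destination. The log format, the sample lines and all addresses are constructed for this example; the port is a historical indicator per the article, so a hit is a lead for investigation, not a verdict.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed connection-log lines for this example (not from the article or any real incident).
# Assumed line format: "<timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_LOG = """\
2024-01-15T10:02:11Z 10.0.5.23:51234 -> 203.0.113.10:443 TCP
2024-01-15T10:02:13Z 10.0.5.23:51240 -> 198.51.100.7:8220 TCP
2024-01-15T10:02:20Z 10.0.5.41:49877 -> 203.0.113.44:80 TCP
2024-01-15T10:02:45Z 10.0.5.41:49901 -> 10.0.9.12:8220 TCP
2024-01-15T10:03:02Z 10.0.7.9:55001 -> 198.51.100.7:8220 TCP
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s+(?P<proto>\S+)$"
)

# Port 8220 is the historical indicator named in the article; hits are leads, not verdicts.
WATCHED_PORTS = {8220}

# RFC 1918 ranges spelled out explicitly. ipaddress.is_private also treats the documentation
# ranges (203.0.113.0/24 etc.) as private, which would misclassify the constructed sample above.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into its fields; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_watched_egress(log_text: str) -> List[Dict[str, str]]:
    """Return records where an internal host connects to an external host on a watched port."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the whole run
        if (
            int(rec["dport"]) in WATCHED_PORTS
            and is_internal(rec["src"])
            and not is_internal(rec["dst"])
        ):
            hits.append(rec)
    return hits


def summarize_by_destination(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count hits per external destination so repeated beacons to one host stand out."""
    return dict(Counter(h["dst"] for h in hits))


if __name__ == "__main__":
    found = find_watched_egress(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["src"]} -> {h["dst"]}:{h["dport"]} ({h["proto"]})')
    print("per-destination counts:", summarize_by_destination(found))
```

On the constructed sample, the internal-to-internal connection on port 8220 is deliberately excluded: the check is about egress to hosts outside the organization, which is where a historical command-and-control port is meaningful. The watched-port set and internal ranges are the two knobs a practitioner would tune to their own environment.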
Lin also noted that the crypto wallet address and server IP address used in these attacks have been linked to the 8220 Gang in the past, further solidifying the connection to the threat group. The 8220 Gang is known for leveraging public file-sharing websites and exploiting system vulnerabilities to gain access to victims’ environments.
Microsoft issued a warning about the 8220 Gang in July 2022, highlighting the group’s malicious activities. Users are advised to stay vigilant and keep their systems updated with the latest patches to protect against threats from the 8220 Gang.
In light of these developments, it is crucial for organizations to enhance their cybersecurity measures and remain proactive in identifying and mitigating potential threats. By staying informed about the latest tactics used by threat actors like the 8220 Gang, businesses can better protect their sensitive data and infrastructure from cyber attacks.