{"id":56427,"date":"2024-06-28T00:00:00","date_gmt":"2024-06-28T00:00:00","guid":{"rendered":"urn:uuid:a871ee9b-84e0-a340-ad08-392b3c94dc5f"},"modified":"2024-06-28T00:00:00","modified_gmt":"2024-06-28T00:00:00","slug":"examining-water-sigbins-infection-routine-leading-to-an-xmrig-cryptominer","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/examining-water-sigbins-infection-routine-leading-to-an-xmrig-cryptominer\/","title":{"rendered":"Examining Water Sigbin&#8217;s Infection Routine Leading to an XMRig Cryptominer"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/sigbin-cover:Large?qlt=80\"><!-- OneTrust Cookies Consent Notice start for trendmicro.com --><!-- OneTrust Cookies Consent Notice end for trendmicro.com --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width\"> <meta name=\"description\" content=\"We analyze the multi-stage loading technique used by Water Sigbin to deliver the PureCrypter loader and XMRIG crypto miner. 
\"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\" content=\"cloud,malware,research,exploits &amp; vulnerabilities,articles, news, reports,cyber threats\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2024-06-28\"> <meta property=\"article:tag\" content=\"exploits &amp; vulnerabilities\"> <meta property=\"article:section\" content=\"research\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/f\/water-sigbin-xmrig.html\"> <title>Examining Water Sigbin&#8217;s Infection Routine Leading to an XMRig Cryptominer | Trend Micro (US)<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\">\n<link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendmicro\/clientlibs\/trendmicro-core-2\/clientlibs\/header-footer.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/f\/water-sigbin-xmrig.html\"><br \/>\n<meta property=\"og:title\" content=\"Examining Water Sigbin's Infection Routine Leading to an XMRig Cryptominer\"><br \/>\n<meta property=\"og:description\" content=\"We analyze the multi-stage loading technique used by Water Sigbin to deliver the PureCrypter loader and XMRIG crypto miner. 
\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/24\/sigbin-cover.png\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"Examining Water Sigbin's Infection Routine Leading to an XMRig Cryptominer\"><br \/>\n<meta name=\"twitter:description\" content=\"We analyze the multi-stage loading technique used by Water Sigbin to deliver the PureCrypter loader and XMRIG crypto miner. \"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/24\/sigbin-cover.png\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.571694599628\"> <!-- Page Scroll: Back to Top --> <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a> <!-- \/* Data Layers *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"698518368\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"9.7360703812317\">\n<div class=\"article-details\" role=\"heading\" readability=\"38.944281524927\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Exploits &amp; Vulnerabilities<\/p>\n<p class=\"article-details__description\">We analyze the multi-stage loading technique used by Water 
Sigbin to deliver the PureCrypter loader and XMRIG crypto miner. <\/p>\n<p class=\"article-details__author-by\">By: Ahmed Mohamed Ibrahim , Shubham Singh, Sunil Bharti <time class=\"article-details__date\">June 28, 2024<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<div class=\"article-details__icons\"> <!--Add This--> <\/p>\n<div class=\"a2a_kit a2a_default_style\" data-a2a-icon-color=\"#717172\"> <a class=\"a2a_dd addthis_link\" href=\"https:\/\/www.addtoany.com\/share\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/share-more.svg\" class=\"svg-icon\" alt=\"Share\"> <\/a> <a class=\"a2a_button_print addthis_link\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/printer.svg\" class=\"svg-icon\" alt=\"Print\"> <\/a> <\/div>\n<p> <!--Add to Folio--> <!--Subscribe--> <\/div>\n<\/div><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-lg-8 col-lg-push-2\"> <\/p>\n<div class=\"richText\" readability=\"38.194683908046\">\n<div readability=\"23.206896551724\">\n<h2><span class=\"body-subhead-title\">Summary<\/span><\/h2>\n<ul>\n<li><span class=\"rte-red-bullet\">Water Sigbin continues to exploit CVE-2017-3506 and CVE-2023-21839 to deploy &nbsp;cryptocurrency miners via a PowerShell script.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">The threat actor employs fileless execution techniques, using DLL reflective and process injection, allowing the malware code to run solely in memory and avoid disk-based detection mechanisms.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">This blog entry details the multi-stage loading technique that Water Sigbin uses to deliver the PureCrypter loader and XMRig cryptocurrency miner.<\/span><\/li>\n<\/ul>\n<p>Water Sigbin 
(8220 Gang), a threat actor that focuses on deploying cryptocurrency-mining malware, has also been actively targeting Oracle WebLogic servers. As discussed in our <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/e\/decoding-8220-latest-obfuscation-tricks.html\">previous blog entry<\/a>, we found the threat actor exploiting vulnerabilities in Oracle WebLogic Server, notably <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2017-3506\">CVE-2017-3506<\/a> and <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-21839\">CVE-2023-21839<\/a> to deploy cryptocurrency miners via PowerShell scripts.<\/p>\n<p>In this entry, we will examine the multi-stage loading technique used to deliver the PureCrypter loader and XMRIG crypto miner. All payloads used during this campaign are protected using <i>.Net Reactor<\/i>, a .NET code protection software, to safeguard against reverse engineering. This protection obfuscates the code, making it difficult for defenders to understand and replicate. Additionally, it incorporates anti-debugging techniques. The payload was delivered via the exploitation of CVE-2017-3506. Figure 1 shows the attack payload we observed.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/water-sigbin-xmrig\/fig1.png\" alt=\"Figure 1. Attack payload found during the exploitation of CVE-2017-3506\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 1. 
Attack payload found during the exploitation of CVE-2017-3506<\/figcaption><\/div>\n<\/figure><\/div>\n<div>\n<div class=\"richText\">\n<div>\n<p><span class=\"body-subhead-title\">Attack diagram<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"323600\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/water-sigbin-xmrig\/fig2.png\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/water-sigbin-xmrig\/fig2.png\" alt=\"Figure 2. Water Sigbin Attack diagram\"> <\/a> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 2. Water Sigbin Attack diagram<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.072443181818\">\n<div readability=\"11.488636363636\">\n<h2><span class=\"body-subhead-title\">Technical analysis<\/span><\/h2>\n<h3><span class=\"body-subhead-title\"><\/span><\/h3>\n<p>Upon successful exploitation of CVE-2017-3506, Water Sigbin deploys a PowerShell script on the compromised machine. This script is responsible for decoding the first stage Base64-encoded payload (in the <i>bin.ps1<\/i> PowerShell Script). In this case, the script we analyzed was not as complicated as the one we observed in <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/e\/decoding-8220-latest-obfuscation-tricks.html\">earlier attacks<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/water-sigbin-xmrig\/fig3.png\" alt=\"Figure 3. The PowerShell Script drops, decodes, and executes the loader\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 3. 
The PowerShell Script drops, decodes, and executes the loader<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"30.892307692308\">\n<div readability=\"8.6884615384615\">\n<p>The malware drops the initial stage loader in the temporary directory under the name <i>wireguard2-3.exe<\/i> and then executes it. The malware impersonates the legitimate VPN application <a href=\"https:\/\/www.wireguard.com\/\">WireGuard<\/a> to deceive users and AV engines into believing it is genuine software.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/water-sigbin-xmrig\/fig4.png\" alt=\"Figure 4. File properties\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 4. File properties<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\" height=\"10%\">\n<tbody readability=\"1\">\n<tr>\n<th scope=\"col\">File name<\/th>\n<th scope=\"col\">SHA256<\/th>\n<th scope=\"col\">Size<\/th>\n<th scope=\"col\">Type<\/th>\n<\/tr>\n<tr readability=\"2\">\n<td>wireguard2-3.exe<\/td>\n<td>f4d11b36a844a68bf9718cf720984468583efa6664fc99966115a44b9a20aa33<\/td>\n<td>5.82 MB (6102016 bytes)<\/td>\n<td>EXE<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"36.5\">\n<div readability=\"18\">\n<p><sup>Table 1. First stage loader details<\/sup><\/p>\n<p>The <i>wireguard2-3.exe<\/i> file is a trojan loader that decrypts, maps, and executes a second-stage payload in memory.&nbsp; The loader dynamically retrieves, loads, and executes another binary from the specified resource <i>Chgnic.Properties.Resources.resources<\/i> (named <i>Qtyocccmt<\/i>), which ultimately resolves to <i>Zxpus.dll<\/i>. 
By using reflective DLL injection for in-memory execution, the malware significantly enhances its ability to evade detection and effectively carry out its malicious activities.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/water-sigbin-xmrig\/fig5.png\" alt=\"Figure 5. The loader dynamically retrieves, loads, and executes Zxpus.dll\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 5. The loader dynamically retrieves, loads, and executes Zxpus.dll<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\" height=\"10%\">\n<tbody readability=\"1\">\n<tr>\n<th scope=\"col\">File name<\/th>\n<th scope=\"col\">SHA256<\/th>\n<th scope=\"col\">Size<\/th>\n<th scope=\"col\">Type<\/th>\n<\/tr>\n<tr readability=\"2\">\n<td>Zxpus.dll<\/td>\n<td>0bf87b0e65713bf35c8cf54c9fa0015fa629624fd590cb4ba941cd7cdeda8050<\/td>\n<td>2.7 MB (2859008 bytes)<\/td>\n<td>DLL<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p><sup>Table 2. Second stage loader details<\/sup><\/p>\n<p>The DLL is another trojan loader that dynamically retrieves a binary named <i>Vewijfiv<\/i> from its resources and decrypts it using the AES encryption algorithm with a specified key and IV. The decrypted payload is then decompressed using GZip. After decompression, the payload is deserialized using <i>protobuf-net<\/i>, revealing the loader&#8217;s configuration. 
This configuration includes details such as the process name to be created and the next stage payload in encrypted format.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\" height=\"10%\">\n<tbody readability=\"2\">\n<tr>\n<th scope=\"col\">AES Key<\/th>\n<th scope=\"col\">AES IV<\/th>\n<\/tr>\n<tr readability=\"4\">\n<td>5D8D6871C3D59D855616603F686713AC48BF2351F6182EA282E1D84CBB15B94F<\/td>\n<td>CAAD009AC0881FE2A89F80CEEA6D1B6<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p><sup>Table 3. The binary AES key and AES IV<\/sup><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/water-sigbin-xmrig\/fig6.png\" alt=\"Figure 6. Zxpus.dll main function\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 6. Zxpus.dll main function<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/water-sigbin-xmrig\/fig7.png\" alt=\"Figure 7. Zxpus.dll decrypts the configuration resource file named \u201cVewijfiv\u201d using the AES encryption algorithm\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 7. Zxpus.dll decrypts the configuration resource file named \u201cVewijfiv\u201d using the AES encryption algorithm<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/water-sigbin-xmrig\/fig8.png\" alt=\"Figure 8. 
Zxpus.dll decompresses the configuration using GZIP compression\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 8. Zxpus.dll decompresses the configuration using GZIP compression<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>The loader creates a new process named <i>cvtres.exe<\/i> in the path <i>C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\cvtres.exe<\/i> to impersonate a legitimate process. It then uses process injection to load the next stage payload into memory and start the new process.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/water-sigbin-xmrig\/fig9.png\" alt=\"Figure 9. Zxpus.dll creating the cvtres.exe process\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 9. Zxpus.dll creating the cvtres.exe process<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>Next, the loader passes the execution to the&nbsp;<i>cvtres.exe<\/i> process, which will be used to load the PureCrypter loader.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\" height=\"10%\">\n<tbody readability=\"1\">\n<tr>\n<th scope=\"col\">File name<\/th>\n<th scope=\"col\">SHA256<\/th>\n<th scope=\"col\">Size<\/th>\n<th scope=\"col\">Type<\/th>\n<\/tr>\n<tr readability=\"2\">\n<td>cvtres.exe<\/td>\n<td>b380b771c7f5c2c26750e281101873772e10c8c1a0d2a2ff0aff1912b569ab93<\/td>\n<td>700.5 KB (717312 bytes)<\/td>\n<td>EXE<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35.5\">\n<div readability=\"16\">\n<p><sup>Table 4. 
Third stage loader details<\/sup><\/p>\n<p>At this stage, the malware decompresses another DLL file using Gzip, then loads the DLL and invokes its main function. The final DLL payload is the PureCrypter loader version V6.0.7D, which registers the victim with the command-and-control (C&amp;C) server and downloads the final payload, which includes the XMRig cryptocurrency miner.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/water-sigbin-xmrig\/fig10.png\" alt=\"Figure 10. Loading and executing the PureCrypter Loader (Tixrgtluffu.dll) using cvtres.exe\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 10. Loading and executing the PureCrypter Loader (Tixrgtluffu.dll) using cvtres.exe<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\" height=\"10%\">\n<tbody readability=\"2\">\n<tr>\n<th scope=\"col\">File name<\/th>\n<th scope=\"col\">SHA256<\/th>\n<th scope=\"col\">Size<\/th>\n<th scope=\"col\">Type<\/th>\n<\/tr>\n<tr readability=\"4\">\n<td>Tixrgtluffu.dll<\/td>\n<td>2e32c5cea00f8e4c808eae806b14585e8672385df7449d2f6575927537ce8884<\/td>\n<td>1018.0 KB (1042432 bytes)<\/td>\n<td>DLL<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"36.5\">\n<div readability=\"18\">\n<p><sup>Table 5. Details of the PureCrypter loader<\/sup><\/p>\n<p>Upon execution, the malware decodes its configuration, which contains the mutex value, C&amp;C server Information, and more. 
Furthermore, the malware employs a <i>mutex name<\/i> (6cbe41284f6a992cc0534b) to ensure that only one instance is running simultaneously.<\/p>\n<p>The following is a sample of the malware configuration:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\" height=\"10%\">\n<tbody readability=\"2\">\n<tr>\n<th scope=\"col\">Configuration<\/th>\n<th scope=\"col\">Description<\/th>\n<\/tr>\n<tr>\n<td height=\"33\" width=\"267\">89.185.85.102<\/td>\n<td width=\"267\">C&amp;C IP address<\/td>\n<\/tr>\n<tr>\n<td height=\"33\" width=\"267\">god.sck-dns.cc<\/td>\n<td width=\"267\">C&amp;C domain name<\/td>\n<\/tr>\n<tr>\n<td height=\"33\" width=\"267\">amad<\/td>\n<td width=\"267\">Unknown&nbsp;<\/td>\n<\/tr>\n<tr>\n<td height=\"33\" width=\"267\">6cbe41284f6a992cc0534b2<\/td>\n<td width=\"267\">Mutex value<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"33\" width=\"267\">IsSynchronized<\/td>\n<td width=\"267\">Task name\/Filename used for Persistence<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"33\" width=\"267\">Name<\/td>\n<td width=\"267\">Persistence\/Registry directory name<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p><sup>Table 6. Malware configuration<\/sup><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"29f545\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/water-sigbin-xmrig\/fig11.png\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/water-sigbin-xmrig\/fig11.png\" alt=\"Figure 11. ThePureCrypter loader main function\"> <\/a> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 11. 
The PureCrypter loader main function<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>The malware can create a scheduled task with the highest privilege that runs 15 seconds after creation and then runs at random intervals between 180 and 360 seconds (up to approximately 6 minutes) to achieve persistence.<\/p>\n<p>The malware replicates itself as a hidden file named <i>IsSynchronized.exe<\/i> under the hidden path <i>C:\\Users\\$USERNAME$\\AppData\\Roaming\\Name\\<\/i>. The task is registered under the <i>Microsoft\\Windows\\Name<\/i> folder and is configured to run upon system startup or user login.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"2b2ddb\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/water-sigbin-xmrig\/fig12.png\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/water-sigbin-xmrig\/fig12.png\" alt=\"Figure 12. PureCrypter creates a scheduled task for persistence\"> <\/a> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 12. PureCrypter creates a scheduled task for persistence<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/water-sigbin-xmrig\/fig13.png\" alt=\" Figure 13. Scheduled task properties\"> <\/p>\n<div class=\"caption-image-container \"><figcaption> Figure 13. Scheduled task properties<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>In addition, the malware can create a hidden scheduled task with a random task name that executes a PowerShell command. 
This command adds malware-specific files and processes to Windows Defender&#8217;s exclusion list.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"64a87b\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/water-sigbin-xmrig\/fig14.png\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/water-sigbin-xmrig\/fig14.png\" alt=\"Figure 14. PureCrypter creating a scheduled task for Windows Defender exclusion\"> <\/a> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 14. PureCrypter creating a scheduled task for Windows Defender exclusion<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"45\">\n<div readability=\"35\">\n<p>The Base64-encoded PowerShell command is as follows:<\/p>\n<p><span class=\"blockquote\">Powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGU[&#8230; base64 encoded characters &#8230;] aQB6AGUAZAAuAGUAeABlAA==<\/span><\/p>\n<p>Meanwhile, its decoded value is:<\/p>\n<p><span class=\"blockquote\">Add-MpPreference -ExclusionPath C:\\Users\\ $USERNAME$ \\AppData\\Roaming\\Name\\IsSynchronized.exe,C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\AddInProcess.exe -Force;<\/span><\/p>\n<p>Add-MpPreference -ExclusionProcess C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\AddInProcess.exe,C:\\Users\\$USERNAME$\\AppData\\Roaming\\Name\\IsSynchronized.exe&#8221;<\/p>\n<p>Next, the malware attempts to establish a connection with its C&amp;C server at 89.185.85[.]102:9091. 
For each victim, the malware generates a unique identifier based on collected hardware information, stores it in a specific format, and hashes it using MD5.<\/p>\n<p>The following is the format of the collected data:<\/p>\n<p><span class=\"blockquote\">[Processor ID]-[Disk Drive Signature]-[Disk Drive Serial Number]-[Baseboard Serial Number]-[Model or Name of GPU]-[Username]<\/span><\/p>\n<p>The following code snippet shows the collection of the aforementioned information:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/water-sigbin-xmrig\/fig15.png\" alt=\"Figure 15. PureCrypter generates a victim ID from system information\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 15. PureCrypter generates a victim ID from system information<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"36.5\">\n<div readability=\"18\">\n<p>Additionally, the malware collects system information, which includes usernames, installed antivirus software, and CPU information, using Windows Management Instrumentation (WMI) queries. This information is stored in an object class, serialized into a byte sequence, and then encrypted using the TripleDES symmetric-key encryption algorithm. The encryption key is derived from the MD5 hash of the mutex value (6cbe41284f6a992cc0534b). Subsequently, the encrypted data is sent to the C&amp;C server.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"9d0451\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/water-sigbin-xmrig\/fig16.png\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/water-sigbin-xmrig\/fig16.png\" alt=\"Figure 16. 
PureCrypter Initializes connection with the C&amp;C server and collects system information\"> <\/a> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 16. PureCrypter Initializes connection with the C&amp;C server and collects system information<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/water-sigbin-xmrig\/fig17.png\" alt=\"Figure 17. PureCrypter retrieves installed AV using WMI query\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 17. PureCrypter retrieves installed AV using WMI query<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/water-sigbin-xmrig\/fig18.png\" alt=\"Figure 18. PureCrypter sends encrypted collected data to the C2 server\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 18. PureCrypter sends encrypted collected data to the C2 server<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p>The following code snippet illustrates the initial encrypted request containing system information:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/water-sigbin-xmrig\/fig19.png\" alt=\"Figure 19. Initial encrypted request\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 19. 
Initial encrypted request<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>Meanwhile, the following code snippet illustrates the initial decrypted request:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/water-sigbin-xmrig\/fig20.png\" alt=\"Figure 20. Initial decrypted request\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 20. Initial decrypted request<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"36.5\">\n<div readability=\"18\">\n<p>Upon successful registration, the C&amp;C server responds with an encrypted message containing the XMRig configuration details, such as the process\u2019s parameters, the mining pool server, and the process name, among others. This response is then stored in a registry key.<\/p>\n<p>The code snippet in Figure 21 illustrates the encrypted response, while Figure 22 shows the decrypted content of the response.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/water-sigbin-xmrig\/fig21.png\" alt=\"Figure 21. Encrypted response\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 21. Encrypted response<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/water-sigbin-xmrig\/fig22.png\" alt=\"Figure 22. Decrypted response\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 22. 
Decrypted response<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>The malware stores the decrypted response in a registry key under the subkey path <i>HKEY_CURRENT_USER\\SOFTWARE\\&lt;Victim ID&gt;<\/i>. The name of the key is the MD5 hash of the Victim ID.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/water-sigbin-xmrig\/fig23.png\" alt=\"Figure 23. The XMRig configuration stored in the registry key\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 23. The XMRig configuration stored in the registry key<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>Following the receipt of the initial response from the C&amp;C server, the malware downloads an encrypted file named <i>plugin3.dll<\/i>, and saves it in a registry key named after the MD5 hash of the retrieved file.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"3002dd\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/water-sigbin-xmrig\/fig24.png\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/water-sigbin-xmrig\/fig24.png\" alt=\"Figure 24. PureCrypter downloads Plugin3.dll, which is the final XMRig Payload\"> <\/a> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 24. PureCrypter downloads Plugin3.dll, which is the final XMRig Payload<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/water-sigbin-xmrig\/fig25.png\" alt=\"Figure 25. 
Downloading plugin3.dll (XMRig payload)\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 25. Downloading plugin3.dll (XMRig payload)<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/water-sigbin-xmrig\/fig26.png\" alt=\" Figure 26. Content of plugin3.dll in the registry key\"> <\/p>\n<div class=\"caption-image-container \"><figcaption> Figure 26. Content of plugin3.dll in the registry key<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>The malware then decrypts the stored <i>plugin3.dll<\/i> content using the TripleDES algorithm and decompresses the result with Gzip. The decrypted payload exists only in memory, so the persistent artifact investigators should look for is the registry value, not a dropped file.<\/p>\n<p>Next, the loader creates a new process named <i>AddinProcess.exe<\/i> (a legitimate .NET Framework binary, which is why the threat-hunting query later in this entry keys on the <i>Microsoft.NET\\Framework64<\/i> path) to impersonate a legitimate process. It then uses process injection (mapped to Process Hollowing, T1055.012, in the ATT&amp;CK table below) to load the XMRig payload into memory and starts the new process.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/water-sigbin-xmrig\/fig27.png\" alt=\"Figure 27. Creating the \u201cAddinProcess.exe\u201d process that hosts the XMRig miner\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 27. Creating the \u201cAddinProcess.exe\u201d process that hosts the XMRig miner<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/water-sigbin-xmrig\/fig28.png\" alt=\"Figure 28. Writing the XMRig payload within the \u201cAddinProcess.exe\u201d process and running it\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 28. 
Writing the XMRig payload within the \u201cAddinProcess.exe\u201d process and running it<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>The final payload is XMRig, a popular open-source mining software that supports multiple operating systems. In this campaign it is delivered via the PureCrypter loader after the exploitation of Oracle WebLogic vulnerabilities. XMRig sends a mining login request to the pool endpoint \u201c217.182.205[.]238:8080\u201d (a bare IP address on a non-standard port rather than a public pool hostname, which makes the connection itself a useful network indicator) using the wallet address \u201cZEPHYR2xf9vMHptpxP6VY4hHwTe94b2L5SGyp9Czg57U8DwRT3RQvDd37eyKxoFJUYJvP5ivBbiFCAMyaKWUe9aPZzuNoDXYTtj2Z.c4k\u201d. The ZEPHYR prefix suggests the miner is paid out in Zephyr rather than Monero, and the \u201c.c4k\u201d suffix is most likely a worker identifier appended to the wallet.<\/p>\n<p>The following image shows a login request sent by XMRig:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/water-sigbin-xmrig\/fig29.png\" alt=\"Figure 29. XMRig login request\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 29. 
XMRig login request<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>Organizations can protect systems and networks against the exploitation of vulnerabilities by implementing the following cybersecurity best practices and proactive defense measures:<\/p>\n<ul>\n<li><b>Regularly update and patch systems and software<\/b><\/li>\n<li>&nbsp;&nbsp;&nbsp;<span class=\"rte-red-bullet\">&nbsp;Keep operating systems, applications, and systems firmware up to date with the latest security patches. For this campaign in particular, make sure Oracle WebLogic Server is patched against CVE-2017-3506 and CVE-2023-21839, and minimize direct internet exposure of WebLogic management interfaces, since the initial access here is exploitation of a public-facing application (T1190).<\/span><\/li>\n<li><b>Implement robust access controls<\/b><\/li>\n<li>&nbsp;&nbsp;&nbsp;<span class=\"rte-red-bullet\">&nbsp;Ensure that users and applications only have the minimum level of access necessary to perform their tasks; running WebLogic under a dedicated low-privilege service account limits what a successful exploit can do on the host.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp;&nbsp;&nbsp;&nbsp;Use strong authentication methods such as multi-factor authentication (MFA).<\/span><\/li>\n<li><b>Conduct regular security assessments<\/b><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp;&nbsp;&nbsp;&nbsp;Regularly scan networks and systems for vulnerabilities.<\/span><\/li>\n<li><b>Conduct security awareness training<\/b><\/li>\n<li>&nbsp;&nbsp;<span class=\"rte-red-bullet\">&nbsp;&nbsp;Continuously educate employees on relevant security best practices.<br \/>&nbsp;&nbsp;<\/span><\/li>\n<li><span class=\"body-subhead-title\">Trend solutions<\/span><\/li>\n<\/ul>\n<p>The following Vision One execution profile shows the major activities performed via the <i>wireguard2-3.exe<\/i> binary.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"0341ff\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/water-sigbin-xmrig\/fig30.png\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/water-sigbin-xmrig\/fig30.png\" alt=\"Figure 30. 
Vision One RCA graph\"> <\/a> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 30. Vision One RCA graph<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"321f6e\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/water-sigbin-xmrig\/fig31.png\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/water-sigbin-xmrig\/fig31.png\" alt=\"Figure 31. Workbench detection\"> <\/a> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 31. Workbench detection<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"39.397602073882\">\n<div readability=\"23.937783538561\">\n<p>The following text lists potentially useful queries for threat hunting within Vision One:<\/p>\n<p>&nbsp;processName:\"*Microsoft.NET\\Framework64*\" AND objectCmd:\"*--cpu-max-threads-hint*\"<\/p>\n<p>Note that the quotes and the double hyphen before <i>cpu-max-threads-hint<\/i> are plain ASCII characters; if the query is copied with curly quotes or an en dash it will silently match nothing. The query keys on XMRig's <i>--cpu-max-threads-hint<\/i> argument appearing on a process running from the .NET Framework directory, which presumably corresponds to the <i>AddinProcess.exe<\/i> host described above.<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">F8044 &#8211; Temporary Binary File Execution via PowerShell<b><u><\/u><\/b><\/span><\/li>\n<li><span class=\"rte-red-bullet\">F2269 &#8211; File Delivery via PowerShell<b><u><\/u><\/b><\/span><\/li>\n<li><span class=\"rte-red-bullet\">F4193 &#8211; Executable Binary in PowerShell Memory<b><u><\/u><\/b><\/span><\/li>\n<li><span class=\"rte-red-bullet\">F8404 &#8211; Cross-Process Injection via CreateRemoteThread<\/span><b><u><\/u><\/b><\/li>\n<\/ul>\n<ul>\n<li><span class=\"rte-red-bullet\">[Heuristic Attribute] Potential Information Gathering Behavior<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Cryptocurrency Mining Command Execution<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Potential Malicious PowerShell Activity Detected<\/span><\/li>\n<\/ul>\n<p>Meanwhile, these protections exist to detect malicious activity and shield Trend customers from the attack discussed in this blog entry:<\/p>\n<ul>\n<li><span 
class=\"rte-red-bullet\">1010550 &#8211; Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability (CVE-2017-3506)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">1011716 &#8211; Oracle Weblogic Server Insecure Deserialization Vulnerability (CVE-2023-21839)<\/span><\/li>\n<\/ul>\n<p>The Water Sigbin (aka 8220 Gang) threat actor has demonstrated a sophisticated multistage loading technique to deliver the XMRig cryptominer, showcasing its expertise and its use of advanced tactics and techniques. By exploiting Oracle WebLogic Server vulnerabilities, deploying cryptocurrency miners, and employing anti-analysis measures such as code obfuscation and .NET Reactor protection, this threat actor highlights its ability to evade detection and compromise systems. Note that both vulnerabilities listed above have vendor patches available (one of them, CVE-2017-3506, dates back to 2017), so the campaign relies on unpatched, internet-exposed WebLogic instances rather than on novel exploits. This campaign emphasizes the importance of robust security measures and vigilance in monitoring new threats.<b><\/b><\/p>\n<p>The indicators of compromise can be found <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/f\/water-sigbin-xmrig\/ioc-examining-water-sigbin-Infection-routine-leading-to-an-xmrig-cryptominer.txt\">here<\/a>.<\/p>\n<p><span class=\"body-subhead-title\">MITRE ATT&amp;CK Techniques<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\" height=\"10%\">\n<tbody readability=\"12\">\n<tr>\n<th scope=\"col\">Tactic<\/th>\n<th scope=\"col\">Technique<\/th>\n<th scope=\"col\">Technique ID<\/th>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"33\" width=\"267\">Initial Access<\/td>\n<td width=\"267\">Exploit Public-Facing Application<\/td>\n<td width=\"267\">T1190<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td rowspan=\"2\" height=\"66\" width=\"267\">Execution&nbsp;&nbsp;<\/td>\n<td width=\"267\">Command and Scripting Interpreter: PowerShell<\/td>\n<td width=\"267\">T1059.001<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td 
height=\"33\" width=\"267\">Windows Management Instrumentation<\/td>\n<td width=\"267\">T1047<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td rowspan=\"6\" height=\"198\" width=\"267\">Defense Evasion&nbsp;&nbsp;<\/td>\n<td width=\"267\">Masquerading: Match Legitimate Name or Location<\/td>\n<td width=\"267\">T1036.005<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"33\" width=\"267\">Deobfuscate\/Decode Files or Information<\/td>\n<td width=\"267\">T1140<\/td>\n<\/tr>\n<tr>\n<td height=\"33\" width=\"267\">Modify Registry<\/td>\n<td width=\"267\">T1112<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"33\" width=\"267\">Impair Defenses: Disable or Modify Tools<\/td>\n<td width=\"267\">T1562.001<\/td>\n<\/tr>\n<tr>\n<td height=\"33\" width=\"267\">Reflective Code Loading<\/td>\n<td width=\"267\">T1620<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"33\" width=\"267\">Process Injection: Process Hollowing<\/td>\n<td width=\"267\">T1055.012<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"33\" width=\"267\">Persistence<\/td>\n<td width=\"267\">Scheduled Task\/Job: Scheduled Task<\/td>\n<td width=\"267\">T1053.005<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"4\" height=\"132\" width=\"267\">Discovery<\/td>\n<td width=\"267\">Process Discovery<\/td>\n<td width=\"267\">T1057<\/td>\n<\/tr>\n<tr>\n<td height=\"33\" width=\"267\">Query Registry<\/td>\n<td width=\"267\">T1012<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"33\" width=\"267\">Software Discovery: Security Software Discovery<\/td>\n<td width=\"267\">T1518.001<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"33\" width=\"267\">System Information Discovery<\/td>\n<td width=\"267\">T1082<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td rowspan=\"4\" height=\"132\" width=\"267\">Command and Control<\/td>\n<td width=\"267\">Application Layer Protocol<\/td>\n<td width=\"267\">T1071<\/td>\n<\/tr>\n<tr>\n<td height=\"33\" width=\"267\">Data Obfuscation<\/td>\n<td width=\"267\">T1001<\/td>\n<\/tr>\n<tr>\n<td 
height=\"33\" width=\"267\">Non-Standard Port<\/td>\n<td width=\"267\">T1571<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"33\" width=\"267\">Non-Application Layer Protocol<\/td>\n<td width=\"267\">T1095<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <!--For Modal-start--> <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p> <!--For Modal-end--> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/f\/water-sigbin-xmrig.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We analyze the multi-stage loading technique used by Water Sigbin to deliver the PureCrypter loader and XMRIG crypto miner. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9520,9511,9555,9513,9509],"class_list":["post-56427","post","type-post","status-publish","format-standard","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cloud","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-exploitsvulnerabilities","tag-trend-micro-research-malware","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Examining Water Sigbin&#039;s Infection Routine Leading to an XMRig Cryptominer 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/examining-water-sigbins-infection-routine-leading-to-an-xmrig-cryptominer\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Examining Water Sigbin&#039;s Infection Routine Leading to an XMRig Cryptominer 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/examining-water-sigbins-infection-routine-leading-to-an-xmrig-cryptominer\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2024-06-28T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/sigbin-cover:Large?qlt=80\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"11 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/examining-water-sigbins-infection-routine-leading-to-an-xmrig-cryptominer\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/examining-water-sigbins-infection-routine-leading-to-an-xmrig-cryptominer\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Examining Water Sigbin&#8217;s Infection Routine Leading to an XMRig Cryptominer\",\"datePublished\":\"2024-06-28T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/examining-water-sigbins-infection-routine-leading-to-an-xmrig-cryptominer\\\/\"},\"wordCount\":2150,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/examining-water-sigbins-infection-routine-leading-to-an-xmrig-cryptominer\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/sigbin-cover:Large?qlt=80\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cloud\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : Exploits&amp;Vulnerabilities\",\"Trend Micro Research : Malware\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/examining-water-sigbins-infection-routine-leading-to-an-xmrig-cryptominer\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/examining-water-sigbins-infection-routine-leading-to-an-xmrig-cryptominer\\\/\",\"name\":\"Examining Water 
Sigbin's Infection Routine Leading to an XMRig Cryptominer 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/examining-water-sigbins-infection-routine-leading-to-an-xmrig-cryptominer\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/examining-water-sigbins-infection-routine-leading-to-an-xmrig-cryptominer\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/sigbin-cover:Large?qlt=80\",\"datePublished\":\"2024-06-28T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/examining-water-sigbins-infection-routine-leading-to-an-xmrig-cryptominer\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/examining-water-sigbins-infection-routine-leading-to-an-xmrig-cryptominer\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/examining-water-sigbins-infection-routine-leading-to-an-xmrig-cryptominer\\\/#primaryimage\",\"url\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/sigbin-cover:Large?qlt=80\",\"contentUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/sigbin-cover:Large?qlt=80\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/examining-water-sigbins-infection-routine-leading-to-an-xmrig-cryptominer\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":
\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Examining Water Sigbin&#8217;s Infection Routine Leading to an XMRig Cryptominer\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Examining Water Sigbin's Infection Routine Leading to an XMRig Cryptominer 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/examining-water-sigbins-infection-routine-leading-to-an-xmrig-cryptominer\/","og_locale":"en_US","og_type":"article","og_title":"Examining Water Sigbin's Infection Routine Leading to an XMRig Cryptominer 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/examining-water-sigbins-infection-routine-leading-to-an-xmrig-cryptominer\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2024-06-28T00:00:00+00:00","og_image":[{"url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/sigbin-cover:Large?qlt=80","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"11 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/examining-water-sigbins-infection-routine-leading-to-an-xmrig-cryptominer\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/examining-water-sigbins-infection-routine-leading-to-an-xmrig-cryptominer\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Examining Water Sigbin&#8217;s Infection Routine Leading to an XMRig Cryptominer","datePublished":"2024-06-28T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/examining-water-sigbins-infection-routine-leading-to-an-xmrig-cryptominer\/"},"wordCount":2150,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/examining-water-sigbins-infection-routine-leading-to-an-xmrig-cryptominer\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/sigbin-cover:Large?qlt=80","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cloud","Trend Micro Research : Cyber Threats","Trend Micro Research : Exploits&amp;Vulnerabilities","Trend Micro Research : Malware","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/examining-water-sigbins-infection-routine-leading-to-an-xmrig-cryptominer\/","url":"https:\/\/www.threatshub.org\/blog\/examining-water-sigbins-infection-routine-leading-to-an-xmrig-cryptominer\/","name":"Examining Water Sigbin's Infection Routine Leading to an XMRig Cryptominer 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/examining-water-sigbins-infection-routine-leading-to-an-xmrig-cryptominer\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/examining-water-sigbins-infection-routine-leading-to-an-xmrig-cryptominer\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/sigbin-cover:Large?qlt=80","datePublished":"2024-06-28T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/examining-water-sigbins-infection-routine-leading-to-an-xmrig-cryptominer\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/examining-water-sigbins-infection-routine-leading-to-an-xmrig-cryptominer\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/examining-water-sigbins-infection-routine-leading-to-an-xmrig-cryptominer\/#primaryimage","url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/sigbin-cover:Large?qlt=80","contentUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/sigbin-cover:Large?qlt=80"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/examining-water-sigbins-infection-routine-leading-to-an-xmrig-cryptominer\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Examining Water Sigbin&#8217;s Infection Routine Leading to an XMRig 
Cryptominer"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0
a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/56427","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=56427"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/56427\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=56427"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=56427"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=56427"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}