It is highly recommended to make sure all systems are fully up to date on patching, particularly systems that are externally facing. The threat actors appear to be exploiting an Oracle WebLogic vulnerability from 2017, tracked as CVE-2017-10271, to establish an initial foothold in the environment. Newer versions of Oracle WebLogic are no longer vulnerable to this, so upgrading to the latest version is recommended to help prevent this attack. Likewise, implementing and maintaining endpoint security controls, such as an EDR, is recommended to help prevent malicious activity from compromising the system.

Where prevention fails, detection can alert analysts to a potential infection. The infection chain seen in this campaign exhibits a number of behaviors that can be considered suspicious: PowerShell creating unauthorized Windows Defender exclusions, web processes launching a PowerShell script, and abnormal VBS and BAT files being created in the root of the AppData\Roaming directory are all potential signs of infection. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs.
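The three behaviors listed above can be turned into simple process-creation and file-creation rules. The following is an added example, not code from the original post or from Binary Defense; the event records are constructed Sysmon-style telemetry, and the set of web-server parent images (java.exe for WebLogic, w3wp.exe, httpd.exe) is an assumption to tune for your environment.

```python
import re

# Constructed sample telemetry (Sysmon-style process-create and file-create
# events); illustrative only, not records captured from the campaign.
EVENTS = [
    {"id": 1, "type": "process", "parent": r"C:\Oracle\jdk\bin\java.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -File C:\\Users\\svc\\AppData\\Roaming\\run.ps1"},
    {"id": 2, "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Add-MpPreference -ExclusionPath C:\\Users\\svc\\AppData\\Roaming"},
    {"id": 3, "type": "file", "image": r"C:\Windows\System32\wscript.exe",
     "path": r"C:\Users\svc\AppData\Roaming\updater.vbs"},
    {"id": 4, "type": "file", "image": r"C:\Program Files\App\app.exe",
     "path": r"C:\Users\svc\AppData\Roaming\App\config.bat"},  # nested subfolder: not flagged
    {"id": 5, "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
]

# Assumed parent images for web/application servers (WebLogic runs under java.exe).
WEB_SERVER_PARENTS = {"java.exe", "w3wp.exe", "httpd.exe", "nginx.exe", "tomcat9.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# A Defender exclusion being added from the command line.
EXCLUSION_RE = re.compile(r"Add-MpPreference\s+.*-Exclusion(Path|Process|Extension)", re.I)
# A .vbs or .bat written directly to the root of AppData\Roaming (no subfolder).
ROAMING_ROOT_SCRIPT_RE = re.compile(
    r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Roaming\\[^\\]+\.(vbs|bat)$", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, event id) pairs for events matching the campaign's behaviors."""
    hits = []
    for ev in events:
        if ev["type"] == "process" and basename(ev["image"]) in POWERSHELL_IMAGES:
            if EXCLUSION_RE.search(ev["cmdline"]):
                hits.append(("defender_exclusion_via_powershell", ev["id"]))
            if basename(ev["parent"]) in WEB_SERVER_PARENTS:
                hits.append(("web_process_spawned_powershell", ev["id"]))
        elif ev["type"] == "file" and ROAMING_ROOT_SCRIPT_RE.match(ev["path"]):
            hits.append(("script_dropped_in_roaming_root", ev["id"]))
    return hits

if __name__ == "__main__":
    for rule, eid in detect(EVENTS):
        print(f"{rule}: event {eid}")
```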
https://thehackernews.com/2023/03/new-scrubcrypt-crypter-used-in.html
https://www.fortinet.com/blog/threat-research/old-cyber-gang-uses-new-crypter-scrubcrypt

