Water Sigbin exploits CVE-2017-3506 to gain initial access, deploying a PowerShell script on the compromised machine. This script decodes and executes the first-stage payload, named wireguard2-3.exe, in the temporary directory. The malware masquerades as a legitimate VPN application (WireGuard) to deceive users and antivirus engines.
The malware employs a multi-stage loading technique. In the first stage, the loader (wireguard2-3.exe) decrypts and executes a second-stage payload (Zxpus.dll) directly in memory, which significantly improves the malware's ability to evade detection. In the second stage, Zxpus.dll decrypts and decompresses a configuration resource using AES encryption and Gzip compression. It then creates a new process (cvtres.exe) to load the third-stage payload, the PureCrypter loader.
In the third stage, the PureCrypter loader decompresses and executes the final payload, the XMRig cryptocurrency miner. The malware uses advanced techniques such as reflective DLL injection and process injection to execute solely in memory. Additionally, it establishes persistence through scheduled tasks and modifies Windows Defender exclusions to evade detection further.
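As an added example that is not part of the original write-up, the following Python sketches how a defender could flag the observable behaviours described above (a WireGuard-named binary launched by PowerShell from a Temp directory, cvtres.exe spawned by something other than a build tool, a Defender exclusion added via PowerShell, and a scheduled task pointing into Temp) in process-creation telemetry. The event field names and all sample events are constructed for the example.

```python
# Constructed Sysmon-style process-creation events (field names are an assumption).
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\svc\AppData\Local\Temp\wireguard2-3.exe",
     "command_line": r"C:\Users\svc\AppData\Local\Temp\wireguard2-3.exe"},
    {"parent_image": r"C:\Users\svc\AppData\Local\Temp\wireguard2-3.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
     "command_line": r"cvtres.exe"},
    {"parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell -Command Add-MpPreference -ExclusionPath C:\Users\svc\AppData\Local\Temp"},
    {"parent_image": r"C:\Users\svc\AppData\Local\Temp\wireguard2-3.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r"schtasks /create /sc minute /mo 10 /tn Updater /tr C:\Users\svc\AppData\Local\Temp\wireguard2-3.exe"},
    # Benign control: cvtres.exe launched by MSBuild during a normal .NET build.
    {"parent_image": r"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
     "command_line": r"cvtres.exe /machine:x64"},
]

# Parents under which cvtres.exe is expected; anything else is worth a look.
BUILD_TOOLS = {"msbuild.exe", "devenv.exe", "link.exe", "csc.exe", "vbc.exe"}


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the names of the write-up's behaviours that one event matches."""
    hits = []
    img, parent = basename(ev["image"]), basename(ev["parent_image"])
    cmd, img_path = ev["command_line"].lower(), ev["image"].lower()
    # Stage 1: WireGuard look-alike started by PowerShell out of a Temp directory.
    if img.startswith("wireguard") and "\\temp\\" in img_path and parent == "powershell.exe":
        hits.append("wireguard_lookalike_from_temp")
    # Stage 2/3: cvtres.exe is a .NET build helper; an unexpected parent is suspicious.
    if img == "cvtres.exe" and parent not in BUILD_TOOLS:
        hits.append("cvtres_unexpected_parent")
    # Defender exclusion added through the Add-MpPreference cmdlet.
    if "add-mppreference" in cmd and "-exclusion" in cmd:
        hits.append("defender_exclusion_added")
    # Persistence: scheduled task whose action lives in a Temp directory.
    if img == "schtasks.exe" and "/create" in cmd and "\\temp\\" in cmd:
        hits.append("schtask_persistence_temp")
    return hits


def scan(events):
    """Run every rule over a list of events; returns (event index, rule name) pairs."""
    return [(i, h) for i, ev in enumerate(events) for h in classify(ev)]
```

The cvtres.exe rule is a parent-based heuristic, so tune BUILD_TOOLS to the build hosts in your own environment to keep false positives down.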