Microsoft has issued a warning about recent attempts by the “8220” malware group to compromise Linux systems and install cryptomining software. Microsoft says it has observed “notable” changes in the malware the group uses to deploy cryptominers on Linux.
Microsoft called out the so-called “8220 gang” for recent activity exploiting the critical vulnerability in Atlassian Confluence Server and Data Center tracked as CVE-2022-26134.
“Over the last year, the organisation has actively upgraded its payloads and procedures. The most recent campaign employs RCE vulnerabilities for CVE-2022-26134 (Confluence) and CVE-2019-2725 (WebLogic) to get access to i686 and x86_64 Linux computers, respectively,” according to Microsoft Security Intelligence.
Microsoft issued a warning: “The upgrades install new versions of a cryptominer and an IRC bot and make use of an exploit for a newly reported vulnerability.”
Security company Check Point found the 8220 gang exploiting the Atlassian vulnerability to install malware on Linux systems within a week of Atlassian’s disclosure of the bug on June 2. The group also targeted Windows systems, using the same Atlassian bug to inject a script into a PowerShell process in memory.
CISA had already ordered federal agencies to patch the issue by June 6 and to block all internet traffic to the product in the meantime.
The 8220 gang is a Chinese-speaking, Monero-mining threat actor whose command-and-control (C2) servers frequently communicate over port 8220, hence the name. According to Cisco’s Talos Intelligence group, it has been active since 2017, when it attacked corporate systems by exploiting vulnerabilities in Docker and Apache Struts2.
Microsoft says that once the 8220 gang exploits CVE-2022-26134 to gain access to a system, it downloads a loader that modifies system settings to disable security services, installs a cryptominer, establishes persistence on the network, and then scans network ports to find additional servers.
Because the loader clears log files and disables cloud monitoring and security tools, Microsoft advises administrators to enable Defender for Endpoint’s tamper protection settings.
The loader downloads the pwnRig cryptominer (v1.41.9) and an IRC bot that executes commands received from a C2 server. It survives reboots by creating either a cron job or a script, run under nohup (“no hangup”, so it outlives the session that started it), that executes every 60 seconds.
“The loader searches the network for additional SSH servers using the IP port scanner tool ‘masscan’, and then propagates by using the GoLang-based SSH brute force tool ‘spirit’. Additionally, it searches the local disk for SSH keys so that it may connect to known hosts and migrate laterally,” Microsoft says.
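The behaviours in the last few paragraphs (C2 traffic over port 8220, an every-60-seconds cron or nohup persistence job, and masscan/spirit/pwnRig running on the host) are concrete enough to hunt for. The script below is an added example written for this page, not Microsoft’s, Check Point’s or Talos’s tooling; the crontab, process list and connection records it checks are constructed samples, and the tool names, paths and pool address in them are illustrative assumptions rather than indicators published by any of those vendors.

```python
"""Hunt for the 8220-gang behaviours described in the article.

Added example for this page, not vendor tooling. All sample data below is
constructed; file paths, process names and addresses are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed `crontab -l` output. The second line mimics the every-minute
# nohup persistence the article describes; the other entries are benign.
SAMPLE_CRONTAB = """\
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * nohup /tmp/.x/update.sh >/dev/null 2>&1 &
*/5 * * * * /usr/local/bin/backup-check
"""

# Constructed `ps -eo pid,user,comm,args` style output.
SAMPLE_PROCESSES = """\
PID   USER     COMMAND   ARGS
 812  root     sshd      /usr/sbin/sshd -D
2041  nobody   masscan   masscan 10.0.0.0/8 -p22 --rate 5000
2042  nobody   spirit    /tmp/.x/spirit -u root
2050  nobody   pwnrig    /tmp/.x/pwnrig -o pool.example:3333
"""

# Constructed outbound connection records: src_ip,src_port,dst_ip,dst_port,proto
SAMPLE_CONNS = """\
10.0.0.5,51322,203.0.113.9,443,tcp
10.0.0.5,51340,198.51.100.23,8220,tcp
10.0.0.5,51341,10.0.0.7,22,tcp
"""

# Process names the article associates with the group's post-exploitation.
# masscan is also a legitimate tool, so treat a hit as a triage lead, not proof.
SUSPICIOUS_TOOLS = {"masscan", "spirit", "pwnrig"}


@dataclass
class Finding:
    source: str   # "cron", "process" or "network"
    detail: str


def find_cron_persistence(crontab: str) -> list:
    """Flag cron entries scheduled every minute that invoke nohup."""
    findings = []
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)          # 5 schedule fields + command
        if len(fields) < 6:
            continue
        schedule, command = fields[:5], fields[5]
        every_minute = schedule == ["*"] * 5   # "* * * * *" == every 60 seconds
        if every_minute and re.search(r"\bnohup\b", command):
            findings.append(Finding("cron", f"every-minute nohup job: {command}"))
    return findings


def find_suspicious_processes(ps_output: str) -> list:
    """Flag running processes whose command name matches a known tool."""
    findings = []
    for line in ps_output.splitlines()[1:]:   # skip the header row
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, user, comm, args = parts
        if comm.lower() in SUSPICIOUS_TOOLS:
            findings.append(Finding("process", f"pid {pid} ({user}): {args}"))
    return findings


def find_c2_port_connections(conn_log: str, c2_port: int = 8220) -> list:
    """Flag outbound connections to the port the group's C2 servers favour."""
    findings = []
    for line in conn_log.splitlines():
        if not line.strip():
            continue
        src, sport, dst, dport, proto = line.split(",")
        if int(dport) == c2_port:
            findings.append(Finding("network", f"{src}:{sport} -> {dst}:{dport}/{proto}"))
    return findings


def hunt(crontab=SAMPLE_CRONTAB, ps_output=SAMPLE_PROCESSES, conn_log=SAMPLE_CONNS) -> list:
    """Run all three checks and return the combined findings."""
    return (find_cron_persistence(crontab)
            + find_suspicious_processes(ps_output)
            + find_c2_port_connections(conn_log))


if __name__ == "__main__":
    for f in hunt():
        print(f"[{f.source}] {f.detail}")
```

On a real host you would feed `hunt()` the output of `crontab -l` for every user (plus `/etc/cron.d`), a `ps` listing and a connection log from the firewall or a flow collector. Because the loader clears logs and disables monitoring tools, a clean result from on-host checks alone is weak evidence; the network check is the one the attacker cannot erase from the host.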