- 8220 Gang has steadily improved its simple, yet powerful, Linux infection scripts to expand a botnet and run illicit cryptocurrency miners.
- The group has made changes to expand the botnet to nearly 30,000 victims globally.
- PwnRig, the IRC Botnet, and the generic infection script are all incredibly simple and used opportunistically in group targeting.
In a blog post, SentinelLabs, the threat research division of SentinelOne, published its findings on a new campaign launched by 8220 Gang. According to the analysis, the criminal group relies on an infection script that serves as the core of the botnet's infection routine. The script is poorly written and usually contains unused or outdated functions, which makes it trivial to track over time.
8220 Gang uses new methods
Also known as 8220 Mining Group, 8220 Gang was first publicly reported by Talos in 2018. The name comes from the group's original use of port 8220 for C2 network communications. Its victims are typically, but not exclusively, users of cloud networks running unprotected and misconfigured Linux applications and services. Cloud infrastructures on AWS, Azure, GCP, Aliyun, and QCloud are often infected via publicly accessible hosts running Docker, Confluence, Apache WebLogic, and Redis.
In the new campaign observed and analyzed by SentinelLabs researchers, the group is using long-running sets of infrastructure, bringing the botnet to approximately 30,000 infected hosts. New tactics have been added to the existing script to expand the botnet, and it appears to be highly effective at infecting targets despite its lack of detection evasion mechanisms. The crimeware group makes use of a new version of the IRC botnet, the PwnRig cryptocurrency miner, and its generic infection script. The script performs the following actions:
- Victim host preparation and cleanup, including the removal of common cloud security tools.
- IRC Botnet malware and miner download/configuration and remediation persistence.
- Tsunami IRC Botnet malware sample validation and connectivity.
- Internal network SSH scanner with lateral spreading capability.
- PwnRig cryptocurrency miner execution.
- Local SSH key collection, connectivity testing, and lateral spreading.
In late June 2022, the group started using a separate file it names "Spirit" to perform SSH brute forcing outside the main script. Spirit contains a list of nearly 450 hardcoded credentials corresponding to a wide range of root usernames and default Linux device and application passwords. To avoid honeypot traps set up by researchers, 8220 Gang uses block lists in the infection script.
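A credential list of that kind leaves a recognisable trace in sshd logs on the hosts it is tried against: a single source failing against many different usernames in a short burst, sometimes followed by a successful password login once a default credential matches. The detector below is an added example, not code from this article or from SentinelLabs. The log lines are constructed, and the thresholds (max_failures, window_seconds) are assumptions to be tuned per environment; for lateral spreading, the source addresses of interest are internal hosts rather than Internet addresses.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (not taken from the article or any real host).
SAMPLE_LOG = """\
Jun 28 10:00:01 web1 sshd[2101]: Failed password for root from 198.51.100.7 port 51234 ssh2
Jun 28 10:00:02 web1 sshd[2102]: Failed password for invalid user admin from 198.51.100.7 port 51235 ssh2
Jun 28 10:00:03 web1 sshd[2103]: Failed password for invalid user oracle from 198.51.100.7 port 51236 ssh2
Jun 28 10:00:04 web1 sshd[2104]: Failed password for invalid user ubuntu from 198.51.100.7 port 51237 ssh2
Jun 28 10:00:05 web1 sshd[2105]: Failed password for invalid user pi from 198.51.100.7 port 51238 ssh2
Jun 28 10:00:06 web1 sshd[2106]: Accepted password for root from 198.51.100.7 port 51239 ssh2
Jun 28 10:03:00 web1 sshd[2110]: Failed password for alice from 203.0.113.5 port 40001 ssh2
Jun 28 10:03:30 web1 sshd[2111]: Accepted publickey for alice from 203.0.113.5 port 40002 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_sshd_log(text):
    """Turn raw syslog text into a list of login events; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            # syslog timestamps carry no year; relative ordering is all we need here
            "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
            "result": m["result"],
            "method": m["method"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_bruteforce(log_text, max_failures=4, window_seconds=60):
    """Return {source_ip: summary} for sources with >= max_failures failed
    logins inside any window_seconds-wide window. The summary records the
    distinct usernames tried and whether a successful login followed the
    failures, which is the pattern a hit on a default-credential list produces."""
    events = parse_sshd_log(log_text)
    failures = defaultdict(list)   # ip -> [(ts, user)]
    successes = defaultdict(list)  # ip -> [(ts, user)]
    for ev in events:
        bucket = failures if ev["result"] == "Failed" else successes
        bucket[ev["ip"]].append((ev["ts"], ev["user"]))

    alerts = {}
    for ip, attempts in failures.items():
        attempts.sort()
        # Sliding window over the sorted failure timestamps: peak failures per window.
        peak, start = 0, 0
        for end in range(len(attempts)):
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < max_failures:
            continue
        last_failure = attempts[-1][0]
        alerts[ip] = {
            "failures": len(attempts),
            "peak_in_window": peak,
            "usernames": sorted({user for _, user in attempts}),
            "success_after_failures": any(ts > last_failure for ts, _ in successes.get(ip, [])),
        }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, summary)
```

On the constructed sample, 198.51.100.7 is flagged (five failures across five usernames in five seconds, then an accepted password for root), while 203.0.113.5 is not, since a single typo followed by a key-based login is ordinary user behaviour. The success-after-failures flag is the one to prioritise: it is the difference between a spray that bounced off and one that found a default credential.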
For this campaign, 8220 Gang uses an updated PwnRig miner, a customized build of XMRig. PwnRig can issue fake mining pool requests to government domains, including Brazil's federal government domain.