A group of cloud threat actors tracked as 8220 has updated its malware toolkit to hack Linux servers with the goal of installing crypto miners as part of a long-running campaign.
“The updates include the deployment of new versions of the crypto miner and the IRC bot,” Microsoft Security Intelligence said in a series of tweets on Thursday.
8220, active since early 2017, is a Chinese-speaking, Monero-mining threat actor, so named because of its preference for communicating with Command and Control (C2) servers over port 8220. It is also the developer of a tool called whatMiner, which has been acquired by the Rocke cybercrime group for use in their attacks.
In July 2019, the Alibaba Cloud Security team revealed a further shift in adversary tactics, citing its use of rootkits to hide mining software. Two years later, the gang resurfaced with variants of the Tsunami IRC botnet and the “PwnRig” agent.
Now, according to Microsoft, the latest campaign targeting i686 and x86_64 Linux systems has been observed weaponizing remote code execution flaws in Atlassian Confluence Server (CVE-2022-26134) and Oracle WebLogic (CVE-2019-2725) for initial access.
This step is followed by retrieving a malware loader from a remote server that is designed to drop the PwnRig miner and the IRC bot, but not before taking steps to evade detection by clearing log files and disabling cloud monitoring and security software.