Microsoft says it has spotted “notable updates” for malware that targets Linux servers to install cryptominer malware.
Microsoft has cited recent work by the so-called “8220 gang” group, which has recently been spotted exploiting the critical bug affecting Atlassian Confluence Server and Data Center, tracked as CVE-2022-26134.
“The group has been actively updating its techniques and payloads over the past year. The most recent campaign targets i686 and x86_64 Linux systems and uses RCE exploits for CVE-2022-26134 (Confluence) and CVE-2019-2725 (WebLogic) for initial access,” noted Microsoft’s Security Intelligence Center.
“The updates include the deployment of new versions of a cryptominer and an IRC bot, as well as the use of an exploit for a recently revealed vulnerability,” Microsoft warned.
Atlassian disclosed the bug on June 2, and within a week security firm Check Point observed the 8220 gang using it to install malware on Linux systems. The group also targeted Windows systems, using the same Atlassian bug to inject a script into a PowerShell process in memory.
CISA had already ordered federal agencies to patch it by June 6 and, until then, to block all Internet access to the product.
The 8220 gang has been active since 2017, according to Cisco’s Talos Intelligence group, which described it as a Chinese-speaking, Monero-mining threat actor whose C2 servers often communicate over port 8220, hence the name. At that time, the group targeted Apache Struts2 and Docker image vulnerabilities to compromise corporate servers.
According to Microsoft, after gaining initial access through CVE-2022-26134, the 8220 gang downloads a loader to the system that changes configurations to disable security services, downloads a cryptominer, establishes persistence, and then scans ports on the network to find other servers.
Microsoft is warning administrators to enable Defender for Endpoint tamper protection settings because the loader clears log files and disables cloud monitoring and security tools.
The loader downloads the pwnRig cryptominer (v1.41.9) and an IRC bot that executes commands from a C2 server. It survives a reboot by creating scheduled tasks via a cronjob or a script that runs every 60 seconds as a nohup, or “no hangup”, command.
“The loader uses the IP port scanner tool ‘masscan’ to find other SSH servers in the network and then uses the Go-based SSH brute force tool ‘spirit’ to proliferate. It also scans the local disk for SSH keys to move laterally by connecting to known hosts,” explains Microsoft.
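The persistence and lateral-movement behaviour described above (an every-minute cron entry wrapping a nohup'd script, masscan and brute-force tooling on the host) is something a defender can check for in a crontab dump and a process listing. The following is an added example written for this article, not code from Microsoft or any of the reports cited; the crontab lines, command lines and paths are constructed samples, not indicators from the campaign.

```python
import re

# Constructed sample host-audit data (not from the article or any report).
SAMPLE_CRONTAB = [
    "0 3 * * * /usr/bin/logrotate /etc/logrotate.conf",
    "* * * * * nohup /tmp/.hidden/run.sh >/dev/null 2>&1 &",  # constructed
]
SAMPLE_PROCESSES = [
    "/usr/sbin/sshd -D",
    "masscan -p22 10.0.0.0/8 --rate 1000",          # constructed
    "/bin/sh -c nohup /tmp/.hidden/run.sh",         # constructed
]

# A cron schedule of five asterisks fires every minute.
EVERY_MINUTE = re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*\s+(.*)$")
# World-writable staging directories commonly used for dropped scripts.
TMP_PATH = re.compile(r"/(tmp|var/tmp|dev/shm)/")
# Scanner names to flag when seen as a running command (hypothetical list).
SCANNER_NAMES = {"masscan"}


def flag_crontab(lines):
    """Return every-minute cron entries that look like loader persistence."""
    findings = []
    for line in lines:
        match = EVERY_MINUTE.match(line.strip())
        if not match:
            continue
        cmd = match.group(1)
        reasons = []
        if "nohup" in cmd:
            reasons.append("nohup")
        if TMP_PATH.search(cmd):
            reasons.append("temp path")
        if "/dev/null" in cmd:
            reasons.append("output discarded")
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


def flag_processes(cmdlines):
    """Return (cmdline, reason) for scanner tools or nohup'd temp-path scripts."""
    findings = []
    for cmd in cmdlines:
        tool = cmd.split()[0].rsplit("/", 1)[-1]
        if tool in SCANNER_NAMES:
            findings.append((cmd, "port scanner"))
        elif "nohup" in cmd and TMP_PATH.search(cmd):
            findings.append((cmd, "nohup from temp path"))
    return findings
```

Run the two functions over `crontab -l` output and `ps -eo args` output to get the same checks on a live host; a hit is a starting point for triage, not proof of compromise.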