In July of 2022 we reported on 8220 Gang, one of the many low-skill crimeware gangs we observe infecting cloud hosts through known vulnerabilities and remote access brute forcing infection vectors. We noted that 8220 Gang had expanded its cloud service botnet to an estimated 30,000 hosts globally.
In recent weeks, the group has rotated its attack infrastructure and continued to absorb compromised hosts into its botnet and to distribute cryptocurrency mining malware.
Misconfiguration Key to Infection Attempts
Exploit attempts from 8220 Gang continue at a pace consistent with our previous reporting. The majority of active victims are still operating outdated or misconfigured versions of Docker, Apache, WebLogic, and various Log4J vulnerable services.
8220 Gang identifies targets via scanning for misconfigured or vulnerable hosts on the public internet. Victims are typically using cloud infrastructure such as AWS, Azure and similar with misconfigured instances that allow remote attackers to gain access. Publicly-accessible hosts running Docker, Confluence, Apache WebLogic, and Redis can easily be discovered and attacked with little technical know-how. 8220 Gang is known to make use of SSH brute force attacks post-infection for the purposes of lateral movement inside a compromised network.
The top victims recently communicating as miner bots are exposed Ubiquiti UniFi Cloud Keys running outdated Network Controller software, or Prometheus container monitoring systems. The vulnerabilities exploited are usually far from fresh, such as CVE-2019-2725, the Oracle WebLogic vulnerability exploited to download the installer script (e.g., SHA1 871f38fd4299b4d94731745d8b33ae303dcb9eaa). The objective of the infection attempts continues to be growing the botnet and, where possible, expanding the number of hosts mining cryptocurrency.
8220 Gang Leverages PureCrypter
We have observed 8220 Gang using the PureCrypter Malware-as-a-Service. PureCrypter is a loader service that has been available for a low cost since 2021 and has been observed distributing a large variety of commodity malware. Windows systems targeted by 8220 Gang have been served the PureCrypter downloader through the group’s traditional C2 infrastructure, most commonly 89.34.27[.]167. The downloader then beacons back, following the injector’s image-extension URLs. The use of Discord URLs can also be observed for the download of illicit miners.
One clear example is the miner ee6787636ea66f0ecea9fa2a88f800da806c3ea6 (SHA1) being delivered post-compromise. Its loader, 833cbeb0e748860f41b4f0192502b817a09eff6a (SHA1), beacons to Discord, ultimately beginning cryptomining on the victim host.
It is unsurprising to discover 8220 Gang experimenting with new loaders and miners alongside their traditional exploitation attempts against publicly exposed services. As the threat landscape evolves, we can expect threat actors to seek new methods to thwart defenses, hide their campaigns, and generally attempt to increase attack success. This is simply a new iteration of 8220 Gang attempting to do so.
Since July, 8220 Gang shifted to using 89.34.27[.]167, and then in early September 2022 rotated its infrastructure to 79.110.62[.]23, primarily relying on two previously reported domains
8220 Gang also makes use of a miner proxy at 51.79.175[.]139. Hosts infected with illicit miners will communicate with the proxy as it acts as a pool to combine resources and avoid analysis of their cumulative mining metrics.
Thriving Abuse of Amateur Tooling
As we’ve reported in the past, the scripts, miners, and infrastructure surrounding the campaigns of 8220 Gang stem from the general reuse of known tools; “script kiddies” may be a more industry-appropriate name. Analyzing the tools and vulnerabilities at a high level reveals a much wider set of illicit activity.
For example, GreyNoise data shows how common CVE-2019-2725 crawlers have been over the last 30 days. 8220 Gang and other attackers successfully scan for and exploit similar n-day vulnerabilities. One theory is that these attackers seek out easy-to-compromise systems like these because such systems are unlikely to be remediated quickly, given that they are not even meeting common patching practices. These attackers are operating with success regardless of the state of vulnerability management; one could consider such attacks the bottom feeders of targeting.
The loader script is also incredibly common to observe on publicly accessible hosts and honeypots running common cloud services. The script has evolved greatly even within a single year, with many variants, and it is no longer useful to track it under a single name (e.g., Carbine Loader). For example, searching VirusTotal for any shell scripts containing the go-to uninstall commands for common cloud security tools, plus unique variable names, returns hundreds of recent results. 8220 Gang is only one of many groups abusing the same scripts to keep their botnets alive.
8220 Gang continues its botnet proliferation efforts, rotating to new infrastructure. The group continues to make use of the same mining proxy server, and defenders should investigate any continual traffic to that destination. Additionally, with its experimentation with the PureCrypter MaaS, the group has clearly attempted to evolve its attack efforts. As cloud infrastructure and common publicly accessible services remain vulnerable, we expect 8220 Gang to continue growing into the future.
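To illustrate the "investigate continual traffic to the miner proxy" advice, here is an added detection example (not code from the report or from SentinelOne) that refangs the indicators quoted above and runs them over a constructed flow log in an assumed "timestamp src dst dport bytes" format, flagging sources that contact an indicator repeatedly within a one-hour window:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators quoted in the report, kept defanged ("[.]") as the report writes them.
DEFANGED_IOCS = {
    "89.34.27[.]167": "8220 Gang C2 (July to September 2022)",
    "79.110.62[.]23": "8220 Gang C2 (primary since September 2022)",
    "51.79.175[.]139": "8220 Gang miner proxy",
}

def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 back into a matchable address."""
    return ioc.replace("[.]", ".")

IOCS = {refang(k): v for k, v in DEFANGED_IOCS.items()}

# Constructed sample flow records (not real telemetry), one per line, in the assumed
# format "<ISO timestamp> <src> <dst> <dport> <bytes>". 203.0.113.10 is a benign TEST-NET host.
SAMPLE_FLOWS = """\
2022-09-12T10:00:05 10.0.4.21 51.79.175.139 8080 1820
2022-09-12T10:05:07 10.0.4.21 51.79.175.139 8080 1796
2022-09-12T10:10:09 10.0.4.21 51.79.175.139 8080 1811
2022-09-12T10:15:04 10.0.4.21 51.79.175.139 8080 1790
2022-09-12T10:02:00 10.0.4.21 203.0.113.10 443 5120
2022-09-12T10:03:11 10.0.7.9 79.110.62.23 80 640
2022-09-12T11:30:00 10.0.9.2 51.79.175.139 8080 1801
"""

def match_iocs(flows: str, min_hits: int = 3, window: timedelta = timedelta(hours=1)) -> dict:
    """Map (src, dst) -> {"label", "count", "beaconing"} for every contact with a known
    indicator; "beaconing" is True when min_hits contacts fall inside one window."""
    per_pair = defaultdict(list)
    for line in flows.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records rather than crash on them
        ts, src, dst, _port, _size = fields
        if dst in IOCS:
            per_pair[(src, dst)].append(datetime.fromisoformat(ts))
    results = {}
    for (src, dst), times in per_pair.items():
        times.sort()
        beaconing = False
        for i in range(len(times)):  # sliding window over sorted contact times
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= min_hits:
                beaconing = True
                break
        results[(src, dst)] = {"label": IOCS[dst], "count": len(times), "beaconing": beaconing}
    return results
```

Any hit is worth a look, since the C2 addresses have no legitimate reason to appear in cloud host traffic; the beaconing flag separates the sustained miner-proxy pattern from a single contact.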
Indicators of Compromise
220.127.116.11 (From July into September 2022)
18.104.22.168 (Primary since September 2022)
22.214.171.124 (Miner Proxy)
126.96.36.199 (Miner Proxy)
File Hashes (SHA1)
871f38fd4299b4d94731745d8b33ae303dcb9eaa (CVE-2019-2725 example)