Pierluigi Paganini July 21, 2022

The crimeware group known as 8220 Gang expanded over the last month their Cloud Botnet to roughly 30,000 hosts globally. 

Researchers from SentinelOne reported that low-skill crimeware 8220 Gang has expanded their Cloud Botnet over the last month to roughly 30,000 hosts globally. 

The gang focuses on infecting cloud hosts to deploy cryptocurrency miners by exploiting known vulnerabilities and conducting brute-force attacks.

The 8220 group has been active since at least 2017, the threat actors are Chinese-speaking and the names of the group come from the port number 8220 used by the miner to communicate with the C2 servers.

According to Microsoft researchers, the group has actively updated its techniques and payloads over the last year. In a recent campaign, the group targeted i686 and x86_64 Linux systems and uses RCE exploits for CVE-2022-26134 (Atlassian Confluence) and CVE-2019-2725 (WebLogic) for initial access.

The experts reported that the cryptomining gang used a version of the IRC botnet, PwnRig cryptocurrency miner (PwnRig is a custom version of the open source XMRig miner), and a generic infection script in a recent campaign.

This month, the experts noticed that the number of infected hosts passed from 2000 to around 30,000.

The growth is linked to the increased use of Linux and common cloud application vulnerabilities and poorly secured configurations for services such as Docker, Apache WebLogic, and Redis.

“While the group has operated for years, by mid 2021, the botnet was observed operating with roughly 2000 hosts globally. This month, we observed new campaigns utilizing long-running sets of infrastructure, bringing the botnet numbers up to today’s figure of around 30,000 infected hosts.” reads the post published by the experts. “The infection script acts as the main code for the botnet to operate. Despite its lack of detection evasion or obfuscation, the script appears to be highly effective at infecting targets.”

The infection script is the core component of bot, below is the list of actions it carries out:

1. Victim host preparation and cleanup, including the removal of common cloud security tools.
2. IRC Botnet malware and miner download/configuration and remediation persistence.
3. Tsunami IRC Botnet malware sample validation and connectivity.
4. Internal network SSH scanner with lateral spreading capability.
5. PwnRig cryptocurrency miner execution.
6. Local SSH key collection, connectivity testing, and lateral spreading.

The 8220 Gang selects victims by identifying them through their internet accessibility.

The latest versions of the infection script use block lists to avoid infecting specific hosts, such as researcher honeypots. 

“Over the past few years 8220 Gang has slowly evolved their simple, yet effective, Linux infection scripts to expand a botnet and illicit cryptocurrency miner. From our observations the group has made changes over the recent weeks to expand the botnet to nearly 30,000 victims globally.” concludes the report. “PwnRig, the IRC Botnet, and generic infection script are all incredibly simple and used opportunistically in the groups targeting.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, 8220 Gang)

[adrotate banner=”5″]

[adrotate banner=”13″]