Hadooken and K4Spreader: The 8220 Gang's Latest Arsenal

Oct. 1, 2024, 10:21 a.m.

Description

This analysis uncovers a significant infection chain targeting Windows and Linux systems through Oracle WebLogic vulnerabilities. The attackers, likely the 8220 Gang, exploit CVE-2017-10271 and CVE-2020-14883 to deploy malware including K4Spreader, Tsunami backdoor, and cryptominers. The infection routine differs slightly between Windows and Linux systems but ultimately aims to mine Monero cryptocurrency. The campaign shares many similarities with the previously reported Hadooken case, including attack vectors, payloads, and infrastructure. Victim analysis reveals a focus on cloud environments, particularly in Asia and South America, with 200-250 compromised machines observed. The evolving tactics and global reach of the 8220 Gang highlight their ongoing threat to vulnerable cloud systems.

External References

https://raw.githubusercontent.com/SEKOIA-IO/Community/refs/heads/main/IOCs/8220Gang/8220_Gang_iocs_20242409.csv
https://blog.sekoia.io/hadooken-and-k4spreader-the-8220-gangs-latest-arsenal/
https://otx.alienvault.com/pulse/66fbca06ce8a8a133558de46
Tags
china
botnet
cryptomining
brazil
pwnrig
tsunami
k4spreader
weblogic
hadooken
2024-10-01
CVE-2017-10271
CVE-2020-14883

Date

  • Created: Oct. 1, 2024, 10:08 a.m.
  • Published: Oct. 1, 2024, 10:08 a.m.
  • Modified: Oct. 1, 2024, 10:21 a.m.

Indicators

  • f6069886728686c5c6566c0332ba37c16805fb623b6fcbbd1dd2e09ee5cc75b1
  • e68263fcc9b1f8729bba00f63fb5482f069218333a65cf1b0caa0fe6d7ce1ff3
  • c964791501a48e919446892fe14ed101c27da375668ac7a24de891dc68356f9b
  • 9a5d68ca481091fbfde4d63087a836412bc8805b9a7cae000bd53899b0399e87
  • 7b229b173b32cde47963de2a6e4bfcf243a8646fbf100fb2e379526b42ee4515
  • 5100dbaf942556184928fc0387fb5aab69dc2ef7e77b29db75905329697f2350
  • 11be73a9516ace88b1a0af52e4454f4bc1db514cc2511b3e02318bd8be2bcf09
  • 10c2913361debb5f1db95c170ce2d6892d598d97b9f1f7f76a8bc7b5053e801a
  • 1fcc2061f767574044ca1e97f92ca1d44ee0b35e0a796e3bd6a949ad4b1175e5
  • 80.78.24.30
  • 77.221.151.174
  • 77.221.149.212
  • 51.222.111.116
  • 157.230.29.135
  • 154.213.192.44
  • 198.199.85.230
  • 64.227.170.227
  • 51.255.171.23
  • https://app.sekoia.io/intelligence/public/objects/indicator--fcc54a5a-3f13-4849-b48e-5197ab901324
  • https://app.sekoia.io/intelligence/public/objects/indicator--f428ddd8-c478-4e9e-9ebe-03e99877ecfb
  • https://app.sekoia.io/intelligence/public/objects/indicator--d618f9e9-321f-4762-a551-c9e8be60750e
  • https://app.sekoia.io/intelligence/public/objects/indicator--bd31bdad-81aa-4b3d-82ab-8f48d7e2380e
  • https://app.sekoia.io/intelligence/public/objects/indicator--b67815bd-0b13-4d33-a233-0fe38f4f1105
  • https://app.sekoia.io/intelligence/public/objects/indicator--b4b3e913-a7e8-45e8-882e-48b3df13f4fe
  • https://app.sekoia.io/intelligence/public/objects/indicator--ae387077-65ff-4658-9631-af8dc6c12b35
  • https://app.sekoia.io/intelligence/public/objects/indicator--ad184308-53e5-43e6-9011-dea3090ba3f8
  • https://app.sekoia.io/intelligence/public/objects/indicator--a88b5a35-3390-4fe2-ba0c-ec1a14de842c
  • https://app.sekoia.io/intelligence/public/objects/indicator--a32e74b4-3694-4f22-b34e-1514b1dd23d9
  • https://app.sekoia.io/intelligence/public/objects/indicator--9d2ed385-f34d-448f-9e92-055f8a515f25
  • https://app.sekoia.io/intelligence/public/objects/indicator--9c694b52-bdb7-42ef-8874-4b343e4ac1c5
  • https://app.sekoia.io/intelligence/public/objects/indicator--820de26f-69eb-4033-8bb4-87b515445a07
  • https://app.sekoia.io/intelligence/public/objects/indicator--851e33a8-991c-4c2f-a876-2388812bc941
  • https://app.sekoia.io/intelligence/public/objects/indicator--7c68157e-f858-46bd-8185-f18b9d46a85a
  • https://app.sekoia.io/intelligence/public/objects/indicator--69493717-a478-4d03-9f6d-addb61651815
  • https://app.sekoia.io/intelligence/public/objects/indicator--6a4b9f67-2c11-42e9-9aa9-91f3ecf67307
  • https://app.sekoia.io/intelligence/public/objects/indicator--66d0b708-53b9-431f-bf73-d0eb1801b48b
  • https://app.sekoia.io/intelligence/public/objects/indicator--5183d833-9391-42d1-b7fc-cae397867ba1
  • https://app.sekoia.io/intelligence/public/objects/indicator--64e561ba-90fe-484f-97c1-9fe3cf23601e
  • https://app.sekoia.io/intelligence/public/objects/indicator--45dc5b6d-e7ee-4b0c-85db-ff6225b98fca
  • https://app.sekoia.io/intelligence/public/objects/indicator--3fc6a2e9-d67e-4cfa-a694-28572f7cc5de
  • https://app.sekoia.io/intelligence/public/objects/indicator--30b7c383-00bb-41b7-9c88-48a6b4a85488
  • https://app.sekoia.io/intelligence/public/objects/indicator--2cf6b8fe-fb64-40d8-bbe5-a25eb0f068cf
  • https://app.sekoia.io/intelligence/public/objects/indicator--1e9facff-c79a-4ad1-8d6b-4b90a7666519
  • https://app.sekoia.io/intelligence/public/objects/indicator--0e5acc4f-3df6-4dc0-aae2-f424bd1c3b76
  • https://app.sekoia.io/intelligence/public/objects/indicator--027af819-1ef0-475d-a2cd-2b43357d554f
  • https://app.sekoia.io/intelligence/public/objects/indicator--0217a6ba-d55b-436b-81d4-efe9d3279fcb
  • http://154.213.192.44/y
  • http://154.213.192.44/m1.xml
  • http://154.213.192.44/m.xml
  • http://154.213.192.44/goku
  • http://154.213.192.44/c
  • http://154.213.192.44/bin.ps1
  • http://sck-dns.cc/c
  • http://51.222.111.116:80
  • http://154.213.192.44/plugin3.dll
  • http://154.213.192.44/Ueordwfkay.pdf
  • irc.bashgo.pw
  • play.sck-dns.cc
  • sck-dns.cc
  • run.on-demand.pw
  • pwn.oracleservice.top
  • c4k-ircd.pwndns.pw
Download all indicators here!

Attack Patterns

  • Hadooken
  • PwnRig
  • K4Spreader
  • Tsunami
  • 8220 Gang

Additional Informations

  • Technology
  • China
  • Brazil

Linked vulnerabilities

CVE-2017-10271

None
Published:

CVE-2020-14883

None
Published:

CVE-2023-46604

None
Published: