Hadooken and K4Spreader: The 8220 Gang's Latest Arsenal
Oct. 1, 2024, 10:21 a.m.
Description
This analysis uncovers a significant infection chain targeting Windows and Linux systems through Oracle WebLogic vulnerabilities. The attackers, likely the 8220 Gang, exploit CVE-2017-10271 and CVE-2020-14883 to deploy malware including K4Spreader, Tsunami backdoor, and cryptominers. The infection routine differs slightly between Windows and Linux systems but ultimately aims to mine Monero cryptocurrency. The campaign shares many similarities with the previously reported Hadooken case, including attack vectors, payloads, and infrastructure. Victim analysis reveals a focus on cloud environments, particularly in Asia and South America, with 200-250 compromised machines observed. The evolving tactics and global reach of the 8220 Gang highlight their ongoing threat to vulnerable cloud systems.
Date
Published: Oct. 1, 2024, 10:08 a.m.
Created: Oct. 1, 2024, 10:08 a.m.
Modified: Oct. 1, 2024, 10:21 a.m.
Indicators
Attack Patterns
Hadooken
PwnRig
K4Spreader
Tsunami
8220 Gang
T1021.004
T1110
T1018
T1071.001
T1016
T1082
T1105
T1496
T1543
T1569
T1036
T1027
T1053
T1190
T1133
T1078
T1059
CVE-2020-14883
CVE-2023-46604
CVE-2017-10271
Additional Information
Technology
China
Brazil