Hadooken and K4Spreader: The 8220 Gang's Latest Arsenal

Oct. 1, 2024, 10:21 a.m.

Description

This analysis uncovers a significant infection chain targeting Windows and Linux systems through Oracle WebLogic vulnerabilities. The attackers, likely the 8220 Gang, exploit CVE-2017-10271 and CVE-2020-14883 to deploy malware including K4Spreader, Tsunami backdoor, and cryptominers. The infection routine differs slightly between Windows and Linux systems but ultimately aims to mine Monero cryptocurrency. The campaign shares many similarities with the previously reported Hadooken case, including attack vectors, payloads, and infrastructure. Victim analysis reveals a focus on cloud environments, particularly in Asia and South America, with 200-250 compromised machines observed. The evolving tactics and global reach of the 8220 Gang highlight their ongoing threat to vulnerable cloud systems.

Date

Published: Oct. 1, 2024, 10:08 a.m.
Created: Oct. 1, 2024, 10:08 a.m.
Modified: Oct. 1, 2024, 10:21 a.m.

Indicators


Attack Patterns

Hadooken

PwnRig

K4Spreader

Tsunami

8220 Gang

T1021.004

T1110

T1018

T1071.001

T1016

T1082

T1105

T1496

T1543

T1569

T1036

T1027

T1053

T1190

T1133

T1078

T1059

CVE-2020-14883

CVE-2023-46604

CVE-2017-10271

Additional Information

Technology

China

Brazil