Mining Gang's New Tool: k4spreader

July 2, 2024, 8:50 a.m.

Description

Qianxin describes the discovery and analysis of k4spreader, a new malware installer and spreader tool developed by the 8220 mining gang. k4spreader is written in cgo and implements system persistence, self-updating, and the dropping of other malware such as the Tsunami botnet and the PwnRig miner. The tool is still in early development, with three versions observed so far.

Date

Published: July 2, 2024, 8:22 a.m.
Created: July 2, 2024, 8:22 a.m.
Modified: July 2, 2024, 8:50 a.m.

Indicators

a980b1b0387534da7c9a321f7d450c02087f7a8445fc86b77785da0c510bbaa8

7bade55726a3a6e86d809836d1bc43f4f7702ecde9ceed80a09876c2efeff8d4

31fd924b9a5747befdf61c03b02c90d3c2ba93c8e1a9f798e6dfefe23767e1ae

20d08d27631ae9bab8f3cb7cddd9b35fb75e5bee5764072f77ac3b4513307838

f998aeb84da8b84723ca9fdbdeb565dbc7938bd0a0ce5f0981307b3e24bdf712

0897b1d3e3e453c160bf8d28a041eee3bd29e43a6f063faed7d3cb83a86b88cc

e2c3e81aa24b20ac71147340adc1eaedf077ad00e4a2359e3db47b166cf5411a

0013b356966c3d693b253cdf00c7fdf698890c9b75605be07128cac446904ad9

167.114.114.169

51.255.171.23

185.172.128.146

http://run.sck-dns.cc/sys/index.php

http://run.sck-dns.ws/sys/index.php

http://run.on-demand.pw:8080

http://run.on-demand.pw:80

http://run.on-demand.pw:443

http://fbi.su1001-2.top:8080

http://fbi.su1001-2.top:80

http://fbi.su1001-2.top:443

http://185.172.128.146:443/d.py

http://185.172.128.146:443/bin.64

http://185.172.128.146:443/bi.64

http://185.172.128.146:443/bin

http://185.172.128.146/d.py

Attack Patterns

PwnRig

k4spreader

Tsunami

8220 Mining Gang

T1060

T1197

T1189

T1055

T1140

T1195

T1059