Mining Gang's New Tool: k4spreader

July 2, 2024, 8:50 a.m.

Description

Qianxin describes the discovery and analysis of k4spreader, a new malware installer and spreader tool developed by the 8220 mining gang. k4spreader is written in cgo and implements system persistence, self-updating, and the dropping of other malware such as the Tsunami botnet and the PwnRig miner. The tool is still in early development, with three versions observed so far.

Date

Published: July 2, 2024, 8:22 a.m.

Created: July 2, 2024, 8:22 a.m.

Modified: July 2, 2024, 8:50 a.m.

Indicators


Attack Patterns

PwnRig

k4spreader

Tsunami

8220 Mining Gang

T1060

T1197

T1189

T1055

T1140

T1195

T1059