Mining Gang's New Tool: k4spreader
July 2, 2024, 8:50 a.m.
Description
Qianxin describes the discovery and analysis of k4spreader, a new malware installer and spreader tool developed by the 8220 mining gang. k4spreader is written in cgo and implements system persistence, self-updating, and dropping of other malware such as the Tsunami botnet and the PwnRig miner. The tool is still in early development, with three versions observed so far.
Date
Published: July 2, 2024, 8:22 a.m.
Created: July 2, 2024, 8:22 a.m.
Modified: July 2, 2024, 8:50 a.m.
Indicators
Attack Patterns
PwnRig
k4spreader
Tsunami
8220 Mining Gang
T1060
T1197
T1189
T1055
T1140
T1195
T1059