Mining Gang's New Tool: k4spreader
July 2, 2024, 8:50 a.m.
Description
Qianxin describes the discovery and analysis of k4spreader, a new malware installer and spreader tool developed by the 8220 mining gang. k4spreader is written in cgo and implements system persistence, self-updating, and the dropping of other malware such as the Tsunami botnet and the PwnRig miner. The tool is still in early development, with three versions observed so far.
Date
- Created: July 2, 2024, 8:22 a.m.
- Published: July 2, 2024, 8:22 a.m.
- Modified: July 2, 2024, 8:50 a.m.
Indicators