A long-running cryptomining campaign conducted by 8220 hackers now targets Linux servers

Microsoft spotted a cloud threat actor tracked as 8220 that is now targeting Linux servers in a long-running cryptomining campaign.

Microsoft Security Intelligence experts are warning of a long-running campaign conducted by a cloud threat actor group, tracked as 8220, that is now targeting Linux servers to install crypto miners.

“We observed notable updates to the long-running malware campaign targeting Linux systems by a group known as the 8220 gang.” reads one of the tweets published by Microsoft Security Intelligence “The updates include the deployment of new versions of a cryptominer and an IRC bot, as well the use of an exploit for a recently disclosed vulnerability.”

The 8220 group has been active since at least 2017, it focuses on cryptomining campaigns. The threat actors are Chinese-speaking, the names of the group come for the port number 8220 used by the miner to communicate with the C2 servers.

According to Microsoft researchers, the group has actively updated its techniques and payloads over the last year. In a recent campaign, the group targeted i686 and x86_64 Linux systems and uses RCE exploits for CVE-2022-26134 (Atlassian Confluence) and CVE-2019-2725 (WebLogic) for initial access.

Once gained access to a target system, an evasive loader is downloaded from jira[.]letmaker[.]top. The loader eludes detection by clearing log files and disabling cloud monitoring and security tools.

The loader is used to download the pwnRig crpytominer (v1.41.0) and an IRC bot that runs commands from a C2 server. In orIt maintains persistence by creating either a cronjob or a script that runs every 60 seconds as nohup.

Microsoft urges organizations to secure systems and servers, apply updates, and use good credential hygiene to protect their networks. Microsoft Defender for Endpoint on Linux detects malicious behaviors and payloads related to this campaign.

The IT giant also shared indicators of compromise (IoCs) for this campaign.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, 8220)

[adrotate banner=”5″]

[adrotate banner=”13″]