Cyber Crime

8220 Gang Cloud Botnet infected 30,000 host globally

The crimeware group known as 8220 Gang expanded over the last month their Cloud Botnet to roughly 30,000 hosts globally.

Researchers from SentinelOne reported that low-skill crimeware 8220 Gang has expanded their Cloud Botnet over the last month to roughly 30,000 hosts globally. 

The gang focuses on infecting cloud hosts to deploy cryptocurrency miners by exploiting known vulnerabilities and conducting brute-force attacks.

The 8220 group has been active since at least 2017, the threat actors are Chinese-speaking and the names of the group come from the port number 8220 used by the miner to communicate with the C2 servers.

According to Microsoft researchers, the group has actively updated its techniques and payloads over the last year. In a recent campaign, the group targeted i686 and x86_64 Linux systems and uses RCE exploits for CVE-2022-26134 (Atlassian Confluence) and CVE-2019-2725 (WebLogic) for initial access.

The experts reported that the cryptomining gang used a version of the IRC botnet, PwnRig cryptocurrency miner (PwnRig is a custom version of the open source XMRig miner), and a generic infection script in a recent campaign.

This month, the experts noticed that the number of infected hosts passed from 2000 to around 30,000.

The growth is linked to the increased use of Linux and common cloud application vulnerabilities and poorly secured configurations for services such as Docker, Apache WebLogic, and Redis.

“While the group has operated for years, by mid 2021, the botnet was observed operating with roughly 2000 hosts globally. This month, we observed new campaigns utilizing long-running sets of infrastructure, bringing the botnet numbers up to today’s figure of around 30,000 infected hosts.” reads the post published by the experts. “The infection script acts as the main code for the botnet to operate. Despite its lack of detection evasion or obfuscation, the script appears to be highly effective at infecting targets.”

The infection script is the core component of bot, below is the list of actions it carries out:

  1. Victim host preparation and cleanup, including the removal of common cloud security tools.
  2. IRC Botnet malware and miner download/configuration and remediation persistence.
  3. Tsunami IRC Botnet malware sample validation and connectivity.
  4. Internal network SSH scanner with lateral spreading capability.
  5. PwnRig cryptocurrency miner execution.
  6. Local SSH key collection, connectivity testing, and lateral spreading.

The 8220 Gang selects victims by identifying them through their internet accessibility.

The latest versions of the infection script use block lists to avoid infecting specific hosts, such as researcher honeypots. 

“Over the past few years 8220 Gang has slowly evolved their simple, yet effective, Linux infection scripts to expand a botnet and illicit cryptocurrency miner. From our observations the group has made changes over the recent weeks to expand the botnet to nearly 30,000 victims globally.” concludes the report. “PwnRig, the IRC Botnet, and generic infection script are all incredibly simple and used opportunistically in the groups targeting.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, 8220 Gang)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

10 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

14 hours ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

19 hours ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

22 hours ago

Finnish police linked APT31 to the 2021 parliament attack

The Finnish Police attributed the attack against the parliament that occurred in March 2021 to…

1 day ago

TheMoon bot infected 40,000 devices in January and February

A new variant of TheMoon malware infected thousands of outdated small office and home office…

2 days ago

This website uses cookies.