Over the last month, a crimeware group best known as 8220 Gang has expanded their botnet to roughly 30,000 hosts globally using Linux and common cloud application vulnerabilities and poorly secured configurations.
8220 Gang is one of the many low skill crimeware gangs that are continually observed infecting cloud hosts and operating a botnet and cryptocurrency miners through known vulnerabilities and remote access brute forcing infection vectors. This month, 8220 Gang began new campaigns utilizing long-running sets of infrastructure, bringing the botnet numbers up to today’s figure of around 30,000 infected hosts.
The 8220 Gang uses a core infection script that acts as the main code for the botnet to operate. As depicted in a SentinelOne report on the 8220 Gang, the capabilities of the infection script are as follows:
- Victim host preparation and cleanup, including the removal of common cloud security tools.
- IRC Botnet malware and miner download/configuration and remediation persistence.
- Tsunami IRC Botnet malware sample validation and connectivity.
- Internal network SSH scanner with lateral spreading capability.
- PwnRig cryptocurrency miner execution.
- Local SSH key collection, connectivity testing, and lateral spreading.
The software-turned-malware PwnRig used in this 8220 Gang campaign is a malicious cryptocurrency miner based on the legitimate open-source mining software called XMRig. It attempts to conceal its configuration details and makes use of a mining proxy to prevent the public from monitoring its pool details.
The attacks described in the research by SentinelOne are largely opportunistic in nature. Rather than targeting specific systems, crimeware gangs such as 8220 merely exploit known vulnerabilities in unpatched software exposed to the internet. These types of opportunistic attacks can often be prevented by keeping software up to date and exposing the least possible number of applications to the internet.