Microsoft has observed significant updates to the long-running malware campaign targeting Linux systems known as the 8220 gang. The updates in the malware include deployment of new versions of a cryptominer and an IRC bot, as well as exploitation of a recently disclosed vulnerability.
“The group has actively updated its techniques and payloads over the last year. The most recent campaign targets i686 and x86_64 Linux systems and uses RCE exploits for CVE-2022-26134 (Confluence) and CVE-2019-2725 (WebLogic) for initial access,” tweeted Microsoft Security Intelligence.
Atlassian had disclosed the critical vulnerability CVE-2022-26134 on June 2 and within a week, the 8220 gang exploited the Atlassian flaw to install malware on Linux systems. The group also tried to target the Windows systems by injecting a script into a PowerShell memory process using the Atlassian flaw.
How is 8220 gang attacking Linux systems?
- A loader is downloaded from jira[.]letmaker[.]top after initial access. The loader avoids being detected by clearing log files and disabling cloud monitoring and security tools.
- The pwnRig crpytominer (v1.41.0) and an IRC bot are downloaded by the loader. The IRC bot runs commands from a C2 server. It creates either a cronjob or a script that runs every 60 seconds as nohup to maintain persistence.
- Using the IP port scanner tool “masscan”, the loader finds other SSH servers in the network. It then propagates using the GoLang-based SSH brute force tool “spirit”. For moving laterally by connecting to known hosts, it also scans the local disk for SSH keys.
Microsoft says that for protecting Linux networks against this threat, organizations must secure systems and servers, apply updates, and use good credential hygiene. “Microsoft Defender for Endpoint on Linux detects malicious behaviors and payloads related to this campaign. Tamper protection capabilities in Microsoft Defender for Endpoint help protect security settings”, said Microsoft Security Intelligence.
Also read: How MSPs can use Endpoint Detection and Response (EDR) for better security
