New Cryptomining Botnet Enslaves 30,000 Cloud Hosts
Written by Karolis Liucveikis on
Crypto miners, namely malware that is designed to mine cryptocurrency using a victim's machine and resources without their knowledge, often fly under the radar in terms of press coverage. They lack the fear ransomware can induce when you and all your work colleagues are locked out of a network or machine and need to pay millions of dollars just to get access back.
However, hackers deploying cryptominers can show the public how quickly the malware can spread and how vulnerable systems can be. These vulnerabilities can always open the door for other more damaging malware families to be deployed.
According to a new blog post published by security firm SentinelOne, a cybercriminal group known as the 8220 Gang, which specializes in dropping cryptominers on cloud instances, has begun a new mining campaign.
At the time of reporting, researchers noted that the gang had expanded its botnet to 30,000 cloud hosts. Researchers noted,
“8220 Gang is one of the many low-skill crimeware gangs we continually observe infecting cloud hosts and operating a botnet and cryptocurrency miners through known vulnerabilities and remote access brute forcing infection vectors. While the group has operated for years, by mid 2021, the botnet was observed operating with roughly 2000 hosts globally. This month, we observed new campaigns utilizing long-running sets of infrastructure, bringing the botnet numbers up to today’s figure of around 30,000 infected hosts.”
The malware used by the gang can be separated into two main components: the cloud infection script and the crypto miner. Researchers determined that the cloud infection script is the main component of the operation but that it lacks the obfuscation or detection evasion typical of more skilled attackers.
That is not to say that the script is ineffective. Quite the contrary, it is highly effective at infecting targets with unpatched vulnerabilities. The entire attack chain has been summarised below:
- Victim host preparation and cleanup, including the removal of common cloud security tools.
- IRC Botnet malware and miner download/configuration and remediation persistence.
- Tsunami IRC Botnet malware sample validation and connectivity.
- Internal network SSH scanner with lateral spreading capability.
- PwnRig cryptocurrency miner execution.
- Local SSH key collection, connectivity testing, and lateral spreading.
Researchers have observed the script being actively worked on, often monthly, over the period the gang has been tracked.
For instance, researchers noted that in June 2022, the group began making use of a separate file they call “Spirit” to manage some of the SSH brute forcing functionality outside of the script.
Spirit contains a list of approximately 450 hardcoded credentials for SSH brute forcing attacks. The list pairs the root username with default Linux device and application passwords.
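As an added illustration (not code from the article or from SentinelOne's report), the following Python detector runs over sshd auth log lines and surfaces the kind of root password brute forcing that Spirit performs, flagging a source that bursts failed password logins and marking it as compromised if an accepted login follows. The log lines are constructed samples, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not taken from the article): an internal host
# hammering root with default passwords and finally getting in, plus benign noise.
SAMPLE_LOG = """\
Jul 18 02:11:01 web1 sshd[2201]: Failed password for root from 10.0.3.17 port 51022 ssh2
Jul 18 02:11:02 web1 sshd[2203]: Failed password for root from 10.0.3.17 port 51024 ssh2
Jul 18 02:11:02 web1 sshd[2205]: Failed password for root from 10.0.3.17 port 51026 ssh2
Jul 18 02:11:03 web1 sshd[2207]: Failed password for root from 10.0.3.17 port 51028 ssh2
Jul 18 02:11:04 web1 sshd[2209]: Failed password for root from 10.0.3.17 port 51030 ssh2
Jul 18 02:11:05 web1 sshd[2211]: Accepted password for root from 10.0.3.17 port 51032 ssh2
Jul 18 02:15:40 web1 sshd[2300]: Failed password for alice from 192.0.2.9 port 40001 ssh2
Jul 18 02:15:55 web1 sshd[2302]: Accepted publickey for alice from 192.0.2.9 port 40003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse(line):
    """Parse one sshd line into a dict, or None if it is not a login event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # syslog timestamps carry no year; assume 2022 (campaign year) purely for ordering
    d["ts"] = datetime.strptime("2022 " + d["ts"], "%Y %b %d %H:%M:%S")
    return d

def find_bruteforce(log_text, threshold=5, window_s=60):
    """Map (ip, user) -> {failures, compromised} for sources reaching `threshold`
    failed password logins inside a sliding `window_s` second window."""
    fails = defaultdict(list)
    alerts = {}
    for ev in filter(None, map(parse, log_text.splitlines())):
        key = (ev["ip"], ev["user"])
        if ev["result"] == "Failed" and ev["method"] == "password":
            # keep only failures that fall inside the window ending at this event
            fails[key] = [t for t in fails[key] + [ev["ts"]]
                          if (ev["ts"] - t).total_seconds() <= window_s]
            if len(fails[key]) >= threshold:
                a = alerts.setdefault(key, {"failures": 0, "compromised": False})
                a["failures"] = max(a["failures"], len(fails[key]))
        elif ev["result"] == "Accepted" and key in alerts:
            alerts[key]["compromised"] = True  # success after a burst: likely a hit
    return alerts
```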
The script was further evolved to include block lists intended to prevent the malware from infecting researcher honeypots used to analyze it.
As for the miner, called PwnRig by the gang, it is a modified version of the popular XMRig used to illegally mine the cryptocurrency Monero. This coin is favored by hackers the world over due to its increased emphasis on privacy.
With governments around the world proving that they can seize Bitcoin, Monero has yet again become a popular alternative. It is not just the coin's privacy features that attract hackers.
XMRig was released as an open source package meaning that anyone can take the code, modify it, and deploy it to mine Monero. It is this ease of access that attracts hackers with little skill and allows them to make some money illegally.
The 8220 Gang
Operations and campaigns involving the gang can be dated back to 2017. The following year Cisco Talos published information regarding what they had discovered about the gang. Researchers noted,
“...8220 Mining Group has also exploited Drupal content management system, Hadoop YARN, Redis, Weblogic and CouchDB. Besides leveraging malicious bash scripts, Git repositories and image sharing services, as in whatMiner, 8220 Mining Group also carried out a long-lasting campaign using malicious Docker images. 8220 Mining Group was able to amass nearly $200,000 worth of Monero through their campaigns.”
Despite being regarded as a low-skill hacking gang, in a single year they were able to earn nearly 200,000 USD, showing why hackers look to deploy crypto mining malware.
Simply put, it is financially rewarding to do so. More recently, in June 2022, the gang was seen exploiting a remote code execution flaw in Atlassian Confluence servers to install miners on vulnerable servers. To exploit this vulnerability the gang performed mass network scans to find vulnerable Windows and Linux endpoints on which to plant miners.
Once a vulnerable server is found, a specially crafted HTTP request exploits CVE-2022-26134, the CVE identifier assigned to the vulnerability, and drops a base64-encoded payload.
The payload then fetches the executable, which aims to establish reboot persistence and uninstall all running agents. The last operation is to activate the miner.
What is interesting about 8220 operations is that the gang does not look to slowly accrue Monero by using as few system resources as possible. Rather, the maximum system resources are put to work mining Monero.
This is done to mine cryptocurrency as fast as possible, at the cost of remaining under the radar and mining for extended periods. Such mining is noisy and results in discernible drops in system performance, making detection easier.
SentinelOne concluded that,
“Over the past few years 8220 Gang has slowly evolved their simple, yet effective, Linux infection scripts to expand a botnet and illicit cryptocurrency miner. From our observations the group has made changes over the recent weeks to expand the botnet to nearly 30,000 victims globally. PwnRig, the IRC Botnet, and generic infection script are all incredibly simple and used opportunistically in the group's targeting.”