Cryptomining gang 8220 exploits Linux and cloud app vulnerabilities.

The gang that has been active since 2017 is considered low-skilled and focuses on infecting AWS, Azure, GCP, Alitun and QCloud hosts after targeting publicly available systems running vulnerable versions of Apache, Confluence, Docker and Redis.

This gang leverages Pastebin sites, Git repositories and malicious Docker images. The group targets Drupal, Hadoop YARN and Apache Struts2.

How they infect your system:

• Using malicious shell scripts masquerading as JPEG files with the name "logo*.jpg" that install cron jobs and download and execute miners.
• The use of variants of the open-source miner XMRig intended for botnet mining, with versions dependent on the victim's architecture.
• Scanning for and attempting to exploit recently published vulnerabilities in servers such as Apache Struts2, Oracle WebLogic and Drupal.
• Malicious scripts and malware hosted on Pastebin sites, Git repositories and domains with .tk TLDs.
• Tools such as XHide Process Faker, which can hide or change the name of Linux processes and PyInstaller, which can convert Python scripts into executables.

The Chinese gang has successfully expanded their botnet to 30.000 hosts globally making use of a new version of the IRC botnet, PwnRig cryptocurrency miner and its generic infection script. They focus on mining "Monero", which has lost over 20% of its value over the past six months.

The name 8220 originates from the groups original use of port 8220 for the C2 network communications.

"Victims of 8220 Gang are typically, but not exclusively, users of cloud networks operating vulnerable and misconfigured Linux applications and services. Attacks make use of SSH brute forcing post-infection to automate local and global spreading attempts. Victims using cloud infrastructure (AWS, Azure, GCP,  Aliyun, QCloud) are often infected via publicly accessible hosts running Docker, Confluence, Apache WebLogic, and Redis. Victims are not targeted geographically, but simply identified by their internet accessibility." Sentinel One writes.

The group uses a separate and dedicated file "Spirit" for the management of the SSH brute forcing step, which contains 450 hardcoded credentials corresponding to a broad range of Linux devices and apps.

Plus they make use of block lists in the script to exclude specific hosts from infections, mostly honeypots that have been set up by security researchers.

The only way to stay safe is to always keep your systems up-to-date and configured in a secure and correct way. Remember to take snapshots / backups of critical systems.