Cloud Botnet of 8220 Group Infected 30,000 Hosts for Cryptocurrency Mining

Written by Emma Davis

SentinelOne researchers report that the cryptomining botnet run by the 8220 group has grown to about 30,000 infected hosts worldwide.

The researchers write that the 8220 group has been active since 2017 and is “one of many low-skilled criminal groups” they monitor continuously. The group typically infects cloud hosts through known, already-patched vulnerabilities and through remote-access vectors such as brute-forced SSH logins.

Let me remind you that we also wrote that law enforcement officers eliminated the Russian botnet RSOCKS, and that the Phorpiex botnet stopped working and its source code is up for sale.

Notably, at the end of 2021 the 8220 group botnet numbered only about 2,000 hosts. The researchers attribute the rapid growth to the group's active attacks on Linux servers, which Microsoft analysts recently warned about, to the exploitation of vulnerabilities in cloud applications, and to the compromise of poorly secured Docker, Oracle WebLogic and Redis installations.

“Among the updates are the deployment of new versions of the crypto miner and IRC bot. The group has been actively improving its tools and payloads over the past year,” Microsoft Security Intelligence experts wrote.

Let me remind you that, according to Microsoft, the group's latest campaign targets Linux systems (i686 and x86_64) and relies on remote code execution exploits for initial access: the recently disclosed Atlassian Confluence vulnerability (CVE-2022-26134) and the older Oracle WebLogic vulnerability (CVE-2019-2725). Both have vendor patches available, so unpatched, internet-facing instances are the entry point.

Besides dropping PwnRig, the group's custom miner built on the well-known open-source XMRig, the attack script also removes security tools from the host and brute-forces SSH logins with a list of about 450 hard-coded credential pairs in order to spread laterally to other hosts on the network.
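A defender's view of that SSH brute-forcing behaviour, as an added example that is not taken from the article, from SentinelOne's report or from the group's tooling: the script below parses sshd syslog lines and flags any source address that produces a burst of password failures across several usernames, escalating the finding when a password login from the same source then succeeds (a credential-list hit). The sample log lines are constructed for the example (RFC 5737 documentation addresses), and the thresholds are assumptions.

```python
"""Detect SSH password brute-force bursts, and any password login that
succeeds right after one, in sshd syslog output.  Added illustration for
this article, not code from SentinelOne or from the 8220 group's tooling.
The thresholds and the sample log are assumptions chosen for the example."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample lines in Debian/Ubuntu /var/log/auth.log format; the
# addresses are RFC 5737 documentation ranges, not real attacker IPs.
SAMPLE_AUTH_LOG = """\
Jul 18 03:12:01 web01 sshd[2011]: Failed password for root from 203.0.113.45 port 51822 ssh2
Jul 18 03:12:02 web01 sshd[2012]: Failed password for invalid user admin from 203.0.113.45 port 51830 ssh2
Jul 18 03:12:03 web01 sshd[2013]: Failed password for invalid user oracle from 203.0.113.45 port 51841 ssh2
Jul 18 03:12:04 web01 sshd[2014]: Failed password for invalid user postgres from 203.0.113.45 port 51850 ssh2
Jul 18 03:12:05 web01 sshd[2015]: Failed password for root from 203.0.113.45 port 51855 ssh2
Jul 18 03:12:06 web01 sshd[2016]: Accepted password for root from 203.0.113.45 port 51860 ssh2
Jul 18 03:12:07 web01 CRON[2020]: pam_unix(cron:session): session opened for user root by (uid=0)
Jul 18 03:40:10 web01 sshd[2201]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Jul 18 03:40:35 web01 sshd[2202]: Accepted publickey for alice from 198.51.100.7 port 40023 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Failed|Accepted)\s(?P<method>password|publickey)\sfor\s"
    r"(?:invalid user\s)?(?P<user>\S+)\sfrom\s(?P<src>\S+)\sport\s\d+"
)


@dataclass
class SshEvent:
    ts: datetime
    result: str   # "Failed" or "Accepted"
    method: str   # "password" or "publickey"
    user: str
    src: str


def parse_auth_log(text: str) -> list:
    """Return the sshd authentication events found in syslog-style text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # cron, sudo and other non-sshd lines are ignored
        # syslog timestamps carry no year; strptime defaults to 1900, which is
        # harmless here because only time differences are used below
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append(SshEvent(ts, m["result"], m["method"], m["user"], m["src"]))
    return events


def detect_ssh_bruteforce(events, max_failures=5, window=timedelta(seconds=60)):
    """Flag each source IP with >= max_failures password failures inside
    `window`; escalate to critical when a password login from that IP
    succeeds after the burst began (the credential-list-hit case)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        fails = [e for e in evs if e.result == "Failed" and e.method == "password"]
        burst_start = None
        lo = 0
        for hi in range(len(fails)):          # sliding window over failures
            while fails[hi].ts - fails[lo].ts > window:
                lo += 1
            if hi - lo + 1 >= max_failures:
                burst_start = fails[lo].ts
                break
        if burst_start is None:
            continue
        compromised = sorted({
            e.user for e in evs
            if e.result == "Accepted" and e.method == "password" and e.ts >= burst_start
        })
        findings.append({
            "src": src,
            "failures": len(fails),
            "distinct_users": sorted({e.user for e in fails}),
            "compromised_users": compromised,
            "severity": "critical" if compromised else "high",
        })
    return findings


if __name__ == "__main__":
    for finding in detect_ssh_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(finding)
```

Fed the real file (`parse_auth_log(open("/var/log/auth.log").read())`), the same two functions report the scanning host, the usernames it tried and whether any password was accepted. A fixed credential list like the one described above shows up exactly this way: many usernames from one source in a few seconds. The hardening the finding points at is to stop accepting passwords over SSH at all (`PasswordAuthentication no` in sshd_config), after which the "critical" branch of this check can never fire.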

Newer versions of the script also carry a blocklist of hosts the malware should not compromise, including known researcher honeypots.

PwnRig itself has also been updated recently: its configuration now uses a fake FBI-themed subdomain whose IP address points to a legitimate Brazilian federal government domain. The bogus pool request is a decoy meant to obscure the real mining pool, so that it is not obvious where the cryptocurrency the attackers “earn” ends up. For analysts, that mismatch is itself a useful indicator: a pool hostname in an XMRig-style configuration should be checked against the address it actually resolves to rather than trusted by name.


About the author

Emma Davis

I'm a writer and content manager (a short time ago I completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
