8220 Gang of Cryptojackers Exploit Log4Shell to Mint Coins

ASEC researchers confirmed that the 8220 Gang attack group has been exploiting the Log4Shell vulnerability to install CoinMiner in VMware Horizon servers. This attack specifically targets unpatched and vulnerable systems of Korean energy-related companies, leaving them susceptible to multiple attackers.

Diving into details

A log revealed that the ws_tomcatservice.exe process, which was recently found to be vulnerable, installed the CoinMiner malware.?

• Although the detailed packet was not identified, the attack log indicates that the PowerShell command was executed through VMware Horizon's ws_tomcatservice.exe process.?
• Considering the?8220 Gang's tendency to exploit known vulnerabilities in unpatched systems, it is highly probable that it used the previously mentioned Log4Shell vulnerability for this attack.
• The group, furthermore, targets vulnerable systems using Oracle Weblogic vulnerabilities to download ScrubCrypt that connects to C&C servers to download additional commands, including the installation of?XMRig CoinMiner.

8220 Gang in the recent past

Between January and February, the 8220 Gang was found targeting Oracle Weblogic server vulnerabilities using?ScrubCrypt?to avoid detection and carry out mining attacks.

• The gang uses a PowerShell script to download ScrubCrypt and establish persistence by making edits to the registry entries.
• In February, it upgraded its attack techniques to launch sophisticated cryptomining attacks by exploiting vulnerabilities in Linux and cloud apps.
• The group used the?‘onacroner’?script for the first time and consistently changed its C2 IP addresses to avoid detection.

The bottom line

8220 Gang has been installing XMRig CoinMiner to extract Monero coins from unpatched systems. To avoid such attacks, system administrators are advised to verify whether their existing VMware servers are susceptible and apply the latest patches. Additionally, they should use security software such as firewalls for servers that can be accessed externally to limit attackers' entry. Lastly, they should exercise caution by updating V3 to the most recent version to block malware infection ahead of time.