8220 Gang Crimeware Group: Infects Cloud Hosts and Operates a Botnet and PwnRig Cryptocurrency Miner

8220 Gang, aka 8220 Mining Group, has ramped up activity in the last year, growing the cloud botnet of infected hosts from 2,000 in mid-2021 to 30,000 and counting as of now. In their previous attacks, the threat group focused on leveraging existing vulnerabilities and launching brute-force attacks to compromise cloud servers and drop cryptocurrency miners.

The hackers have initially used port 8220 for C&C – hence the name. There are particular traces of their activity indicating that the adversaries are coming from the Chinese-speaking environment.

Detection

Detect suspicious behavior within your environment that indicates the intrusion of 8220 Gang with a Sigma rule released by our seasoned Threat Bounty developer Emir Erdogan:

Detection OF PwnRig cryptocurrency miner (via process_creation)

The rule is aligned with the MITRE ATT&CK® framework v.10, addressing the Defense Evasion and Impact tactics with Obfuscated Files or Information (T1027) and Resource Hijacking (T1496) as the main techniques.

If you are new to the platform, browse through a vast collection of Sigma rules with relevant threat context, CTI and MITRE ATT&CK references, CVE descriptions, and get updates on threat hunting trends. No registration is required! Press the Explore Threat Context button to learn more. Unlock unlimited access to the world’s first platform for collaborative cyber defense, threat hunting, and discovery that integrates with 26+ SIEM, EDR, and XDR platforms. Hunt for the latest threats, automate threat investigation, and get feedback and vetting by a community of 28,000+ security professionals to boost your security operations. Register by clicking the Detect & Hunt button below.

Detect & Hunt Explore Threat Context

8220 Gang Methods

Researchers from SentinelOne reported that 8220 Gang targets users of cloud networks (AWS, Azure, GCP, Alitun, and QCloud), running poorly configured or unpatched Linux applications and services. Recently, the threat actor has managed to grow their cloud botnet to 30,000 infected hosts worldwide to mine cryptocurrencies. Emerged in 2017 and has been a problem ever since, 8220 Gang members are leveraging a new version of the IRC botnet, PwnRig cryptocurrency miner, and its generic infection script in the current campaign.

The crimeware group is not considered a high-tier threat actor; however, adversaries, probably motivated by the dropping cryptocurrency prices, managed to update their techniques and adopt efficient payloads over the last year. According to the research data, 8220 Gang targets i686 and x86_64 Linux systems, making use of CVE-2022-26134 (Atlassian Confluence) and CVE-2019-2725 (WebLogic) vulnerabilities to gain initial access. The infection script’s most recent iterations employ block lists to prevent infecting particular hosts, such as research honeypots.

Hunting professionally? Share your knowledge with other SOC experts, hunt for threats within 26+ supported SIEM, EDR, and XDR technologies, and see your detection content displayed in SOC Prime’s vast library of rules by joining our Threat Bounty Program.