Microsoft has warned against a malware gang targeting Linux systems and installing crypto-mining malware. Researchers named the attacker 8220 gang and spotted notable updates to the malware campaign, which includes a new variant of cryptominer and an IRC bot.
The 8220 gang
Microsoft has disclosed the recent attacks of the 8220 gang, in which they were found exploiting a critical bug affecting Atlassian Confluence Server and Data Center.
The recent campaign targets i686 and x86_64 Linux systems.
It employs RCE exploits for CVE-2019-2725 (Oracle WebLogic) and CVE-2022-26134 (Atlassian Confluence Server and Data Center) for initial access.
The group has been observed actively updating its techniques and payloads over the last year.
The updates to malware include the deployment of a new crypto-miner version and an IRC bot.
The group was spotted targeting Windows systems via the Atlassian flaw to insert a script into a PowerShell memory process.
After initial access, the backdoor downloads a loader to the system that changes its configurations.
The loader disables security services, downloads a cryptominer, allows persistence on a network, and scans ports to find other servers. They were also seen targeting Apache Struts2 and Docker image vulnerabilities to compromise enterprise servers.
Cybercriminals are known to take advantage of such security flaws for their advantage in their attacks. Security teams must follow a proper patch management program to stay up-to-date and protected.