Hadooken and K4Spreader: The 8220 Gang's Latest Arsenal
Essential information
- Published
- 01/10/2024 10:08
- Modified
- 01/10/2024 10:21
- Tags
- 2024-10-01 CVE-2017-10271 CVE-2020-14883 botnet brazil china cryptomining hadooken k4spreader pwnrig tsunami weblogic
- Related entities
- 3 vulnerabilities (cve), 62 observables, 1 intrusion set (apt), 17 techniques (mitre), 4 malware, 3 others
Description
This analysis uncovers a significant infection chain targeting Windows and Linux systems through Oracle WebLogic vulnerabilities. The attackers, likely the 8220 Gang, exploit CVE-2017-10271 (unauthenticated remote code execution via XMLDecoder deserialization in the WLS Security component) and CVE-2020-14883 (remote code execution through the WebLogic administration console) to deploy malware including the K4Spreader loader, the Tsunami backdoor, and cryptominers. The infection routine differs slightly between Windows and Linux hosts but in both cases ultimately aims to mine Monero. The campaign shares many similarities with the previously reported Hadooken case, including attack vectors, payloads, and infrastructure. Victim analysis reveals a focus on cloud environments, particularly in Asia and South America, with 200 to 250 compromised machines observed. The evolving tactics and global reach of the 8220 Gang highlight the ongoing threat to internet-exposed, unpatched WebLogic instances in cloud deployments.