{ "name": "Hadooken and K4Spreader: The 8220 Gang's Latest Arsenal", "slug": "hadooken-and-k4spreader-the-8220-gangs-latest-arsenal", "description": "This analysis uncovers a significant infection chain targeting Windows and Linux systems through Oracle WebLogic vulnerabilities. The attackers, likely the 8220 Gang, exploit CVE-2017-10271 and CVE-2020-14883 to deploy malware including K4Spreader, Tsunami backdoor, and cryptominers. The infection routine differs slightly between Windows and Linux systems but ultimately aims to mine Monero cryptocurrency. The campaign shares many similarities with the previously reported Hadooken case, including attack vectors, payloads, and infrastructure. Victim analysis reveals a focus on cloud environments, particularly in Asia and South America, with 200-250 compromised machines observed. The evolving tactics and global reach of the 8220 Gang highlight their ongoing threat to vulnerable cloud systems.", "published": "2024-10-01T08:08:05+00:00", "created_at": "2024-10-01T08:08:05+00:00", "modified_at": "2024-10-01T08:21:56+00:00", "created_at_opencti": "2024-10-01T08:08:05+00:00", "author": "", "confidence": null, "report_types": [], "labels": [], "tags": [ "2024-10-01", "CVE-2017-10271", "CVE-2020-14883", "botnet", "brazil", "china", "cryptomining", "hadooken", "k4spreader", "pwnrig", "tsunami", "weblogic" ], "related_entities": { "observables": [ { "id": "", "name": "80.78.24.30" }, { "id": "", "name": "77.221.151.174" }, { "id": "", "name": "77.221.149.212" }, { "id": "", "name": "51.222.111.116" }, { "id": "", "name": "157.230.29.135" }, { "id": "", "name": "154.213.192.44" }, { "id": "", "name": "198.199.85.230" }, { "id": "", "name": "64.227.170.227" }, { "id": "", "name": "51.255.171.23" }, { "id": "", "name": "https://app.sekoia.io/intelligence/public/objects/indicator--fcc54a5a-3f13-4849-b48e-5197ab901324" }, { "id": "", "name": "https://app.sekoia.io/intelligence/public/objects/indicator--f428ddd8-c478-4e9e-9ebe-03e99877ecfb" }, { "id": "", "name": "https://app.sekoia.io/intelligence/public/objects/indicator--d618f9e9-321f-4762-a551-c9e8be60750e" }, { "id": "", "name": "https://app.sekoia.io/intelligence/public/objects/indicator--bd31bdad-81aa-4b3d-82ab-8f48d7e2380e" }, { "id": "", "name": "https://app.sekoia.io/intelligence/public/objects/indicator--b67815bd-0b13-4d33-a233-0fe38f4f1105" }, { "id": "", "name": "https://app.sekoia.io/intelligence/public/objects/indicator--b4b3e913-a7e8-45e8-882e-48b3df13f4fe" }, { "id": "", "name": "https://app.sekoia.io/intelligence/public/objects/indicator--ae387077-65ff-4658-9631-af8dc6c12b35" }, { "id": "", "name": "https://app.sekoia.io/intelligence/public/objects/indicator--ad184308-53e5-43e6-9011-dea3090ba3f8" }, { "id": "", "name": "https://app.sekoia.io/intelligence/public/objects/indicator--a88b5a35-3390-4fe2-ba0c-ec1a14de842c" }, { "id": "", "name": "https://app.sekoia.io/intelligence/public/objects/indicator--a32e74b4-3694-4f22-b34e-1514b1dd23d9" }, { "id": "", "name": "https://app.sekoia.io/intelligence/public/objects/indicator--9d2ed385-f34d-448f-9e92-055f8a515f25" }, { "id": "", "name": "https://app.sekoia.io/intelligence/public/objects/indicator--9c694b52-bdb7-42ef-8874-4b343e4ac1c5" }, { "id": "", "name": "https://app.sekoia.io/intelligence/public/objects/indicator--820de26f-69eb-4033-8bb4-87b515445a07" }, { "id": "", "name": "https://app.sekoia.io/intelligence/public/objects/indicator--851e33a8-991c-4c2f-a876-2388812bc941" }, { "id": "", "name": "https://app.sekoia.io/intelligence/public/objects/indicator--7c68157e-f858-46bd-8185-f18b9d46a85a" }, { "id": "", "name": "https://app.sekoia.io/intelligence/public/objects/indicator--69493717-a478-4d03-9f6d-addb61651815" }, { "id": "", "name": "https://app.sekoia.io/intelligence/public/objects/indicator--6a4b9f67-2c11-42e9-9aa9-91f3ecf67307" }, { "id": "", "name": "https://app.sekoia.io/intelligence/public/objects/indicator--66d0b708-53b9-431f-bf73-d0eb1801b48b" }, { "id": "", "name": "https://app.sekoia.io/intelligence/public/objects/indicator--5183d833-9391-42d1-b7fc-cae397867ba1" }, { "id": "", "name": "https://app.sekoia.io/intelligence/public/objects/indicator--64e561ba-90fe-484f-97c1-9fe3cf23601e" }, { "id": "", "name": "https://app.sekoia.io/intelligence/public/objects/indicator--45dc5b6d-e7ee-4b0c-85db-ff6225b98fca" }, { "id": "", "name": "https://app.sekoia.io/intelligence/public/objects/indicator--3fc6a2e9-d67e-4cfa-a694-28572f7cc5de" }, { "id": "", "name": "https://app.sekoia.io/intelligence/public/objects/indicator--30b7c383-00bb-41b7-9c88-48a6b4a85488" }, { "id": "", "name": "https://app.sekoia.io/intelligence/public/objects/indicator--2cf6b8fe-fb64-40d8-bbe5-a25eb0f068cf" }, { "id": "", "name": "https://app.sekoia.io/intelligence/public/objects/indicator--1e9facff-c79a-4ad1-8d6b-4b90a7666519" }, { "id": "", "name": "https://app.sekoia.io/intelligence/public/objects/indicator--0e5acc4f-3df6-4dc0-aae2-f424bd1c3b76" }, { "id": "", "name": "https://app.sekoia.io/intelligence/public/objects/indicator--027af819-1ef0-475d-a2cd-2b43357d554f" }, { "id": "", "name": "https://app.sekoia.io/intelligence/public/objects/indicator--0217a6ba-d55b-436b-81d4-efe9d3279fcb" }, { "id": "", "name": "http://154.213.192.44/y" }, { "id": "", "name": "http://154.213.192.44/m1.xml" }, { "id": "", "name": "http://154.213.192.44/m.xml" }, { "id": "", "name": "http://154.213.192.44/goku" }, { "id": "", "name": "http://154.213.192.44/c" }, { "id": "", "name": "http://154.213.192.44/bin.ps1" }, { "id": "", "name": "http://sck-dns.cc/c" }, { "id": "", "name": "http://51.222.111.116:80" }, { "id": "", "name": "http://154.213.192.44/plugin3.dll" }, { "id": "", "name": "http://154.213.192.44/Ueordwfkay.pdf" }, { "id": "", "name": "irc.bashgo.pw" }, { "id": "", "name": "play.sck-dns.cc" }, { "id": "", "name": "sck-dns.cc" }, { "id": "", "name": "run.on-demand.pw" }, { "id": "", "name": "pwn.oracleservice.top" }, { "id": "", "name": "c4k-ircd.pwndns.pw" }, { "id": "", "name": "f6069886728686c5c6566c0332ba37c16805fb623b6fcbbd1dd2e09ee5cc75b1" }, { "id": "", "name": "e68263fcc9b1f8729bba00f63fb5482f069218333a65cf1b0caa0fe6d7ce1ff3" }, { "id": "", "name": "c964791501a48e919446892fe14ed101c27da375668ac7a24de891dc68356f9b" }, { "id": "", "name": "9a5d68ca481091fbfde4d63087a836412bc8805b9a7cae000bd53899b0399e87" }, { "id": "", "name": "7b229b173b32cde47963de2a6e4bfcf243a8646fbf100fb2e379526b42ee4515" }, { "id": "", "name": "5100dbaf942556184928fc0387fb5aab69dc2ef7e77b29db75905329697f2350" }, { "id": "", "name": "11be73a9516ace88b1a0af52e4454f4bc1db514cc2511b3e02318bd8be2bcf09" }, { "id": "", "name": "10c2913361debb5f1db95c170ce2d6892d598d97b9f1f7f76a8bc7b5053e801a" }, { "id": "", "name": "1fcc2061f767574044ca1e97f92ca1d44ee0b35e0a796e3bd6a949ad4b1175e5" } ], "malware": [ { "id": "legacy:malware:0082b42c588d3516", "name": "Hadooken", "slug": "hadooken" }, { "id": "legacy:malware:b2470e2be432f0f6", "name": "PwnRig", "slug": "pwnrig" }, { "id": "legacy:malware:1a6bfad2bac4c8c8", "name": "K4Spreader", "slug": "k4spreader" }, { "id": "legacy:malware:8ffd9b3543495feb", "name": "Tsunami", "slug": "tsunami" } ], "intrusion_sets": [ { "id": "29f32af1-c06d-43ae-b4f4-14b3ee53eda0", "name": "8220 Gang", "slug": "8220-gang" } ], "attack_patterns": [ { "id": "f65930b0-5581-4f3d-a367-a86ac78f407b", "name": "T1021.004" }, { "id": "444de5e0-bd7f-4700-b700-26320057dd80", "name": "T1110" }, { "id": "f6ceeba2-b50c-47dc-8642-ab9842ca76d7", "name": "T1018" }, { "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f", "name": "T1071.001" }, { "id": "dc17cbbd-40d8-43cf-b3cf-50d1276db2c7", "name": "T1016" }, { "id": "70616b2f-4019-4963-b758-5d9f6f20e201", "name": "T1082" }, { "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571", "name": "T1105" }, { "id": "6d618903-d9f6-4747-aec2-7630f43c1908", "name": "T1496" }, { "id": "af9ed2e3-4663-4723-beab-c606ddc312e0", "name": "T1543" }, { "id": "33962583-7396-47ef-913d-1db78d6685c9", "name": "T1569" }, { "id": "7d7ac733-6442-416f-8669-c302dd0843b9", "name": "T1036" }, { "id": "0c836307-129e-4ff7-a532-180c633cacba", "name": "T1027" }, { "id": "bb20a9e1-f4f6-459d-94f4-470c6867dc2d", "name": "T1053" }, { "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62", "name": "T1190" }, { "id": "b9eab970-53dd-4977-9a26-c4fe566e422d", "name": "T1133" }, { "id": "9f11a241-9abc-4c57-95dd-33955ab08826", "name": "T1078" }, { "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221", "name": "T1059" } ], "vulnerabilities": [ { "id": "", "name": "CVE-2020-14883" }, { "id": "", "name": "CVE-2023-46604" }, { "id": "", "name": "CVE-2017-10271" } ], "others": [ { "id": "", "name": "China" }, { "id": "", "name": "Brazil" }, { "id": "", "name": "Technology" } ] }, "external_refs": [ "https://raw.githubusercontent.com/SEKOIA-IO/Community/refs/heads/main/IOCs/8220Gang/8220_Gang_iocs_20242409.csv", "https://blog.sekoia.io/hadooken-and-k4spreader-the-8220-gangs-latest-arsenal/", "https://otx.alienvault.com/pulse/66fbca06ce8a8a133558de46" ] }