{
  "name": "Mining Gang's New Tool: k4spreader",
  "slug": "mining-gangs-new-tool-k4spreader",
  "description": "Qianxin XLab describes the discovery and analysis of k4spreader, a new malware installer and spreader tool attributed to the 8220 mining gang. k4spreader is written in cgo and implements system persistence (including systemd service units), self-updating, and dropping of additional payloads such as the Tsunami botnet and the PwnRig miner. The tool is still in early development, with three versions observed so far. Note: the observables below also list generic systemd unit names (syslog.target, network.target, multi-user.target, network-online.target) that appear to stem from the persistence analysis rather than being indicators in their own right; they should not be used as detection terms on their own.",
  "published": "2024-07-02T06:22:11+00:00",
  "created_at": "2024-07-02T06:22:11+00:00",
  "modified_at": "2024-07-02T06:50:28+00:00",
  "created_at_opencti": "2024-07-02T06:22:11+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-07-02",
    "botnet",
    "k4spreader",
    "mining",
    "pwnrig",
    "spreader",
    "tsunami"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "167.114.114.169"
      },
      {
        "id": "",
        "name": "51.255.171.23"
      },
      {
        "id": "",
        "name": "185.172.128.146"
      },
      {
        "id": "",
        "name": "http://run.sck-dns.cc/sys/index.php"
      },
      {
        "id": "",
        "name": "http://run.sck-dns.ws/sys/index.php"
      },
      {
        "id": "",
        "name": "http://run.on-demand.pw:8080"
      },
      {
        "id": "",
        "name": "http://run.on-demand.pw:80"
      },
      {
        "id": "",
        "name": "http://run.on-demand.pw:443"
      },
      {
        "id": "",
        "name": "http://fbi.su1001-2.top:8080"
      },
      {
        "id": "",
        "name": "http://fbi.su1001-2.top:80"
      },
      {
        "id": "",
        "name": "http://fbi.su1001-2.top:443"
      },
      {
        "id": "",
        "name": "http://185.172.128.146:443/d.py"
      },
      {
        "id": "",
        "name": "http://185.172.128.146:443/bin.64"
      },
      {
        "id": "",
        "name": "http://185.172.128.146:443/bi.64"
      },
      {
        "id": "",
        "name": "http://185.172.128.146:443/bin"
      },
      {
        "id": "",
        "name": "http://185.172.128.146/d.py"
      },
      {
        "id": "",
        "name": "run.sck-dns.ws"
      },
      {
        "id": "",
        "name": "run.sck-dns.cc"
      },
      {
        "id": "",
        "name": "run.on-demand.pw"
      },
      {
        "id": "",
        "name": "pwn.oracleservice.top"
      },
      {
        "id": "",
        "name": "dw.c4kdeliver.top"
      },
      {
        "id": "",
        "name": "c4k-ircd.pwndns.pw"
      },
      {
        "id": "",
        "name": "syslog.target"
      },
      {
        "id": "",
        "name": "network.target"
      },
      {
        "id": "",
        "name": "multi-user.target"
      },
      {
        "id": "",
        "name": "network-online.target"
      },
      {
        "id": "",
        "name": "fbi.su1001-2.top"
      },
      {
        "id": "",
        "name": "a980b1b0387534da7c9a321f7d450c02087f7a8445fc86b77785da0c510bbaa8"
      },
      {
        "id": "",
        "name": "7bade55726a3a6e86d809836d1bc43f4f7702ecde9ceed80a09876c2efeff8d4"
      },
      {
        "id": "",
        "name": "31fd924b9a5747befdf61c03b02c90d3c2ba93c8e1a9f798e6dfefe23767e1ae"
      },
      {
        "id": "",
        "name": "20d08d27631ae9bab8f3cb7cddd9b35fb75e5bee5764072f77ac3b4513307838"
      },
      {
        "id": "",
        "name": "f998aeb84da8b84723ca9fdbdeb565dbc7938bd0a0ce5f0981307b3e24bdf712"
      },
      {
        "id": "",
        "name": "0897b1d3e3e453c160bf8d28a041eee3bd29e43a6f063faed7d3cb83a86b88cc"
      },
      {
        "id": "",
        "name": "e2c3e81aa24b20ac71147340adc1eaedf077ad00e4a2359e3db47b166cf5411a"
      },
      {
        "id": "",
        "name": "0013b356966c3d693b253cdf00c7fdf698890c9b75605be07128cac446904ad9"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:b2470e2be432f0f6",
        "name": "PwnRig",
        "slug": "pwnrig"
      },
      {
        "id": "legacy:malware:1a6bfad2bac4c8c8",
        "name": "k4spreader",
        "slug": "k4spreader"
      },
      {
        "id": "legacy:malware:8ffd9b3543495feb",
        "name": "Tsunami",
        "slug": "tsunami"
      }
    ],
    "intrusion_sets": [
      {
        "id": "eb6404f2-5ede-4b35-a41f-8e167ca0ee32",
        "name": "8220 Mining Gang",
        "slug": "8220-mining-gang"
      }
    ],
    "attack_patterns": [
      {
        "id": "f90b00e3-95b7-432f-b163-6a9a2102e598",
        "name": "T1060"
      },
      {
        "id": "6c54bb5e-b90c-478e-b1fb-705daf1869b3",
        "name": "T1197"
      },
      {
        "id": "fe6f2946-a01e-460c-9636-8c48b45dd0e6",
        "name": "T1189"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "358e04b8-6f65-48b2-a24b-f101bfc6671a",
        "name": "T1195"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ]
  },
  "external_refs": [
    "https://blog.xlab.qianxin.com/8220-k4spreader-new-tool-en/",
    "https://otx.alienvault.com/pulse/6683b8b3d2bafff519c4d24e"
  ]
}