This analysis uncovers a significant infection chain targeting Windows and Linux systems through Oracle WebLogic vulnerabilities. The attackers, likely the 8220 Gang, exploit CVE-2017-10271 and CVE-2020-14883 to deploy malware including K4Spreader, Tsunami backdoor, and cryptominers. The infection routine differs slightly between Windows and Linux systems but ultimately aims to mine Monero cryptocurrency. The campaign shares many similarities with the previously reported Hadooken case, including attack vectors, payloads, and infrastructure. Victim analysis reveals a focus on cloud environments, particularly in Asia and South America, with 200-250 compromised machines observed. The evolving tactics and global reach of the 8220 Gang highlight their ongoing threat to vulnerable cloud systems.
Author: AlienVault
Related Tags:
cve-2017-10271
weblogic
Hadooken
PwnRig
Tsunami
k4spreader
T1021.004
China
T1133
Associated Indicators: