Microsoft warns against encryption malware campaign targeting Linux servers

Linux Malware. The Cloud Threat Actor Group tracked as 8220 has updated its malware toolkit to hack Linux servers with the aim of installing cryptographers as part of a long-term campaign. “Updates include the publication of new versions of the crypto miner and IRC robot,” Microsoft Security Intelligence said in a series of tweets on Thursday. 8220, active since early 2017, is a Chinese-speaking threatening actor, Monero named for his preference to communicate with command and control servers (C2) via port 8220. It is also the developer of a tool called whatMiner, which was acquired by Rocke’s cybercrime group in their attacks.

In July 2019, the Alibaba Cloud Security team revealed an additional shift in opponent tactics, noting its use of hidden roots to hide the mining program. Two years later, the gang reappeared with Tsunami IRC botnet variants and the “PwnRig” factor. Now according to Microsoft, it has been noted that the latest campaign for Linux i686 and x86_64 systems is used as a weapon in the implementation of remote code for Atlassian Confluence Server (CVE-2022-26134) and Oracle WebLogic (CVE-2019-2725) for initial access. This step succeeds by recovering the malware upload tool from a remote server designed to drop PwnRig miner and IRC bot, but not before taking steps to avoid detection by erasing log files and disabling cloud monitoring and security software.