Imperva Detects Undocumented 8220 Gang Activities | Imperva

Imperva Threat Research has detected previously undocumented activity from the 8220 gang, which is known for the mass deployment of malware using a variety of continuously evolving TTPs. This threat actor has been known to target both Windows and Linux web servers with cryptojacking malware. 

In this blog, we will detail recent activity, attack vectors used by the group, and share the indicators of compromise (IoCs) from the group’s most recent and previously unknown campaigns. Imperva customers are protected against this group’s known activities. All organizations should maintain up-to-date patches and security.

History

The 8220 gang, widely believed to be of Chinese origin, was first identified by Cisco Talos in 2017 targeting Drupal, Hadoop YARN, and Apache Struts2 applications to propagate cryptojacking malware. Since then, various other researchers have provided updates on the evolving tactics, techniques and procedures (TTPs) leveraged by the group, including exploitation of Confluence and Log4j vulnerabilities. Most recently, Trend Micro disclosed evidence of the group leveraging the Oracle WebLogic vulnerability CVE-2017-3506 to infect targeted systems. 

Evolving TTPs

As well as the recently disclosed use of CVE-2021-44228 and CVE-2017-3506, Imperva Threat Research observed the group’s attempted exploitation of CVE-2020-14883, a Remote Code Execution vulnerability in Oracle WebLogic Server, to propagate malware.

This vulnerability allows remote authenticated attackers to execute code using a gadget chain and is commonly chained with CVE-2020-14882 (an authentication bypass vulnerability also affecting Oracle Weblogic Server) or the use of leaked, stolen, or weak credentials. Exploitation of these vulnerabilities is well documented. Therefore, it is easy to modify for the purposes of malware deployment. The 8220 gang uses two different gadget chains: one enables the loading of an XML file, which then contains a call to the other and enables execution of commands on the OS.

Process Builder XML

The group uses different variations of the supplied XML depending on the target OS:

Process Builder XML Variations

The command used to target Linux hosts attempts to download one of a set of second phase files using a variety of different methods: cURL, wget, lwp-download and python urllib (base64 encoded), as well as a custom bash function that is also base64 encoded.

Linux command control script

Decoded base64: calls to python 2 and 3 urllib:

Decoded base64: calls to python 2 and 3 urllib

Custom bash download function:

Custom bash download function

On Windows a simple PowerShell WebClient command is used to execute a downloaded PowerShell script:

PowerShell WebClient command

In another variation of the attack, the group uses a different gadget chain to execute Java code without the requirement of an externally hosted XML file.

com.tangosol.coherence.mvel2.sh.ShellSession gadget chain

The injected Java code first evaluates whether the OS is Windows or Linux, and then executes the appropriate command strings, which are identical to the ones already outlined above.

Java code evaluating whether the OS is Windows or Linux

From here, the downloaded files are executed, infecting the exploited hosts with known AgentTesla, rhajk and nasqa malware variants, shown in the VirusTotal screenshots below.

AgentTesla, rhajk and nasqa malware variants

Screenshot 2023 12 11 at 9.04.14 AM

AgentTesla, rhajk and nasqa malware variants (third example)

The chain of infection using CVE-2020-14883:

Chain of infection using CVE-2020-14883:

Activity Trends

The following graph shows recent activity attributed to the 8220 gang, all of which was mitigated by Imperva Cloud WAF. The group appears to be opportunistic when selecting their targets, with no clear trend in country or industry. Imperva Threat Research observed the group attacking healthcare, telecommunications, and financial services targets in the United States, South Africa, Spain, Columbia, and Mexico. The 8220 gang appears to use custom tools written in Python to launch their attack campaigns, and the attacking IPs—located in the US, Mexico and Russia—are associated with known hosting companies.

Recently mitigated 8220 Gang activity

Imperva Mitigation

At the time of writing, Imperva Cloud WAF and on-prem WAF mitigates all of the web vulnerabilities known to be leveraged by the 8220 gang for their malicious activities. Recent vulnerabilities detected by Imperva and leveraged by the group include:

Conclusion

The 8220 gang, a widely recognized threat actor driven by financial motives, has been under scrutiny by various research teams since 2017. The group relies on simple, publicly available exploits to target well-known vulnerabilities and exploit easy targets to achieve their objectives. While considered unsophisticated, they are constantly evolving their tactics and techniques to evade detection. 

Throughout our investigation, we observed that attributing attacks to this group was relatively straightforward due to their consistent use of easily traceable IoCs and TTPs, frequently reusing the same IP addresses, web servers, payloads, and attack tools. 

Despite the group’s lack of sophistication, it remains critical for enterprises to promptly patch their applications and implement multiple layers of security measures to safeguard against falling victim to such groups. Imperva Threat Research will maintain its vigilance in monitoring the activities of this and other threat actors, and ensuring security for our customers.

Latest 8220 gang IoCs

URLs

8220 gang IoCs - URLs

Source IPs

8220 gang IoCs - Source IPs

Malicious file hashes

8220 gang malicious hash files used

Source: https://www.imperva.com/blog/imperva-detects-undocumented-8220-gang-activities/