Microsoft Security Intelligence Center is warning Linux users that a popular malware that is used to target the platform has received “notable updates.” The malware in question targets Linux servers and installs cryptomining malware onto systems.
In a blog post, Microsoft's security team says the “8220 gang” threat group has been using the malware recently. Specifically, to exploit a vulnerability in the Atlassian Confluence Server and Data Center. The bug at the center of this attack is tracked as CVE-2022-26134.
8220 gang has spent the last year updating its malware payloads and deployment techniques. Microsoft says the latest campaign shows more sophisticated attacks targeting the i686 and x86_64 Linux systems using the RCE exploits for the Atlassian Confluence flaw to access victims.
“The updates include the deployment of new versions of a cryptominer and an IRC bot, as well the use of an exploit for a recently disclosed vulnerability,” Microsoft warns.
We observed notable updates to the long-running malware campaign targeting Linux systems by a group known as the 8220 gang. The updates include the deployment of new versions of a cryptominer and an IRC bot, as well the use of an exploit for a recently disclosed vulnerability.
— Microsoft Security Intelligence (@MsftSecIntel) June 29, 2022
Spreading Threat
The Atlassian bug has been known about since June 2 when the company disclosed it. A week later it emerged the 8220 gang was already exploiting the vulnerability to target malware to Linux systems. Windows was also part of the attacks, with the exploit being used to place the script into PowerShell memory processes.
Once the threat actor has access by using the CVE-2022-26134 exploit, it installs a loader on the system that makes changes to configurations and shuts down security. It also places a cryptominer, generated a persistence on the affected network, and starts looking for other servers on the network to infect.
“The loader uses the IP port scanner tool “masscan” to find other SSH servers in the network, and then uses the GoLang-based SSH brute force tool “spirit” to propagate. It also scans the local disk for SSH keys to move laterally by connecting to known hosts,” Microsoft explains.
Tip of the day: For the most part, Windows apps are stable, but they can still be still thrown out of whack by updates or configuration issues. Many boot their PC to find their Microsoft Store isn't working or their Windows apps aren't opening. Luckily Windows 11 and Windows 10 have an automatic repair feature for apps that can resolve such issues.