
Microsoft Security Intelligence Center Warns Linux-Targeting Malware Is Now More Powerful

Microsoft Security Intelligence Center says improved malware is targeting Linux systems through an Atlassian Confluence bug exploit.


Microsoft's Security Intelligence Center is warning Linux users that a malware family commonly used to target the platform has received “notable updates.” The malware in question targets servers and installs cryptomining software on compromised systems.

In a blog post, Microsoft's security team says the “8220 gang” threat group has recently been using the malware to exploit a vulnerability in Atlassian Confluence Server and Data Center. The bug at the center of this attack is tracked as CVE-2022-26134.

8220 gang has spent the last year updating its malware payloads and deployment techniques. Microsoft says the latest campaign shows more sophisticated attacks targeting i686 and x86_64 Linux systems, using the remote code execution (RCE) exploit for the Atlassian Confluence flaw to gain initial access to victims.

“The updates include the deployment of new versions of a cryptominer and an IRC bot, as well as the use of an exploit for a recently disclosed vulnerability,” Microsoft warns.

Spreading Threat

The Atlassian bug has been publicly known since June 2, when the company disclosed it. A week later it emerged that the 8220 gang was already exploiting the vulnerability to deliver malware to Linux systems. Windows was also part of the attacks, with the exploit being used to load the script into PowerShell memory processes.

Once the threat actor has access via the CVE-2022-26134 exploit, it installs a loader on the system that changes configurations and shuts down security tooling. It also drops a cryptominer, establishes persistence on the affected network, and starts looking for other servers on the network to infect.

“The loader uses the IP port scanner tool “masscan” to find other SSH servers in the network, and then uses the GoLang-based SSH brute force tool “spirit” to propagate. It also scans the local disk for SSH keys to move laterally by connecting to known hosts,” Microsoft explains.
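An added detection example, not code from Microsoft or this article: a Python parser over constructed sshd log lines that flags the password-guessing bursts an SSH brute-force tool of the kind described above would leave on a neighbouring host, and records whether a login from that source succeeded afterwards. The sample log lines, the threshold, the window and the field names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines in syslog format (not taken from the article).
SAMPLE_AUTH_LOG = """\
Jun 10 08:14:01 web01 sshd[2211]: Failed password for root from 10.0.5.17 port 50122 ssh2
Jun 10 08:14:02 web01 sshd[2213]: Failed password for invalid user admin from 10.0.5.17 port 50130 ssh2
Jun 10 08:14:02 web01 sshd[2215]: Failed password for invalid user ubuntu from 10.0.5.17 port 50141 ssh2
Jun 10 08:14:03 web01 sshd[2217]: Failed password for root from 10.0.5.17 port 50152 ssh2
Jun 10 08:14:05 web01 sshd[2219]: Accepted password for root from 10.0.5.17 port 50160 ssh2
Jun 10 08:20:11 web01 sshd[2301]: Failed password for alice from 192.168.1.40 port 41000 ssh2
Jun 10 08:20:30 web01 sshd[2303]: Accepted publickey for alice from 192.168.1.40 port 41001 ssh2
"""

# Matches both "Failed"/"Accepted" outcomes and the "invalid user" variant of sshd messages.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse_ts(ts):
    # Classic syslog lines carry no year; a fixed year (assumption) is enough for ordering.
    return datetime.strptime("2022 " + ts, "%Y %b %d %H:%M:%S")

def detect_ssh_bruteforce(log_text, threshold=3, window_s=60):
    """Return {ip: info} for sources with >= threshold failed logins inside window_s seconds.
    info lists the distinct usernames tried and whether that source later logged in."""
    failures = defaultdict(list)   # ip -> [(timestamp, user)]
    accepted = defaultdict(list)   # ip -> [(timestamp, user)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd message, skip
        ts = parse_ts(m["ts"])
        (failures if m["result"] == "Failed" else accepted)[m["ip"]].append((ts, m["user"]))
    findings = {}
    for ip, events in failures.items():
        events.sort()
        for i in range(len(events) - threshold + 1):
            first_ts = events[i][0]
            burst = [e for e in events[i:] if (e[0] - first_ts).total_seconds() <= window_s]
            if len(burst) >= threshold:
                last_ts = burst[-1][0]
                findings[ip] = {
                    "attempts": len(burst),
                    "users": sorted({u for _, u in burst}),
                    "success_after": any(t >= last_ts for t, _ in accepted.get(ip, [])),
                }
                break
    return findings
```

On the sample data the only finding is 10.0.5.17, with four attempts across three usernames followed by a successful password login, which is the pattern worth alerting on before the infected host reaches the rest of the network.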


Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.
