AhnLab Security Emergency response Center (ASEC) has recently confirmed that the 8220 Gang attack group is using the Log4Shell vulnerability to install CoinMiner on VMware Horizon servers. Among the systems targeted were Korean energy-related companies running unpatched, vulnerable systems, which left them exposed to multiple attackers.
Log4Shell (CVE-2021-44228) is a remote code execution vulnerability in the Java-based logging utility Log4j. By including the address of a remote Java object in a log message and sending it to a server that uses Log4j, an attacker can have that server fetch and execute the object remotely.
1. 8220 Gang Attack Group
8220 Gang is an attack group that targets vulnerable Windows and Linux systems. Its activities have been observed since 2017. The group tends to install CoinMiner on any vulnerable system it finds.
The group targets not only global systems but also Korean ones. ASEC has introduced a case where the attack group abused the Atlassian Confluence server vulnerability CVE-2022-26134 to attack Korean systems and install CoinMiner.
If the CVE-2022-26134 vulnerability attack succeeds, the following PowerShell command downloads and executes additional PowerShell scripts and ultimately installs XMRig CoinMiner.
Fortinet recently revealed a case where 8220 Gang installed ScrubCrypt by exploiting Oracle WebLogic server vulnerabilities. ScrubCrypt is a crypter developed in .NET that provides a feature for installing additional malware.
AhnLab was able to identify the attack case introduced by Fortinet through AhnLab Smart Defense (ASD) logs. The ScrubCrypt installed during the attack process ultimately installs XMRig CoinMiner, which is the final goal of 8220 Gang's attacks.
ASEC confirmed that the 8220 Gang group has recently been using the Log4Shell vulnerability, in addition to Oracle WebLogic vulnerabilities, to download ScrubCrypt. The malware ultimately installed through ScrubCrypt is XMRig CoinMiner, identical to the previous cases.
2. Log4Shell Attack Log
Ever since it was disclosed in December 2021, Log4Shell has been used by many attackers. It has continued to be employed, up to the present, in attacks on unpatched and vulnerable global and Korean systems.
ASEC has revealed attack cases where the Lazarus group used the vulnerability to spread NukeSped in 2022. The attackers used the Log4j vulnerability on VMware Horizon products to which the security patch had not been applied. VMware Horizon is a virtual desktop solution, used mainly by companies for remote working and cloud infrastructure operations.
ASEC has confirmed a recent log in which the vulnerable ws_tomcatservice.exe process installed the CoinMiner malware. The final malware installed through this attack process was XMRig CoinMiner, the malware used by 8220 Gang. The exploit packet itself could not be identified, but judging from the attack log in which a PowerShell command was executed by VMware Horizon's ws_tomcatservice.exe process, and from 8220 Gang's tendency to attack unpatched systems using known vulnerabilities, it is likely that the Log4Shell vulnerability mentioned above was used for the attack.
3. Analysis of ScrubCrypt and XMRig CoinMiner
As in the Fortinet blog post mentioned above, the PowerShell script downloaded and executed by the Log4Shell vulnerability attack is named "bypass.ps1". The malware embedded inside differs, but the name and routine are mostly identical.
"bypass.ps1" is an obfuscated PowerShell script. Decoding it yields the following script. The first line is a routine that bypasses AMSI. The script then decodes the embedded malware, writes it to the path "%TEMP%\PhotoShop-Setup-2545.exe", and executes it.
"PhotoShop-Setup-2545.exe" is a .NET downloader malware that downloads encoded data from the following address, decodes it, and injects it into RegAsm.exe.
- Download URL: hxxp://77.91.84[.]42/Whkpws.png
The malware injected into the RegAsm process and executed is obfuscated, but judging from its similarities to the ScrubCrypt routine introduced in the Fortinet post, it is most likely a ScrubCrypt variant. The ScrubCrypt used in this attack has 3 C&C URLs and 4 port numbers (58001, 58002, 58003, and 58004).
ScrubCrypt connects to the C&C server and downloads additional commands. A command to install XMRig CoinMiner has been confirmed in the current analysis environment.
"deliver1.exe" is an injector malware that is downloaded and executed next. It injects a different ScrubCrypt sample, stored encoded in its internal resources, into MSBuild.exe. This ScrubCrypt variant has 2 C&C URLs and 4 port numbers (9090, 9091, 9092, and 8444).
ScrubCrypt adds the following values to the registry: settings data used when executing XMRig (including the injection target process, the mining pool and wallet addresses, and the CoinMiner payload download URL), and the encoded data files "plugin_3.dll" and "plugin_4.dll".
"plugin_4.dll" is an encoded .NET malware that operates in memory after being decoded. Its function is to decode "plugin_3.dll", which is the encoded XMRig. It then injects "plugin_3.dll" into the legitimate process AddInProcess.exe designated in the settings data and executes it with a command line using the following settings:
- Mining Pool URL: 174.138.19[.]0:8080
- Wallet Address: “46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ”
- Password: “x”
The attacker’s Monero wallet address is identical to the address in the previously revealed Atlassian Confluence server vulnerability attack. It is also identical to the recent Oracle Weblogic server vulnerability attack case posted by Fortinet. The 8220 Gang attack group has consistently been using an identical wallet address.
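The process lineage (ws_tomcatservice.exe launching PowerShell), the injection hosts (RegAsm.exe, MSBuild.exe, AddInProcess.exe) and the C&C ports and mining pool listed above give a defender enough to write detection logic. The following Python script is an added illustration written for this page, not ASEC's or AhnLab's tooling. It runs simple rules over process-creation and network-connection events shaped like Sysmon event IDs 1 and 3; the event field names, the rule thresholds and the sample events at the bottom are constructed assumptions, while the indicators themselves are taken from the IoC list on this page.

```python
"""Detection heuristics for the Log4Shell -> bypass.ps1 -> ScrubCrypt -> XMRig chain
described above. Added illustration, not ASEC's tooling. Event dicts mimic the fields
of Sysmon process-creation (EID 1) and network-connection (EID 3) events; the sample
events at the bottom are constructed for the demo."""

# Indicators taken from the page (defanging brackets removed so they match real logs).
C2_HOSTS = {"179.43.155.202", "su-95.letmaker.top", "su95.bpdeliver.ru",
            "77.91.84.42", "163.123.142.210"}
C2_PORTS = {58001, 58002, 58003, 58004, 9090, 9091, 9092, 8444}   # both ScrubCrypt variants
MINING_POOL = ("174.138.19.0", 8080)
# Legitimate .NET binaries the chain abuses as injection hosts.
INJECTION_HOSTS = {"regasm.exe", "msbuild.exe", "addinprocess.exe"}
# Horizon's Tomcat service: the process the page observed launching PowerShell.
WEB_SERVICE_PARENTS = {"ws_tomcatservice.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_process(ev: dict) -> list:
    """Rules for a process-creation event with keys image, parent, cmdline."""
    image, parent = basename(ev["image"]), basename(ev["parent"])
    cmd = ev.get("cmdline", "").lower()
    alerts = []
    if parent in WEB_SERVICE_PARENTS and image in SHELLS:
        alerts.append(("high", f"{parent} spawned {image}: post-exploitation of the web service"))
    if image in {"powershell.exe", "pwsh.exe"} and any(
            m in cmd for m in ("-enc", "-encodedcommand", "frombase64string", "bypass.ps1")):
        alerts.append(("medium", "encoded or downloader PowerShell command line"))
    # The .NET downloader is dropped into %TEMP% and then injects into RegAsm.exe.
    if image in INJECTION_HOSTS and "\\temp\\" in ev["parent"].lower():
        alerts.append(("high", f"{image} started by a binary in a temp directory ({ev['parent']})"))
    return alerts


def check_network(ev: dict) -> list:
    """Rules for a network-connection event with keys image, dst, port."""
    image, dst, port = basename(ev["image"]), ev["dst"], int(ev["port"])
    if (dst, port) == MINING_POOL:
        return [("high", f"{image} -> XMRig mining pool {dst}:{port}")]
    if dst in C2_HOSTS or (image in INJECTION_HOSTS and port in C2_PORTS):
        return [("high", f"{image} -> ScrubCrypt C&C {dst}:{port}")]
    if image in INJECTION_HOSTS:
        return [("medium", f"{image} made an outbound connection to {dst}:{port}")]
    return []


def scan(events: list) -> list:
    """Run every event through the matching rule set; returns (severity, message) tuples."""
    alerts = []
    for ev in events:
        alerts.extend(check_process(ev) if ev["type"] == "process" else check_network(ev))
    return alerts


# Constructed sample telemetry modelled on the chain the page describes.
SAMPLE_EVENTS = [
    {"type": "process",
     "parent": r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -enc AAAA..."},   # encoded payload omitted; constructed
    {"type": "process",
     "parent": r"C:\Users\svc\AppData\Local\Temp\PhotoShop-Setup-2545.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", "cmdline": "RegAsm.exe"},
    {"type": "network", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "dst": "su-95.letmaker.top", "port": 58001},
    {"type": "network", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe",
     "dst": "174.138.19.0", "port": 8080},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",     # benign: no alert expected
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad"},
]

if __name__ == "__main__":
    for sev, msg in scan(SAMPLE_EVENTS):
        print(f"[{sev.upper()}] {msg}")
```

On the sample telemetry the script raises four high-severity alerts (web service spawning PowerShell, RegAsm.exe launched from %TEMP%, RegAsm.exe reaching a listed C&C host, AddInProcess.exe reaching the mining pool) and one medium alert for the encoded PowerShell command line, and nothing for the benign notepad event. The host/port indicators age quickly, so the parent-child and injection-host rules are the part worth keeping once the listed infrastructure moves.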
The attack group known as 8220 Gang installs XMRig CoinMiner to mine Monero coins in vulnerable systems that are not patched. There have been cases where the group targeted vulnerable Atlassian Confluence servers. Recently, it has been using the Log4Shell vulnerabilities in VMware Horizon servers.
Administrators must check whether their VMware servers are vulnerable and apply the latest patches to prevent vulnerability attacks. They should also use security programs such as firewalls for servers accessible from outside to restrict access by attackers. Finally, V3 should be updated to the latest version to block malware infection in advance.
– Downloader/PowerShell.Generic (2023.04.17.02)
– Downloader/PowerShell.Generic (2023.04.17.02)
– Downloader/Win.Agent.R572121 (2023.04.16.01)
– CoinMiner/Win.XMRig.C5411888 (2023.04.16.01)
– d63be89106d40f7b22e5c66de6ea5d65 : Oracle Weblogic Exploit PowerShell Downloader (bypass.ps1)
– 2748c76e21f7daa0d41419725af8a134 : Log4Shell PowerShell Downloader (bypass.ps1)
– 851d4ab539030d2ccaea220f8ca35e10 : Dotnet Downloader (PhotoShop-Setup-2545.exe)
– bd0312d048419353d57068f5514240dc : ScrubCrypt for CoinMiner (deliver1.exe)
– hxxp://163.123.142[.]210/bypass.ps1 : Oracle Weblogic Exploit PowerShell Downloader
– hxxp://77.91.84[.]42/bypass.ps1 : Log4Shell PowerShell Downloader
– hxxp://77.91.84[.]42/Whkpws.png : Dotnet Downloader
– hxxp://77.91.84[.]42/deliver1.exe : ScrubCrypt for CoinMiner
– hxxp://77.91.84[.]42/plugin_3.dll : Encoded XMRig
– hxxp://77.91.84[.]42/plugin_4.dll : Encoded Loader
– 179.43.155[.]202 : ScrubCrypt
– su-95.letmaker[.]top : ScrubCrypt
– su95.bpdeliver[.]ru : ScrubCrypt
– 174.138.19[.]0:8080 : XMRig Mining Pool
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.