8220 Gang Uses Log4Shell Vulnerability to Install CoinMiner

Ahnlab Security Emergency response Center (ASEC) has recently confirmed that the 8220 Gang attack group is using the Log4Shell vulnerability to install CoinMiner in VMware Horizon servers. Among the systems targeted for the attack, there were Korean energy-related companies with unpatched and vulnerable systems, hence being preyed upon by multiple attackers.

Log4Shell (CVE-2021-44228) is both a remote code execution vulnerability and the Java-based logging utility Log4j vulnerability that can remotely execute a Java object in servers that use Log4j by including the remote Java object address in the log message and sending it.

1. 8220 Gang Attack Group

8220 Gang is an attack group that targets vulnerable Windows / Linux systems. Their activities have been observed since 2017. [1] The group has a tendency to install CoinMiner if it finds vulnerable systems.

The group targets not only global systems but also Korean ones. ASEC has introduced a case where the attack group abused the Atlassian Confluence server vulnerability CVE-2022-26134 to attack Korean systems and install CoinMiner.

If the CVE-2022-26134 vulnerability attack succeeds, the following PowerShell command downloads and executes additional PowerShell scripts and ultimately installs XMRig CoinMiner.

Figure 1. PowerShell command discovered from AhnLab log

Fortinet recently revealed a case where 8220 Gang installed ScrubCrypt by exploiting Oracle Weblogic server vulnerabilities. [2] ScrubCrypt is a Crypter developed as .NET and provides a feature to install additional malware.

AhnLab was able to identify the attack case introduced in Fortinet through the AhnLab Smart Defense (ASD) logs. ScrubCrypt installed during the attack process ultimately installs XMRig CoinMiner, which is the final attack goal of 8220 Gang.

Figure 2. PowerShell command log executed by an Oracle Weblogic vulnerability attack

ASEC confirmed that the 8220 Gang group has recently been using Oracle Weblogic vulnerabilities as well as Log4Shell vulnerabilities to download ScrubCrypt. The malware ultimately installed through ScrubCrypt is XMRig CoinMiner, which is identical to previous cases.

2. Log4Shell Attack Log

Ever since its reveal in December 2021, Log4Shell has been used by many attackers. Until recently, it was employed in attacks targeting global and Korean systems that were not patched and vulnerable to attacks.

ASEC has revealed attack cases where the Lazarus group used the vulnerability to spread NukeSped in 2022. The attackers used the log4j vulnerability on VMware Horizon products that were not applied with the security patch. [3] VMware Horizons are virtual desktop solutions, used mainly by companies for remote working solutions and cloud infrastructure operations.

ASEC has confirmed a log where the recently vulnerable ws_tomcatservice.exe process installed the CoinMiner malware.  The final malware installed through this attack process was XMRig CoinMiner, which is the malware used by 8220 Gang. The detailed packet could not be identified, but judging from the attack log where the PowerShell command was executed by VMware Horizon’s ws_tomcatservice.exe process and the 8220 Gang’s tendency to attack unpatched systems using known vulnerabilities, it is likely that the Log4Shell vulnerability mentioned earlier was used for the attack.

Figure 3. PowerShell executed through the ws_tomcatservice.exe process
Figure 4. PowerShell command log confirmed by AhnLab’s ASD infrastructure

3. Analysis of ScrubCrypt and XMRig CoinMiner

Figure 5. Malware process tree

As mentioned in the Fortinet blog shown above, the PowerShell script downloaded and executed by a Log4Shell Vulnerability attack is named “bypass.ps1”. The malware included inside is different, but the name and routine are mostly identical.

Figure 6. bypass.ps1 PowerShell Script

“bypass.ps1” is an obfuscated PowerShell script. You can find the following script by decoding it. The first line is a routine that bypasses AMSI. The script then creates and executes the internally-included malware in the “%TEMP%PhotoShop-Setup-2545.exe” path after decoding it.

Figure 7. Decoded PowerShell routine

“PhotoShop-Setup-2545.exe” is a .NET downloader malware that downloads and decodes encoded data from the following address and injects it in RegAsm.exe.

  • Download URL: hxxp://77.91.84[.]42/Whkpws.png
Figure 8. .Net downloader malware

The malware injected in the RegAsm process and executed is obfuscated, but judging from the similarities to the ScrubCrypt routine introduced in the Fortinet post, it is probably a ScrubCrypt malware type. The ScrubCrypt used for the attack has 3 C&C URLs and 4 port numbers (58001, 58002, 58003, and 58004).

Figure 9. C&C URLs of ScrubCrypt (RegAsm.exe)
C&C URLs of ScrubCrypt (RegAsm.exe)

ScrubCrypt connects to the C&C server and downloads additional commands. A command to install XMRig CoinMiner has been confirmed in the current analysis environment.

Figure 10. PowerShell command that installs XMRig CoinMiner

“deliver1.exex” is an injector malware that is downloaded and executed. It injects a different ScrubCrypt encoded and saved within the internal resources in MSBuild.exe. This ScrubCrypt type has 2 C&C URLs and 4 port numbers (9090, 9091, 9092, and 8444).

Figure 11. C&C URLs of ScrubCrypt (MSBuild.exe)
C&C URLs of ScrubCrypt (MSBuild.exe)
Figure 12. Malware download log confirmed in Fiddler

ScrubCrypt adds the following values to the registry: settings data used when executing XMRig (including the injection target process, mining pool address and wallet address, CoinMiner payload download URL), and encoded data files “plugin_3.dll” and “plugin_4.dll”.

Figure 13. Settings data and encoded files saved in the registry

“plugin_4.dll” is an encoded .NET malware that operates in the memory after being decoded. Its function is to decode “plugin_3.dll” which is the encoded XMRig. It then injects “plugin_3.dll” into the normal process AddInProcess.exe designated in the settings data and executes it with the command line.

Figure 14. Settings data for XMRig Miner injection
  • Mining Pool URL: 174.138.19[.]0:8080
  • Wallet Address: “46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ”
  • Password: “x”

The attacker’s Monero wallet address is identical to the address in the previously revealed Atlassian Confluence server vulnerability attack. It is also identical to the recent Oracle Weblogic server vulnerability attack case posted by Fortinet. The 8220 Gang attack group has consistently been using an identical wallet address.

4. Conclusion

The attack group known as 8220 Gang installs XMRig CoinMiner to mine Monero coins in vulnerable systems that are not patched. There have been cases where the group targeted vulnerable Atlassian Confluence servers. Recently, it has been using the Log4Shell vulnerabilities in VMware Horizon servers.

Administrators must check if their current VMware servers are susceptible and apply the latest patches to prevent vulnerability attacks. They should also use security programs such as firewalls for servers accessible from outside to restrict access by attackers. Finally, caution must be practiced by updating V3 to the latest version to block malware infection in advance.

File Detection
– Downloader/PowerShell.Generic (2023.04.17.02)
– Downloader/PowerShell.Generic (2023.04.17.02)
– Downloader/Win.Agent.R572121 (2023.04.16.01)
– CoinMiner/Win.XMRig.C5411888 (2023.04.16.01)

Behavior Detection
– Execution/MDP.Powershell.M2514


– d63be89106d40f7b22e5c66de6ea5d65 : Oracle Weblogic Exploit PowerShell Downloader (bypass.ps1)
– 2748c76e21f7daa0d41419725af8a134 : Log4Shell PowerShell Downloader (bypass.ps1)
– 851d4ab539030d2ccaea220f8ca35e10 : Dotnet Downloader (PhotoShop-Setup-2545.exe)
– bd0312d048419353d57068f5514240dc : ScrubCrypt for CoinMiner (deliver1.exe)

– hxxp://163.123.142[.]210/bypass.ps1 : Oracle Weblogic Exploit PowerShell Downloader
– hxxp://77.91.84[.]42/bypass.ps1 : Log4Shell PowerShell Downloader
– hxxp://77.91.84[.]42/Whkpws.png : Dotnet Downloader
– hxxp://77.91.84[.]42/deliver1.exe : ScrubCrypt for CoinMiner
– hxxp://77.91.84[.]42/plugin_3.dll : Encoded XMRig
– hxxp://77.91.84[.]42/plugin_4.dll : Encoded Loader

– 179.43.155[.]202 : ScrubCrypt
– su-95.letmaker[.]top : ScrubCrypt
– su95.bpdeliver[.]ru : ScrubCrypt
– 174.138.19[.]0:8080 : XMRig Mining Pool

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

Tagged as:,

0 0 votes
Article Rating
Notify of

Inline Feedbacks
View all comments

[…] by /u/montouesto [link] […]


[…] the 8220 Gang‘s tendency to maneuver realized susceptabilities in unpatched bodies, it is actually […]


[…] the 8220 Gang‘s propensity to manipulate acknowledged susceptabilities in unpatched techniques, this can be […]


[…] the 8220 Gang‘s propensity to manipulate acknowledged susceptabilities in unpatched methods, this can be very […]


[…] the 8220 Gang‘s propensity to manipulate acknowledged susceptabilities in unpatched methods, this can be very […]

7 months ago

[…] the 8220 Gang‘s tendency to exploit known vulnerabilities in unpatched systems, it is highly probable that […]


[…] the 8220 Gang‘s propensity to manipulate acknowledged susceptabilities in unpatched programs, this can be very […]


[…] container environments. Researchers have documented this group targeting Oracle WebLogic, Apache Log4j, Atlassian Confluence vulnerabilities, and misconfigured Docker containers to deploy cryptocurrency […]


[…] container environments. Researchers have documented this group targeting Oracle WebLogic, Apache Log4j, Atlassian Confluence vulnerabilities, and misconfigured Docker containers to deploy cryptocurrency […]