Hackers Using k4spreader Tool To Install DDoS Botnet And Miners
A brand new ELF malware tool named k4spreader, written in cgo by the Chinese "8220" (Water Sigbin) mining gang, was discovered in June 2024.
Packed with a modified UPX packer, k4spreader installs other malware, including the Tsunami DDoS botnet and the PwnRig cryptominer.
Three variants of the tool have been observed; it has persistence, self-update and installation functions and is likely still under development.
It has been spreading by exploiting CVE-2020-14882 (Oracle WebLogic) and the JBoss AS and Hadoop YARN REST API remote code execution bugs that Xlab tracks as JBoss_AS_3456_RCE and YARN_API_RCE. Passive DNS analysis revealed that the C&C servers linked to k4spreader also handle traffic from other "8220" shell scripts and mining pools, which accounts for their high volume of activity.
The most active C&C servers are dw.c4kdeliver.top (290,000 hits), speed.sck-dns.ws (230,000 hits) and a third server (220,000 hits).
K4spreader uses its modified UPX packer to evade static antivirus detection, persists and updates itself, and drops the Tsunami and PwnRig payloads.
The latest version (v3) strengthens its evasion by adding logging and runtime port detection; each version has been more functionally complex than the last, so k4spreader is clearly still evolving.
Xlab's analysis describes three methods for persisting across reboots. The first modifies the user's bash startup file (.bash_profile) so that it copies a program (klibsystem4) into a system directory (/bin/klibsystem4) and then executes it.
The second creates a System V init script (/etc/init.d/knlib) that copies klibsystem4 and runs it in the background, and the third creates a systemd unit file (/etc/systemd/system/knlibe.service) that does the same as the init script.
In the updated version, every occurrence of "knlib" and "klibsystem4" in these three methods is replaced with "dpkg-deb-kit".
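The three persistence locations above are cheap to audit. The script below is an added example (not Xlab's or the malware's code): it reads a host's bash startup files, /etc/init.d and /etc/systemd/system, and flags anything that references the artifact names from the write-up (klibsystem4, knlib, knlibe, dpkg-deb-kit). The generic "login script copies a binary into /bin" heuristic and the sample file set are assumptions constructed for the demo, not indicators from the report.

```python
"""Audit a Linux host for the three k4spreader persistence mechanisms:
a bash startup file that copies a binary into /bin and runs it, a System V
init script, and a systemd unit. Added example, not Xlab's or the malware's
code. Artifact names come from the write-up; the copy-into-/bin heuristic
and SAMPLE_FILES are constructed for the demo."""
import re
from pathlib import Path

# Names used by the analysed versions, plus the rename in the updated build.
IOC_NAMES = ("klibsystem4", "knlib", "dpkg-deb-kit")
STARTUP_FILES = (".bash_profile", ".bashrc", ".profile")
# Generic heuristic (assumption): a login script has no business copying
# binaries into /bin, whatever they are called.
COPY_INTO_BIN = re.compile(r"\bcp\s+\S+\s+/bin/\S+")


def audit_persistence(files):
    """files maps path -> text content. Returns sorted (path, reason) pairs."""
    findings = []
    for path, text in files.items():
        p = Path(path)
        hit = next((n for n in IOC_NAMES if n in text or n in p.name), None)
        if p.name in STARTUP_FILES:
            if hit:
                findings.append((path, f"startup file references {hit}"))
            elif COPY_INTO_BIN.search(text):
                findings.append((path, "startup file copies a binary into /bin"))
        elif p.parent == Path("/etc/init.d") and hit:
            findings.append((path, f"init script references {hit}"))
        elif p.suffix == ".service" and str(p.parent) == "/etc/systemd/system" and hit:
            findings.append((path, f"systemd unit references {hit}"))
    return sorted(findings)


def collect_files(root="/"):
    """Read the locations the malware touches on a live (or mounted) host."""
    root = Path(root)
    candidates = list((root / "etc/init.d").glob("*"))
    candidates += (root / "etc/systemd/system").glob("*.service")
    for home in [root / "root", *(root / "home").glob("*")]:
        candidates += (home / name for name in STARTUP_FILES)
    files = {}
    for c in candidates:
        try:
            files["/" + str(c.relative_to(root))] = c.read_text(errors="replace")
        except OSError:
            pass  # missing file, directory, or unreadable: skip
    return files


SAMPLE_FILES = {  # constructed for the demo
    "/root/.bash_profile": "cp /tmp/klibsystem4 /bin/klibsystem4 && /bin/klibsystem4 &\n",
    "/home/dev/.bashrc": "alias ll='ls -la'\nexport EDITOR=vim\n",
    "/home/dev/.profile": "cp /var/tmp/x /bin/x && /bin/x\n",
    "/etc/init.d/knlib": "#!/bin/sh\ncp /tmp/klibsystem4 /bin/klibsystem4\n/bin/klibsystem4 &\n",
    "/etc/systemd/system/knlibe.service": "[Service]\nExecStart=/bin/klibsystem4\n"
                                          "[Install]\nWantedBy=multi-user.target\n",
    "/etc/systemd/system/dpkg-deb-kit.service": "[Service]\nExecStart=/bin/dpkg-deb-kit\n",
    "/etc/systemd/system/ssh.service": "[Service]\nExecStart=/usr/sbin/sshd -D\n",
}

if __name__ == "__main__":
    import sys
    # With a path argument, audit that root (e.g. a mounted disk image).
    source = collect_files(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FILES
    for path, reason in audit_persistence(source):
        print(f"{path}: {reason}")
```

Run it without arguments to see the five constructed hits (the benign .bashrc and ssh.service are not reported); pass a mount point to audit a real root. Because the updated build renames its artifacts, the generic copy-into-/bin rule is what catches the .profile entry that carries none of the known names.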
As a dropper, k4spreader hides malicious programs such as the Tsunami botnet and the PwnRig miner inside its own binary: the embedded files are stored in a built-in ELF table and released at runtime by the k4spreader_utils_ExecuteEmbeddedBin() function.
The table layout makes it easy to add further payloads in future. Tsunami (bi.64) is an IRC bot used for DDoS attacks, while PwnRig (bin.64) is a Monero cryptominer; the "8220" gang's use of this dropper technique has been observed since May 2021.
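From the analyst's side, an embedded ELF table means the payloads can be carved straight out of the unpacked dropper. The code below is an added example, not Xlab's or the malware's: it walks a byte buffer for ELF64 magic, sizes each image from its section header table (or, if sections were stripped, from the file extent of its program headers), and returns the offsets. The container it builds for the demo is constructed and holds no real payload; the names bi.64 and bin.64 are only used as labels.

```python
"""Carve embedded ELF64 images out of a dropper. Added example, not Xlab's or
the malware's code; it relies only on the standard ELF64 header layouts. The
sample container is constructed for the demo and holds no real payload."""
import struct

ELF_MAGIC = b"\x7fELF"
# e_ident, e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
# e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
EHDR64 = struct.Struct("<16sHHIQQQIHHHHHH")
# p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
PHDR64 = struct.Struct("<IIQQQQQQ")


def elf64_size(blob, off):
    """Size of the little-endian ELF64 image at off, or None if the header is
    not sane. Uses the end of the section header table (linkers put it last);
    if sections were stripped, falls back to the file extent of the segments."""
    if off + EHDR64.size > len(blob):
        return None
    f = EHDR64.unpack_from(blob, off)
    ident = f[0]
    if ident[:4] != ELF_MAGIC or ident[4] != 2 or ident[5] != 1:
        return None  # not ELFCLASS64 / ELFDATA2LSB
    e_phoff, e_shoff = f[5], f[6]
    e_phentsize, e_phnum, e_shentsize, e_shnum = f[9], f[10], f[11], f[12]
    end = e_shoff + e_shentsize * e_shnum if e_shnum else 0
    if not end:  # section table stripped: take the furthest segment byte
        for i in range(e_phnum):
            at = off + e_phoff + i * e_phentsize
            if at + PHDR64.size > len(blob):
                return None
            _, _, p_offset, _, _, p_filesz, _, _ = PHDR64.unpack_from(blob, at)
            end = max(end, p_offset + p_filesz)
    if end < EHDR64.size or off + end > len(blob):
        return None
    return end


def carve_embedded_elfs(blob):
    """Return (offset, size, e_type) for every ELF64 image found past offset 0."""
    found = []
    off = blob.find(ELF_MAGIC, 1)
    while off != -1:
        size = elf64_size(blob, off)
        if size:
            found.append((off, size, EHDR64.unpack_from(blob, off)[1]))
            off = blob.find(ELF_MAGIC, off + size)  # skip past this image
        else:
            off = blob.find(ELF_MAGIC, off + 1)     # stray magic bytes
    return found


def make_fake_elf(e_type, body_len, stripped=False):
    """Constructed minimal ELF64: header, one PT_LOAD segment covering the
    file, a zero body, and (unless stripped) two empty section headers last."""
    phoff = EHDR64.size
    body_off = phoff + PHDR64.size
    filesz = body_off + body_len
    shnum = 0 if stripped else 2
    shoff = 0 if stripped else filesz
    ident = ELF_MAGIC + bytes([2, 1, 1]) + bytes(9)  # ELFCLASS64, LSB, v1
    hdr = EHDR64.pack(ident, e_type, 62, 1, 0x400000, phoff, shoff, 0,
                      EHDR64.size, PHDR64.size, 1, 64, shnum, 0)
    phdr = PHDR64.pack(1, 5, 0, 0x400000, 0x400000, filesz, filesz, 0x1000)
    return hdr + phdr + bytes(body_len) + bytes(64 * shnum)


def build_sample_dropper():
    """Constructed container: an outer image followed by name + payload
    pairs standing in for the dropper's table (labels from the write-up)."""
    outer = make_fake_elf(2, 16)
    tsunami = make_fake_elf(2, 100)                # "bi.64" stand-in
    pwnrig = make_fake_elf(3, 40, stripped=True)   # "bin.64" stand-in
    return outer + b"bi.64\x00" + tsunami + b"bin.64\x00" + pwnrig


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dropper()
    for off, size, e_type in carve_embedded_elfs(data):
        print(f"embedded ELF at 0x{off:x}, {size} bytes, e_type={e_type}")
```

Run it on the unpacked image, not on the packed sample: a modified UPX header normally makes stock `upx -d` refuse the file, so dump the process image from memory or repair the header first. The demo returns the two constructed payloads at offsets 270 and 625; on a real sample, write each `blob[off:off+size]` slice to disk and hash it.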
It also acts as a defense-evasion tool: it disables the firewall and flushes iptables rules, clears the ld.so.preload file, removes cron jobs containing specific keywords, kills competing processes by PID or name, and logs its operational status.
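Those teardown steps are short-lived commands, so process auditing is the place to catch them. The detector below is an added example (not Xlab's or the malware's code) that parses auditd `type=EXECVE` records, decodes the hex-encoded arguments auditd emits for anything containing spaces or quotes, and labels the firewall, ld.so.preload and cron actions described above. The record lines are constructed for the demo; the rule set is an assumption, not a published signature.

```python
"""Flag the defense-evasion commands listed above in auditd EXECVE records.
Added example, not Xlab's or the malware's code. SAMPLE_RECORDS are
constructed for the demo; as in real auditd output, an argument containing
spaces or quotes is hex-encoded rather than quoted."""
import re

# a0="iptables"   or   a2=6563686F...  (hex when the arg has spaces/quotes)
ARG_RE = re.compile(r'\ba(\d+)=("(?:[^"\\]|\\.)*"|[0-9A-Fa-f]+)')
SHELLS = {"sh", "bash", "dash", "ash"}


def parse_execve(line):
    """argv of one type=EXECVE record, or None for any other record type."""
    if "type=EXECVE" not in line:
        return None
    args = {}
    for idx, raw in ARG_RE.findall(line):
        if raw.startswith('"'):
            args[int(idx)] = raw[1:-1]
        else:
            args[int(idx)] = bytes.fromhex(raw).decode("utf-8", "replace")
    return [args[i] for i in sorted(args)]


def classify(argv):
    """Name the evasion step an argv performs, or None if it looks benign."""
    if not argv:
        return None
    prog = argv[0].rsplit("/", 1)[-1]
    rest = argv[1:]
    if prog in ("iptables", "ip6tables") and ("-F" in rest or "--flush" in rest):
        return "iptables rules flushed"
    if prog == "ufw" and "disable" in rest:
        return "ufw disabled"
    if prog == "systemctl" and rest[:1] in (["stop"], ["disable"]) and "firewalld" in rest:
        return "firewalld stopped/disabled"
    if prog == "crontab" and "-r" in rest:
        return "crontab wiped"
    if "/etc/ld.so.preload" in " ".join(argv) and prog in SHELLS | {"rm", "truncate", "tee"}:
        return "ld.so.preload tampered"
    return None


def hunt(records):
    """(record index, argv, label) for each EXECVE record matching a rule."""
    hits = []
    for i, line in enumerate(records):
        argv = parse_execve(line)
        label = classify(argv) if argv else None
        if label:
            hits.append((i, argv, label))
    return hits


SAMPLE_RECORDS = [  # constructed for the demo
    'type=SYSCALL msg=audit(1718000000.101:501): arch=c000003e syscall=59 success=yes exit=0 comm="iptables"',
    'type=EXECVE msg=audit(1718000000.101:501): argc=2 a0="iptables" a1="-F"',
    'type=EXECVE msg=audit(1718000000.102:502): argc=2 a0="ufw" a1="disable"',
    'type=EXECVE msg=audit(1718000000.103:503): argc=3 a0="sh" a1="-c" a2='
    + b'echo "" > /etc/ld.so.preload'.hex().upper(),
    'type=EXECVE msg=audit(1718000000.104:504): argc=2 a0="crontab" a1="-r"',
    'type=EXECVE msg=audit(1718000000.105:505): argc=3 a0="iptables" a1="-L" a2="-n"',
    'type=EXECVE msg=audit(1718000000.106:506): argc=3 a0="/usr/bin/systemctl" a1="stop" a2="firewalld"',
]

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_RECORDS
    for i, argv, label in hunt(source):
        print(f"record {i}: {label}: {' '.join(argv)}")
```

Feed it `/var/log/audit/audit.log` to run on real data. The process-killing and keyword-based cron removal steps are deliberately not rules here: `kill`/`pkill` and `crontab -l` are too common to alert on without a baseline. Pairing this with a file watch such as `auditctl -w /etc/ld.so.preload -p wa -k preload` also catches truncation done without a shell, which the EXECVE rule alone misses.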
The malware also downloads a shell-script version of itself (a file named 2.gif) from the C2 server at 185.172.128.146 and executes it; the script offers the same functionality as the native k4spreader except that it does not deploy the embedded malicious files.
Source credit : cybersecuritynews.com