{
	"id": "9931e168-cbda-44d5-86a0-7f217819ab67",
	"created_at": "2026-04-06T00:10:19.030957Z",
	"updated_at": "2026-04-10T03:38:19.253829Z",
	"deleted_at": null,
	"sha1_hash": "d6f8a407f5fc83783221d4ce2871324ae459d6c5",
	"title": "8220 Gang Uses Log4Shell Vulnerability to Install CoinMiner - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3154849,
	"plain_text": "8220 Gang Uses Log4Shell Vulnerability to Install CoinMiner - ASEC\r\nBy ATCP\r\nPublished: 2023-04-16 · Archived: 2026-04-02 11:20:09 UTC\r\nAhnLab Security Emergency response Center (ASEC) has recently confirmed that the 8220 Gang attack group is using the Log4Shell vulnerability to install CoinMiner on VMware Horizon servers. Among the systems targeted were Korean energy-related companies running unpatched, vulnerable systems, which were therefore being preyed upon by multiple attackers.\r\nLog4Shell (CVE-2021-44228) is a remote code execution vulnerability in the Java-based logging utility Log4j: an attacker can make a server that uses Log4j load and execute a remote Java object by including the object's address in a log message sent to the server.\r\n1. 8220 Gang Attack Group\r\n8220 Gang is an attack group that targets vulnerable Windows / Linux systems. Their activities have been observed since 2017. [1] The group tends to install CoinMiner on any vulnerable system it finds.\r\nThe group targets not only global systems but also Korean ones. ASEC has introduced a case where the attack group abused the Atlassian Confluence server vulnerability CVE-2022-26134 to attack Korean systems and install CoinMiner.\r\nIf the CVE-2022-26134 vulnerability attack succeeds, the following PowerShell command downloads and executes additional PowerShell scripts and ultimately installs XMRig CoinMiner.\r\nFortinet recently revealed a case where 8220 Gang installed ScrubCrypt by exploiting Oracle WebLogic server vulnerabilities. [2] ScrubCrypt is a crypter developed in .NET that provides a feature to install additional malware.\r\nAhnLab was able to identify the attack case introduced by Fortinet through AhnLab Smart Defense (ASD) logs. The ScrubCrypt installed during the attack process ultimately installs XMRig CoinMiner, which is the final goal of 8220 Gang's attacks.\r\nhttps://asec.ahnlab.com/en/51568/\r\nPage 1 of 7\n\nASEC confirmed that the 8220 Gang group has recently been using Oracle WebLogic vulnerabilities as well as Log4Shell vulnerabilities to download ScrubCrypt. The malware ultimately installed through ScrubCrypt is XMRig CoinMiner, identical to previous cases.\r\n2. Log4Shell Attack Log\r\nEver since its disclosure in December 2021, Log4Shell has been used by many attackers. Until recently, it was employed in attacks targeting global and Korean systems that were not patched and remained vulnerable.\r\nASEC has revealed attack cases where the Lazarus group used the vulnerability to spread NukeSped in 2022. The attackers used the Log4j vulnerability on VMware Horizon products to which the security patch had not been applied. [3] VMware Horizon is a virtual desktop solution, used mainly by companies for remote working and cloud infrastructure operations.\r\nASEC recently confirmed a log in which the vulnerable ws_tomcatservice.exe process installed the CoinMiner malware. The final malware installed through this attack process was XMRig CoinMiner, which is the malware used by 8220 Gang.\r\nThe detailed packet could not be identified, but judging from the attack log, in which the PowerShell command was executed by VMware Horizon’s ws_tomcatservice.exe process, and from 8220 Gang’s tendency to attack unpatched systems using known vulnerabilities, it is likely that the Log4Shell vulnerability mentioned earlier was used for the attack.\r\n3. Analysis of ScrubCrypt and XMRig CoinMiner\r\nAs mentioned in the Fortinet blog referenced above, the PowerShell script downloaded and executed by the Log4Shell vulnerability attack is named “bypass.ps1”. The malware embedded inside is different, but the name and routine are mostly identical.\r\n“bypass.ps1” is an obfuscated PowerShell script. Decoding it yields the following script. The first line is a routine that bypasses AMSI. The script then decodes the internally-embedded malware, writes it to the “%TEMP%PhotoShop-Setup-2545.exe” path, and executes it.\r\n“PhotoShop-Setup-2545.exe” is a .NET downloader malware that downloads and decodes encoded data from the following address and injects it into RegAsm.exe.\r\nDownload URL: hxxp://77.91.84[.]42/Whkpws.png\r\nThe malware injected into the RegAsm process and executed is obfuscated, but judging from its similarities to the ScrubCrypt routine introduced in the Fortinet post, it is probably a ScrubCrypt variant. The ScrubCrypt used for the attack has 3 C\u0026C URLs and 4 port numbers (58001, 58002, 58003, and 58004).\r\n179.43.155[.]202\r\nsu-95.letmaker[.]top\r\nsu95.bpdeliver[.]ru\r\nC\u0026C URLs of ScrubCrypt (RegAsm.exe)\r\nScrubCrypt connects to the C\u0026C server and downloads additional commands. In the current analysis environment, a command to install XMRig CoinMiner was confirmed.\r\n“deliver1.exe” is an injector malware that is downloaded and executed. It injects a different ScrubCrypt sample, stored encoded in its internal resources, into MSBuild.exe. This ScrubCrypt variant has 2 C\u0026C URLs and 4 port numbers (9090, 9091, 9092, and 8444).\r\n179.43.155[.]202\r\nsu95.bpdeliver[.]ru\r\nC\u0026C URLs of ScrubCrypt (MSBuild.exe)\r\nScrubCrypt adds the following values to the registry: settings data used when executing XMRig (including the injection target process, the mining pool address and wallet address, and the CoinMiner payload download URL), and the encoded data files “plugin_3.dll” and “plugin_4.dll”.\r\n“plugin_4.dll” is an encoded .NET malware that operates in memory after being decoded. Its function is to decode “plugin_3.dll”, which is the encoded XMRig. It then injects “plugin_3.dll” into the legitimate process AddInProcess.exe designated in the settings data and executes it with the configured command line.\r\nMining Pool URL: 174.138.19[.]0:8080\r\nWallet Address: “46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGY”\r\nPassword: “x”\r\nThe attacker’s Monero wallet address is identical to the address in the previously revealed Atlassian Confluence server vulnerability attack. It is also identical to the recent Oracle WebLogic server vulnerability attack case posted by Fortinet. The 8220 Gang attack group has consistently been using the same wallet address.\r\n4. Conclusion\r\nThe attack group known as 8220 Gang installs XMRig CoinMiner to mine Monero on vulnerable systems that are not patched. There have been cases where the group targeted vulnerable Atlassian Confluence servers. Recently, it has been using the Log4Shell vulnerability in VMware Horizon servers.\r\nAdministrators must check whether their current VMware servers are susceptible and apply the latest patches to prevent vulnerability attacks. They should also use security programs such as firewalls for servers accessible from outside to restrict access by attackers. Finally, V3 should be updated to the latest version to block malware infection in advance.\r\nFile Detection\r\n– Downloader/PowerShell.Generic (2023.04.17.02)\r\n– Downloader/PowerShell.Generic (2023.04.17.02)\r\n– Downloader/Win.Agent.R572121 (2023.04.16.01)\r\n– CoinMiner/Win.XMRig.C5411888 (2023.04.16.01)\r\nBehavior Detection\r\n– Execution/MDP.Powershell.M2514\r\nMD5\r\n2748c76e21f7daa0d41419725af8a134\r\n851d4ab539030d2ccaea220f8ca35e10\r\nbd0312d048419353d57068f5514240dc\r\nd63be89106d40f7b22e5c66de6ea5d65\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//163[.]123[.]142[.]210/bypass[.]ps1\r\nhttp[:]//174[.]138[.]19[.]0[:]8080/\r\nhttp[:]//77[.]91[.]84[.]42/Whkpws[.]png\r\nhttp[:]//77[.]91[.]84[.]42/bypass[.]ps1\r\nhttp[:]//77[.]91[.]84[.]42/deliver1[.]exe\r\nFQDN\r\nsu-95[.]letmaker[.]top\r\nsu95[.]bpdeliver[.]ru\r\nSource: https://asec.ahnlab.com/en/51568/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/51568/"
	],
	"report_names": [
		"51568"
	],
	"threat_actors": [
		{
			"id": "0b8ea9bb-b729-438a-ae1f-4240db936fd7",
			"created_at": "2023-06-23T02:04:34.839947Z",
			"updated_at": "2026-04-10T02:00:04.99239Z",
			"deleted_at": null,
			"main_name": "8220 Gang",
			"aliases": [
				"8220 Mining Group",
				"Returned Libra",
				"Water Sigbin"
			],
			"source_name": "ETDA:8220 Gang",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "942c5fbc-31df-4aef-8268-e3ccf6692ec8",
			"created_at": "2024-07-09T02:00:04.434476Z",
			"updated_at": "2026-04-10T02:00:03.671196Z",
			"deleted_at": null,
			"main_name": "Water Sigbin",
			"aliases": [
				"8220 Gang"
			],
			"source_name": "MISPGALAXY:Water Sigbin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434219,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d6f8a407f5fc83783221d4ce2871324ae459d6c5.pdf",
		"text": "https://archive.orkl.eu/d6f8a407f5fc83783221d4ce2871324ae459d6c5.txt",
		"img": "https://archive.orkl.eu/d6f8a407f5fc83783221d4ce2871324ae459d6c5.jpg"
	}
}