Bitcoin Forum
Author Topic: 8220 Gang uses botnet of around 30000 hosts to mine crypto  (Read 186 times)
PawGo (OP)
Legendary
July 26, 2022, 10:05:21 AM
Merited by vapourminer (1)
 #1

The 8220 Mining Group was first publicly reported in 2018. The name 8220 Gang comes from the group's original use of port 8220 for C2 network communications.
Over the last month the crimeware group has expanded its botnet to roughly 30,000 hosts globally through the use of Linux and common cloud application vulnerabilities and poorly secured configurations. In a recent campaign, the group was observed making use of a new version of the IRC botnet, the PwnRig cryptocurrency miner (a custom version of the open source XMRig miner), and its generic infection script.

Some more data: https://www.sentinelone.com/blog/from-the-front-lines-8220-gang-massively-expands-cloud-botnet-to-30000-infected-hosts/
LoyceMobile
Hero Member
July 26, 2022, 10:12:47 AM
 #2

I was always under the impression that the DDoS botnets used millions of infected computers. Compared to that, I'm surprised this number is quite low.
I did the math recently on a Xeon server, and it should be able to mine just over a dollar per month. Still good business if you have 30,000 computers wasting electricity without paying for it.

NeuroticFish
Legendary
July 26, 2022, 10:34:18 AM
 #3

Quote from: LoyceMobile
I did the math recently on a Xeon server, and it should be able to mine just over a dollar per month. Still good business if you have 30000 computers wasting electricity without paying for it.

Well, $30k per month is not that bad, after all.
And yeah, the number looks rather low; maybe the report didn't want to show overly big unverified numbers, especially as some of those computers most probably don't stay up 24/7 (however, since I do expect the numbers to be much bigger, I've done the math with those 30k computers running 24/7).

I've been preaching this for many years: no matter what OS one is using, there must be tools you can keep in the tray that show the CPU usage (I use that on both Windows and Linux). If one sees abnormally big and constant CPU usage, that must be investigated. Unfortunately few do that, and few know how to look for that...

Betwrong
Legendary
July 26, 2022, 10:44:09 AM
Merited by vapourminer (1)
 #4

Is it possible to know whether or not your computer was infected? Also, what damage can be done to botnet participants by 8220 Gang, apart from using their CPU power? I mean, if it's just a small percentage, can someone be exploited for years without knowing about it? Also, have I understood it correctly that only Linux platforms are affected?

Sorry if those are stupid questions, I'm far from being an expert in this field, but I feel like I'd rather have some answers.

PawGo (OP)
Legendary
July 26, 2022, 10:48:35 AM
Merited by vapourminer (2), Betwrong (2), ABCbits (1), Pmalek (1)
 #5

Quote from: Betwrong
Is it possible to know whether or not your computer was infected? Also, what damage can be done to botnet participants by 8220 Gang, apart from using their CPU power? I mean, if it's just a small percentage, can someone be exploited for years, without knowing about it? Also, have I understood it correctly that only Linux platforms are affected?

I suppose it should be visible in the list of running processes.
I did not investigate that kind of attack, but I will; maybe there is some information on how to detect potentially suspicious behavior. For example, do they use 100% of the machine or maybe just 1 core, to stay quiet (many systems notify the admin when the load is high for a long period of time)?

I think a good firewall configuration would be the first and basic step to avoid problems.
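A worked illustration of the detection idea raised in #3 and #5: watch per-process CPU over time, measured against one core so that a miner pinned to a single core does not vanish into the system-wide average, and cross-check any long-running hog against outbound connections to port 8220, the C2 port named in the opening post. This is an added example, not code from the thread or from the SentinelOne report. The process names, addresses, and minute-by-minute samples are constructed; on a real host the snapshots would come from `ps`/`top` and the connection list from `ss -tnp`.

```python
"""Constructed example: flag processes that pin a CPU core for a long stretch,
then correlate them with outbound connections to a watched C2 port (8220)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class CpuSample:
    ts: int         # seconds; one snapshot per minute in the constructed data
    pid: int
    comm: str
    cpu_pct: float  # percent of ONE core, the way `top`/`ps` report it


@dataclass(frozen=True)
class Conn:
    pid: int
    remote_ip: str
    remote_port: int


def sustained_cpu_hogs(samples: Iterable[CpuSample],
                       threshold: float = 85.0,
                       min_seconds: int = 600) -> Dict[int, Tuple[str, int]]:
    """Return {pid: (comm, longest_run_seconds)} for processes that stayed at or
    above `threshold` percent of a core for at least `min_seconds` without a dip.

    Measuring per process against one core matters: a miner pinned to a single
    core on an 8-core box shows as ~12% in a system-wide graph but 100% here.
    """
    by_pid: Dict[int, List[CpuSample]] = defaultdict(list)
    for s in samples:
        by_pid[s.pid].append(s)

    hogs: Dict[int, Tuple[str, int]] = {}
    for pid, rows in by_pid.items():
        rows.sort(key=lambda r: r.ts)
        run_start = None   # ts at which the current above-threshold run began
        longest = 0
        for r in rows:
            if r.cpu_pct >= threshold:
                if run_start is None:
                    run_start = r.ts
                longest = max(longest, r.ts - run_start)
            else:
                run_start = None
        if longest >= min_seconds:
            hogs[pid] = (rows[0].comm, longest)
    return hogs


def hogs_talking_to_c2_ports(hogs: Dict[int, Tuple[str, int]],
                             conns: Iterable[Conn],
                             c2_ports: Iterable[int] = (8220,)) -> List[Tuple[int, str, int]]:
    """Cross-reference CPU hogs with their connections; return (pid, ip, port)
    for every hog that has a connection to one of the watched ports."""
    watched = set(c2_ports)
    return [(c.pid, c.remote_ip, c.remote_port)
            for c in conns if c.pid in hogs and c.remote_port in watched]


# Constructed snapshots, one per minute over 15 minutes.
# pid 4242 "svc-worker" (made-up name) pins a core the whole time;
# pid 1000 "gcc" is a legitimate 3-minute compile burst; pid 1 idles.
SAMPLES: List[CpuSample] = []
SAMPLES += [CpuSample(60 * i, 4242, "svc-worker", 99.0) for i in range(16)]
SAMPLES += [CpuSample(60 * i, 1000, "gcc", 100.0 if 2 <= i <= 5 else 0.5) for i in range(16)]
SAMPLES += [CpuSample(60 * i, 1, "systemd", 0.1) for i in range(16)]

# Constructed connection table; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
CONNS = [Conn(4242, "203.0.113.7", 8220),
         Conn(1000, "198.51.100.2", 443)]


def demo() -> List[Tuple[int, str, int]]:
    """Run both checks over the constructed data and report the hits."""
    hogs = sustained_cpu_hogs(SAMPLES)
    hits = hogs_talking_to_c2_ports(hogs, CONNS)
    for pid, ip, port in hits:
        comm, secs = hogs[pid]
        print(f"pid {pid} ({comm}) pinned a core for {secs}s and talks to {ip}:{port}")
    return hits


if __name__ == "__main__":
    demo()
```

The sustained-run check on its own will also catch legitimate long compiles and batch jobs, which is why the second function exists: a process that both pins a core for ten minutes and holds a connection to a known C2 port is worth a look, whereas either signal alone is only a prompt to investigate.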
buwaytress
Legendary
July 26, 2022, 12:33:12 PM
 #6

Quote from: LoyceMobile
I was always under the impression that the ddos botnets used millions of infected computers. Compared to that, I'm surprised this number is quite low.
I did the math recently on a Xeon server, and it should be able to mine just over a dollar per month. Still good business if you have 30000 computers wasting electricity without paying for it.

Hmm, me too, and I'm almost 100% certain the massive botnet uncovered years ago had hundreds of millions of devices infected, even the one in the news last month had millions.

A dollar a month is a lot! There are those manual botnets (forget what they're called but it's a sweatshop running 100s of mobile phones literally taped to a wall) collecting cents a day and it's apparently still profitable.

franky1
Legendary
July 26, 2022, 01:52:53 PM
 #7

these criminals don't use botnets/malware or web extensions to mine bitcoin. the hashrate vs reward is not worth it.

instead they do it to mine crapcoins that have current speculatively high prices compared to the underlying value (mining cost). thus if they are wasting $30k of hacked users' electricity, they're probably making $90k on a crap coin that is speculating its price 3x above its crap coin cpu/gpu mining cost

Lucius
Legendary
July 26, 2022, 01:53:33 PM
 #8

Bitcoin is not specifically mentioned anywhere, so I assume that the infected computers are mining some altcoins, as is the case with the various crypto mining malware that targeted individual users (and still does this today), although to a much lesser extent than a few years ago.

What interested me in the article was the use of fake government domains, one of which is an active domain of the Brazilian government. What exactly would that mean?

Quote
One of the notable features of PwnRig is the fake pool request for government domains. Early 2021 versions made use of fbi.gov; however, the latest version uses fbi.gov.br and 161.148.164.31. While the FBI subdomain is not real, the IP address is the active IP hosting the gov.br domain – the true Brazil federal government domain.

Quote from: Betwrong
Is it possible to know whether or not your computer was infected?

Look at the end of the article: Indicators of Compromise

DooMAD
Legendary
July 26, 2022, 02:12:42 PM
 #9

A hashrate as high as Bitcoin's effectively discourages the use of botnets. They're simply not viable. It only becomes an issue for Bitcoin when people start discussing potential future changes of mining algorithm. It's a consideration people often forget to factor in, but one we should be mindful of should an algo switch ever become a necessity.

LoyceMobile
Hero Member
July 26, 2022, 03:10:41 PM
 #10

Quote from: franky1
these criminals dont use botnets/malware or webextensions to mine bitcoin.
When I did the math, I checked for Monero. CPU mining combined with privacy features makes it the perfect coin for a botnet.

franky1
Legendary
July 26, 2022, 03:48:22 PM
 #11

Quote from: franky1
these criminals dont use botnets/malware or webextensions to mine bitcoin.
Quote from: LoyceMobile
When I did the math, I checked for Monero. CPU mining combined with privacy features makes it the perfect coin for a botnet.
but monero has 'some' competing 'good miners', so the share of the ~430 coins a day is not all going to end up in a botnet's hands.

there are many crap coins with no real block mining competition. thus most of the reward can go to a botnet/malware, whilst also being such an unknown crapcoin that no one spots the abuse happening or cares to even want to fight it..

there are some that make blocks in seconds (meaning far less than 10 cents of CPU power to make a block) but have coins at a market rate of more than 3x that cost.

it doesn't need to be coins worth $150 a coin at a 430 coins a day rate (like monero) to make it worth cheating people.
scammers, hackers and just generally malicious people can do it on many coins.

30,000 botnets using a crap coin of 100 coins every 60 seconds where cpu cost is
0.04kwh electric
=0.02 per cpu/hour
=0.000333 per cpu/min
=0.00000333 per cpu/coin
=0.0999 per 30k botnet electric abuse per coin(not actual cost to hacker. but network underlying value cost per coin)

~$0.10 network value per coin, but the coin market rate is $0.50 per coin, meaning $50 a block (minute), meaning $72k a day, where the botnet gets most of the coins per day and thus most of that $72k without causing speculation fear/changes of prices.
compared to monero at $64.5k a day, where a botnet would get a smaller share of that amount and would cause more speculation fear and drop the price, thus losing out more.

so yea, there are many many crap coins that are not even worth a dollar each. but adding up how many coins are produced, and the lack of competition meaning a botnet can get a large share of the daily coins, means they can botnet/malware mine a few different crapcoins and net a nice hefty reward
