A new ELF malware tool named k4spreader, written in Cgo by the Chinese “8220” (Water Sigbin) mining gang, was discovered in June 2024.
Packed with a modified UPX packer, k4spreader installs other malware, including the Tsunami DDoS botnet and PwnRig cryptominer.
The multi-variant tool (3 variants observed) demonstrates persistence, self-update, and download functionalities and is likely still under development.
It has been spreading by exploiting CVE-2020-14882, JBoss_AS_3456_RCE, and YARN_API_RCE. Passive DNS analysis revealed that the C&C servers associated with k4spreader also handle traffic from other shell scripts and mining pools belonging to the “8220” group, which accounts for the high volume of activity observed on them.
The most active C&C servers are dw.c4kdeliver.top (290,000 hits), run.sck-dns.ws (230,000 hits) and a third server (220,000 hits).
K4spreader is written in CGO and uses a modified UPX packer to evade static antivirus detection; it establishes persistence, updates itself, and drops malicious payloads such as Tsunami and PwnRig.
The latest version (v3) strengthens its evasion techniques by adding functionalities like logging and detecting runtime ports, highlighting the evolving nature of k4spreader, where each version witnesses an increase in its functional complexity.
The research by Xlab describes three methods for achieving system persistence across reboots, where the first method modifies the user’s bash startup file (.bash_profile) to copy a program (klibsystem4) to a system directory (/bin/klibsystem4) and then executes it.
The second method creates a system service script (/etc/init.d/knlib) that copies klibsystem4 and runs it in the background, while the third method creates a systemd service file (/etc/systemd/system/knlibe.service) that achieves the same functionality as the second method.
In the updated version, all three methods are unchanged except that the names “knlib” and “klibsystem4” are replaced with “dpkg-deb-package”.
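The three persistence methods and the renamed artifacts of the updated variant give a defender a small, concrete set of filesystem indicators to check. The scanner below is an added example written for this page, not code from Xlab or from the article; the file names and paths come from the description above, while the sample filesystem it builds (a .bash_profile line and a systemd unit under a temporary root) is constructed for the demonstration and is not a real sample.

```python
import os
import re
import tempfile

# Names used by the persistence methods described above, including the
# "dpkg-deb-package" rename introduced by the updated variant.
SUSPECT_NAMES = ("klibsystem4", "knlib", "knlibe", "dpkg-deb-package")

# Paths touched by the three persistence methods, relative to the filesystem root.
PERSISTENCE_PATHS = (
    "bin/klibsystem4",
    "bin/dpkg-deb-package",
    "etc/init.d/knlib",
    "etc/init.d/dpkg-deb-package",
    "etc/systemd/system/knlibe.service",
    "etc/systemd/system/dpkg-deb-package.service",
)

NAME_RE = re.compile("|".join(re.escape(n) for n in SUSPECT_NAMES))


def scan_file_for_names(path):
    """Return the suspect names referenced in a text file (empty if unreadable)."""
    try:
        with open(path, "r", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return []
    return sorted(set(NAME_RE.findall(text)))


def scan_root(root):
    """Look for the persistence artifacts under `root` (use "/" on a live host).

    Returns a list of (kind, detail) tuples: "persistence-file" for a dropped
    binary, init script or unit file, and "startup-file-reference" for a
    .bash_profile that mentions one of the suspect names.
    """
    findings = []
    for rel in PERSISTENCE_PATHS:
        path = os.path.join(root, rel)
        if os.path.exists(path):
            findings.append(("persistence-file", path))

    # Method 1 edits the user's bash startup file, so check root's and every
    # home directory's .bash_profile for the suspect names.
    candidates = [os.path.join(root, "root", ".bash_profile")]
    home = os.path.join(root, "home")
    if os.path.isdir(home):
        for user in os.listdir(home):
            candidates.append(os.path.join(home, user, ".bash_profile"))
    for candidate in candidates:
        hits = scan_file_for_names(candidate)
        if hits:
            findings.append(("startup-file-reference",
                             f"{candidate}: {', '.join(hits)}"))
    return findings


def build_sample_root():
    """Constructed sample filesystem mimicking methods 1 and 3 (not a real sample)."""
    root = tempfile.mkdtemp(prefix="k4spreader_demo_")
    os.makedirs(os.path.join(root, "root"))
    os.makedirs(os.path.join(root, "etc", "systemd", "system"))
    with open(os.path.join(root, "root", ".bash_profile"), "w") as fh:
        fh.write("cp /tmp/klibsystem4 /bin/klibsystem4 && /bin/klibsystem4 &\n")
    with open(os.path.join(root, "etc", "systemd", "system", "knlibe.service"), "w") as fh:
        fh.write("[Service]\nExecStart=/bin/klibsystem4\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_root()
    for kind, detail in scan_root(demo_root):
        print(f"{kind}: {detail}")
```

Running the script against the constructed root reports the systemd unit and the .bash_profile reference; on a real host, pass `"/"` to `scan_root` and treat any hit as a reason to pull the file for analysis rather than as proof by itself, since the names are trivially changeable (the rename to “dpkg-deb-package” shows exactly that).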
As a dropper, k4spreader carries malicious programs such as the Tsunami botnet and the PwnRig miner inside its own data: the embedded files are stored in a built-in ELF table and written out and run upon execution by the k4spreader_utils_ExecuteEmbeddedBin() function.
The table structure makes it easy to add further malware in future. Tsunami (bi.64) is an IRC bot used for DDoS attacks, while PwnRig (bin.64) is a Monero cryptominer; the “8220” gang has used this dropper technique since May 2021.
K4spreader also clears the ground for its payloads: it disables the firewall, flushes iptables rules, clears the ld.so.preload file, removes cron jobs containing malicious keywords, kills suspicious processes by process ID or name, and logs the status of each of these operations.
The malware downloads a shell version of itself (a file named 2.gif) from the C2 server (IP 185.172.128.146) for execution, exhibiting similar functionalities as the original k4spreader except for not deploying pre-encoded malicious files.