k4spreader
K4Spreader is a Linux-focused Go/CGO-based ELF installer/loader used by the China-linked 8220 Gang, also known as Water Sigbin, in cryptomining campaigns. It was reported as first seen in February 2024 and is described as a tool still under development, with multiple observed variants using modified UPX packing for evasion. Its primary role is to install additional malware, chiefly the Tsunami IRC-based DDoS botnet and the PwnRig Monero miner, either by downloading payloads from command-and-control infrastructure or by extracting embedded payloads from within the binary.
Observed capabilities include persistence, self-update, C2-driven tasking, payload download and execution, and dropping embedded files to /tmp for execution. Reported persistence mechanisms are: modification of .bash_profile so that the loader is copied to and executed from /bin/klibsystem4 or /bin/klibsystem5, with chattr used to toggle the immutable attribute on .bash_profile around each edit; an init.d script and a systemd unit at /etc/init.d/knlib and /etc/systemd/system/knlibe.service, which newer variants rename to dpkg-deb-package and dpkg-deb-package.service; and cron jobs, including one that periodically downloads and executes 2.gif, a shell-script variant with similar functionality, and d.py, a Python downloader that retrieves a newer K4Spreader binary from http://185.172.128.146:443/bin.
K4Spreader is reported to disable host defenses by running ufw disable, setting iptables policies to ACCEPT and flushing rules, and clearing /etc/ld.so.preload after removing immutability. It also attempts to remove competing malware by filtering crontab entries and killing suspicious processes, including rival miners such as Kinsing. Reporting also states that K4Spreader and the related Hadooken malware share infection routines that include disabling cloud protection tools, terminating competing miners, and lateral movement via SSH brute force.
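Host triage for the artifacts in the two paragraphs above, as an added example (not code from the reporting or from the malware): triage() walks a filesystem root for the artifact basenames, scans shell profiles and cron entries for the strings the page names, and checks the immutable attribute on the files K4Spreader is reported to chattr. The scan directories and the profile and cron locations are assumptions about a standard Linux layout; the root argument lets the same function run against a mounted disk image or, as in the test, a constructed directory tree.

```python
"""Triage a Linux filesystem for the K4Spreader persistence artifacts named in reporting."""
import glob
import os
import re
import shutil
import subprocess

# Basenames of persistence artifacts named in reporting on K4Spreader.
ARTIFACT_NAMES = {
    "klibsystem4", "klibsystem5",                     # loader copies under /bin
    "knlib", "knlibe.service",                        # init.d script and systemd unit
    "dpkg-deb-package", "dpkg-deb-package.service",   # renamed artifacts in newer variants
}

# Where to look for those basenames. Assumption: the usual binary, init.d and
# systemd locations; reporting gives /bin and /etc paths for the older names.
SCAN_DIRS = ["bin", "usr/bin", "usr/local/bin", "etc/init.d", "etc/systemd/system"]

# Strings that reporting ties to K4Spreader in .bash_profile and cron entries.
CONTENT_PATTERN = re.compile(
    r"klibsystem[45]|dpkg-deb-package|knlibe?\b|185\.172\.128\.146|/2\.gif|/d\.py"
)

# Files whose contents are scanned. Assumption: standard profile and cron paths.
PROFILE_GLOBS = ["root/.bash_profile", "home/*/.bash_profile"]
CRON_PATHS = ["etc/crontab", "etc/cron.d", "var/spool/cron", "var/spool/cron/crontabs"]

# Files the malware is reported to chattr (+i, and -i before modifying them).
IMMUTABLE_CANDIDATES = ["etc/ld.so.preload"]


def _files_under(path):
    """Yield `path` if it is a regular file, or the regular files directly inside it."""
    if os.path.isfile(path):
        yield path
    elif os.path.isdir(path):
        for name in sorted(os.listdir(path)):
            full = os.path.join(path, name)
            if os.path.isfile(full):
                yield full


def is_immutable(path):
    """True if lsattr reports the immutable ('i') flag on `path`; None if lsattr
    is unavailable, the path is missing, or the filesystem does not support flags."""
    if not shutil.which("lsattr") or not os.path.exists(path):
        return None
    try:
        proc = subprocess.run(["lsattr", "-d", path], capture_output=True, text=True, timeout=5)
    except (OSError, subprocess.SubprocessError):
        return None
    if proc.returncode != 0 or not proc.stdout.strip():
        return None
    return "i" in proc.stdout.split()[0]      # flags field precedes the path


def triage(root="/"):
    """Return sorted (kind, path, detail) findings for the tree rooted at `root`."""
    findings = []

    # 1. Known artifact names in the expected directories.
    for rel in SCAN_DIRS:
        directory = os.path.join(root, rel)
        if os.path.isdir(directory):
            for name in os.listdir(directory):
                if name in ARTIFACT_NAMES:
                    findings.append(("artifact_path", os.path.join(directory, name), name))

    # 2. Indicator strings inside shell profiles and cron entries.
    targets = []
    for pattern in PROFILE_GLOBS:
        targets.extend(glob.glob(os.path.join(root, pattern)))
    for rel in CRON_PATHS:
        targets.extend(_files_under(os.path.join(root, rel)))
    for path in targets:
        try:
            with open(path, "r", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    match = CONTENT_PATTERN.search(line)
                    if match:
                        findings.append(("content_match", path, f"line {lineno}: {match.group(0)}"))
        except OSError:
            continue

    # 3. Immutable attribute on ld.so.preload and on any profile that was scanned.
    candidates = [os.path.join(root, rel) for rel in IMMUTABLE_CANDIDATES]
    candidates += [p for p in targets if p.endswith(".bash_profile")]
    for path in candidates:
        if is_immutable(path):
            findings.append(("immutable", path, "chattr +i set"))

    return sorted(findings)


if __name__ == "__main__":
    for kind, path, detail in triage("/"):
        print(f"{kind:14} {path}  ({detail})")
```

Run it as root on the live host, or pass the mount point of an image as root. is_immutable() returns None rather than False when lsattr is missing or the filesystem has no attribute support, so the absence of an "immutable" finding is not evidence that the flag is clear. K4Spreader is reported to clear /etc/ld.so.preload rather than populate it, so an empty or missing file there is the expected post-infection state and is deliberately not flagged.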
Payload delivery observed in reporting includes downloads from http://185.172.128.146:443/bi.64 and http://185.172.128.146:443/bin.64, identified as Tsunami and PwnRig respectively. Newer variants reportedly retrieve base64+gzip-encoded JSON tasking from URLs such as http://run.sck-dns.ws/sys/index.php and http://run.sck-dns.cc/sys/index.php. Associated infrastructure mentioned in the content includes domains dw.c4kdeliver.top, run.sck-dns.ws, run.sck-dns.cc, c4k-ircd.pwndns.pw, pwn.oracleservice.top, run.on-demand.pw, and fbi.su1001-2.top, as well as IPs 185.172.128.146, 51.255.171.23, and 167.114.114.169.
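Reproducing the tasking transport described above, as an added example rather than code from the malware or the reporting: decode_tasking() reverses the base64+gzip+JSON layering and returns None for anything that is not that shape (an error page or a plain-text response is not mistaken for tasking), and extract_urls() pulls URLs out of the decoded object without assuming a schema, for pivoting to payload and C2 infrastructure. The task keys in SAMPLE_TASKING and the encoder are constructed for this example; the page does not document the JSON fields.

```python
"""Decode and inspect the base64+gzip JSON tasking format reported for newer K4Spreader variants."""
import base64
import binascii
import gzip
import json
import re

GZIP_MAGIC = b"\x1f\x8b"
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample. The three layers (JSON -> gzip -> base64) are what the
# reporting describes; the task keys are hypothetical, since the page does not
# document the schema. The URL is one the page lists for the PwnRig payload.
SAMPLE_TASKING = {
    "tasks": [
        {"type": "download_exec", "url": "http://185.172.128.146:443/bin.64"},
        {"type": "shell", "cmd": "ufw disable"},
    ]
}


def encode_tasking(obj):
    """JSON -> gzip -> base64 text, the layering reported for the C2 response.
    Used here only to build inputs; the server-side code is not public."""
    return base64.b64encode(gzip.compress(json.dumps(obj).encode("utf-8"))).decode("ascii")


def decode_tasking(blob):
    """Reverse the layering. Returns the JSON object, or None when `blob` is not
    base64(gzip(JSON object))."""
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw.startswith(GZIP_MAGIC):          # cheap check before inflating
        return None
    try:
        obj = json.loads(gzip.decompress(raw).decode("utf-8"))
    except (OSError, EOFError, UnicodeDecodeError, json.JSONDecodeError):
        return None
    return obj if isinstance(obj, dict) else None


def extract_urls(obj):
    """Collect http(s) URLs from every string in a decoded tasking object,
    regardless of key names."""
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)
        elif isinstance(node, str):
            found.update(URL_RE.findall(node))

    walk(obj)
    return sorted(found)


if __name__ == "__main__":
    blob = encode_tasking(SAMPLE_TASKING)
    print("encoded:", blob[:60] + "...")
    print("decoded:", decode_tasking(blob))
    print("urls:   ", extract_urls(decode_tasking(blob)))
```

Feed decode_tasking() the body of a captured response to one of the /sys/index.php URLs; the gzip magic check on the base64-decoded bytes is what distinguishes real tasking from a sinkholed or parked response before any inflation is attempted.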
The malware has been associated with exploitation of Oracle WebLogic vulnerabilities and other remote code execution paths, including CVE-2020-14882, CVE-2017-10271, CVE-2020-14883, JBoss_AS_3456_RCE, and YARN_API_RCE. Campaign reporting describes opportunistic targeting of vulnerable cloud environments, especially cloud hosting infrastructure, with many compromised systems observed in Oracle Cloud and a focus on targets in Asia and South America. The broader objective described is persistence and hijacking of compute resources for Monero mining, while Tsunami provides IRC-based remote control and DDoS capability. Reported Tsunami configuration and infrastructure include IRC channel #.br, password ircbot456@, and C2 endpoints c4k-ircd.pwndns.pw, pwn.oracleservice.top, and 51.255.171.23 over ports 80 and 443. Reported PwnRig infrastructure includes mining pool domains fbi.su1001-2.top and run.on-demand.pw on ports 80, 443, and 8080, and the Monero wallet 46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ.
Vulnerabilities exploited
3 CVEs correlated with this family across public research and vendor advisories.
"Currently, there are few samples and the following vulnerabilities are exploited. CVE_2020_14882"
"K4Spreader, a Go-based malware, and Hadooken share similarities in their infection routines and payloads."
Groups observed using it
2 distinct threat actors attributed by public researchers.
“…a new tool from the "8220" mining gang, which is used to install other malware, mainly to install the Tsunami DDoS botnet and the PwnRig mining program. We named it "k4spreader"…”
IOCs tracked for this family
19 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Go-based malware used to compromise cloud servers via Oracle WebLogic exploitation, disable defenses, kill rival miners, propagate laterally using SSH brute force, and maintain persistence (cron jobs/systemd) to support Monero mining; also uses shared infrastructure to fetch scripts for persistence.
Linux ELF installer/loader (CGO/Go core) used by the 8220 mining gang to establish persistence (bash profile + init.d + systemd), self-update, disable firewall/iptables, remove competing malware processes/cron entries, and download/execute additional payloads. It deploys Tsunami (DDoS botnet) and PwnRig (Monero miner) either by downloading from C2 or extracting embedded payloads. Newer versions standardize C2 tasking via base64+gzip JSON.