Free Republic
General/Chat

To: ShadowAce

How is this malware acquired?


3 posted on 07/08/2022 12:02:00 PM PDT by Bob434 (.)


To: Bob434

Good question. The article is rather light on details.


4 posted on 07/08/2022 12:04:35 PM PDT by ShadowAce (Linux - The Ultimate Windows Service Pack )

To: Bob434
"How is this malware acquired?"

Microsoft Warns of '8220 Group' Targeting Linux Servers

... [T]he names of the group come from the port number 8220 used by the miner to communicate with the C2 servers....

https://www.cysecurity.news/2022/07/microsoft-warns-of-8220-group-targeting.html



How is this malware acquired?

Step 1: Stand up a C2 server.

Step 2: Doesn't matter unless you've stood up a C2 (command & control) server.

6 posted on 07/08/2022 12:26:46 PM PDT by Paal Gulli

To: Bob434

It comes via a “dropper”, Bob. Same as with MS Trojans. The user has to click something. This is why I use NoScript for websurfing. It reduces the chance of loading malicious scripts and droppers from websites; the other methods are already known as safe practice to prevent it.

“A dropper is a small helper program that facilitates the delivery and installation of malware. Spammers and other bad actors use droppers to circumvent the signatures that anti-virus programs use to block or quarantine malicious code. It’s much easier to change the dropper, should its signature become recognized, than it would be to rewrite the malicious codebase.

“Droppers, like many of their larger Trojan horse counterparts, can be persistent or non-persistent. Non-persistent droppers install malware and then automatically remove themselves. Persistent droppers copy themselves to a hidden file and stay there until they complete the task they were created for.

Droppers can be spread by people who:

Open an infected e-mail attachment.
Pick up a drive-by download on an infected website.
Click on a malicious link in an email or on a website.
Use an infected flash drive.

Sometimes droppers are bundled with free utility programs (such as ad blockers) to avoid detection by antivirus software. When the free program executes, the dropper will first download and install malware before it unpacks and installs the legitimate utility.”

https://www.techtarget.com/whatis/definition/dropper


12 posted on 07/11/2022 4:35:34 AM PDT by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)
