Hadooken Malware

Cybersecurity experts have discovered a new malware campaign aimed at Linux systems, focused on illicit cryptocurrency mining and the spread of botnet malware. The campaign specifically targets Oracle WebLogic servers, delivering a malware variant named Hadooken. Once executed, Hadooken installs the Tsunami malware and launches a crypto miner. The attack exploits well-known vulnerabilities and system misconfigurations, such as weak credentials, to gain initial access and run arbitrary code on vulnerable instances.

The Attack Chain of the Hadooken Malware

This attack involves deploying two nearly identical payloads: one written in Python and the other as a shell script. Both are responsible for fetching the Hadooken malware from remote servers ('89.185.85.102' or '185.174.136.204').

The shell script version additionally scans directories containing SSH data, such as user credentials, host details, and secrets, leveraging this information to target known servers. It then moves laterally within the network or connected environments, spreading the Hadooken malware further.

Hadooken consists of two main components: a cryptocurrency miner and a Distributed Denial-of-Service (DDoS) botnet known as Tsunami (aka Kaiten). The malware has a history of attacking Jenkins and WebLogic services in Kubernetes clusters. The malware also ensures persistence on the infected host by creating cron jobs that run the crypto miner at varying intervals.

To evade detection, Hadooken employs several tactics, including Base64-encoded payloads, disguising miner payloads with innocuous names like 'bash' and 'java' to blend in with legitimate processes, and deleting artifacts after execution to cover any traces of its harmful activity.
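A defender-side check for two of the evasion tricks described above, the miner masquerading as 'bash' or 'java' and the binary being deleted after launch. This is an added example written for this page, not code from the original report; the trusted-path lists are my assumptions, and the fake /proc tree it scans is constructed for the demo.

```python
import os
import tempfile

# Where a genuine bash or java binary is expected to live (assumption; tune per host).
TRUSTED_PREFIXES = ("/bin/", "/usr/bin/", "/usr/lib/jvm/", "/opt/java/", "/usr/local/")
# World-writable drop locations commonly used by miners.
SUSPECT_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Process names Hadooken borrows to blend in.
WATCHED_NAMES = ("bash", "java")


def inspect_proc(proc_root="/proc", names=WATCHED_NAMES):
    """Return [(pid, comm, exe_target, reason)] for processes named like a
    watched binary whose backing executable looks wrong."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(pid_dir, "comm")) as fh:
                comm = fh.read().strip()
            exe = os.readlink(os.path.join(pid_dir, "exe"))  # needs root for other users' PIDs
        except OSError:
            continue  # kernel thread, process exited, or permission denied
        if comm not in names:
            continue
        if exe.endswith(" (deleted)"):  # kernel marks unlinked executables this way
            findings.append((int(entry), comm, exe, "binary deleted after exec"))
        elif exe.startswith(SUSPECT_PREFIXES):
            findings.append((int(entry), comm, exe, "runs from world-writable dir"))
        elif not exe.startswith(TRUSTED_PREFIXES):
            findings.append((int(entry), comm, exe, "unexpected binary path"))
    return findings


def build_fake_proc():
    """Constructed /proc lookalike: a legitimate bash, a 'java' whose file was
    unlinked, a 'bash' dropped in /dev/shm, and an unrelated sshd as control."""
    root = tempfile.mkdtemp()
    samples = {
        "101": ("bash", "/usr/bin/bash"),
        "202": ("java", "/tmp/.x/java (deleted)"),
        "303": ("bash", "/dev/shm/bash"),
        "404": ("sshd", "/usr/sbin/sshd"),
    }
    for pid, (comm, exe) in samples.items():
        pid_dir = os.path.join(root, pid)
        os.mkdir(pid_dir)
        with open(os.path.join(pid_dir, "comm"), "w") as fh:
            fh.write(comm + "\n")
        os.symlink(exe, os.path.join(pid_dir, "exe"))  # mimics the /proc/<pid>/exe link
    return root
```

Run `inspect_proc()` with the default `/proc` root (as root) on a live host; the fake tree from `build_fake_proc()` only exists to show the expected hits.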

Connections to Cybercrime Groups

Cybersecurity researchers have identified the IP address 89.185.85.102 as being registered in Germany under the hosting company Aeza International LTD (AS210644). In February 2024, this IP was linked to a cryptocurrency campaign by the 8220 Gang, which exploited vulnerabilities in Apache Log4j and Atlassian Confluence Server and Data Center.

The second IP address, 185.174.136.204, though currently inactive, is also associated with Aeza Group Ltd. (AS216246). As noted in July 2024, Aeza is a bulletproof hosting provider with operations in Moscow M9 and two data centers in Frankfurt. Aeza's rapid growth and operational model are attributed to its recruitment of young developers connected to Russian bulletproof hosting services, which provide safe havens for cybercriminal activities.
