Summary:
Hadooken malware exploits weak passwords on Oracle WebLogic servers.
Aqua observed dozens of attacks but unclear if part of a larger campaign.
The malware features a cryptominer and Tsunami DDoS botnet.
Hadooken maintains persistence through cronjobs and can steal credentials.
Links to RHOMBUS and NoEscape ransomware strains were identified.
Overview of Hadooken Malware
An unknown attacker is exploiting weak passwords to infiltrate Oracle WebLogic servers and introduce a new Linux malware named Hadooken, as reported by Aqua, a cloud security firm.
Recent Attacks
According to Aqua's lead data analyst Assaf Morag, they have observed "a few dozen attacks over the past couple of weeks," although it remains unclear if these incidents are part of a larger campaign.
What is WebLogic?
WebLogic is a platform designed for running applications at an enterprise scale, commonly utilized by financial services, e-commerce, and other business-critical systems. It has a history of being abused due to various vulnerabilities.
Details of the Attack
Aqua's team detected the malware during an attack on a honeypot WebLogic server. The attacker gained access through a weak password and executed malicious code, including a shell script named "c" and a Python script named "y," which attempted to download Hadooken.
Features of Hadooken
- Cryptominer: Hadooken features a cryptominer, which is used to mine cryptocurrency without the owner's consent.
- Tsunami Malware: The malware also includes Tsunami, a DDoS botnet and backdoor, granting attackers full control over the infected machine. While Aqua has not seen evidence of Tsunami running, they speculate it may be deployed later.
- Persistence: Hadooken sets up multiple cronjobs to maintain its presence on the infected servers. It can also steal user credentials and other sensitive information for lateral movement to other servers.
Tracing the Malware
Aqua traced the malware back to two IP addresses, one linked to a UK-based hosting company, although there is no indication that the company is involved in any malware activities. Morag clarified that while TeamTNT and Gang 8220 have used this IP previously, it does not imply direct attribution.
Ransomware Links
The analysis of the Hadooken binary has suggested connections to RHOMBUS and NoEscape ransomware strains. This indicates that the threat actors might be targeting Windows endpoints for ransomware attacks while also focusing on Linux servers to deploy backdoors and cryptominers.
Comments