Cybersecurity researchers have uncovered a new malware campaign targeting Linux environments to conduct illicit cryptocurrency mining and deliver botnet malware.
The activity, which specifically singles out the Oracle WebLogic server, is designed to deliver a malware strain dubbed Hadooken, according to cloud security firm Aqua.
"When Hadooken is executed, it drops a Tsunami malware and deploys a crypto miner," security researcher Assaf Morag said.
The attack chains exploit known security vulnerabilities and misconfigurations, such as weak credentials, to obtain an initial foothold and execute arbitrary code on susceptible instances.
This is accomplished by launching two nearly identical payloads, one written in Python and the other a shell script, both of which are responsible for retrieving the Hadooken malware from a remote server ("89.185.85[.]102" or "185.174.136[.]204").
"In addition, the shell script version attempts to iterate over various directories containing SSH data (such as user credentials, host information, and secrets) and uses this information to attack known servers," Morag said.
"It then moves laterally across the organization or connected environments to further spread the Hadooken malware."
Hadooken comes embedded with two components, a cryptocurrency miner and a distributed denial-of-service (DDoS) botnet called Tsunami (aka Kaiten), which has a history of targeting Jenkins and WebLogic services deployed in Kubernetes clusters.
Furthermore, the malware is responsible for establishing persistence on the host by creating cron jobs to run the crypto miner periodically at varying frequencies.
Hadooken's defense evasion capabilities are realized through a combination of tactics that involve the use of Base64-encoded payloads, dropping the miner payloads under innocuous names like "bash" and "java" to blend in with legitimate processes, and artifact deletion after execution to hide any indicators of malicious activity.
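The two traits described above, cron-based persistence and a miner masquerading as "bash" or "java", lend themselves to a simple crontab-hunting heuristic. The following is an added example for defenders, not code from Aqua's report; the crontab lines, paths and schedules it scans are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Heuristic scanner for crontab-style lines (added example, not from the report).
# It flags a scheduled binary named "bash" or "java" that does not live in a
# standard system directory, and a command that pipes Base64 through a decoder
# into a shell. Both are hunting hints, not proof of compromise.
TRUSTED_DIRS = {"/bin", "/usr/bin", "/usr/local/bin", "/sbin", "/usr/sbin"}
MASQUERADE_NAMES = {"bash", "java"}
B64_EXEC = re.compile(r"base64\s+(-d|--decode)\s*\|\s*(ba)?sh\b")

def split_cron_line(line):
    """Return (schedule, command) for a crontab line, or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("@"):               # @reboot, @hourly, ... use one field
        parts = line.split(None, 1)
        return (parts[0], parts[1]) if len(parts) == 2 else None
    parts = line.split(None, 5)            # five time fields, then the command
    return (" ".join(parts[:5]), parts[5]) if len(parts) == 6 else None

def find_reasons(command):
    """List the suspicious traits found in one cron command."""
    reasons = []
    tokens = command.split()
    first = PurePosixPath(tokens[0]) if tokens else PurePosixPath("")
    # A bare name (parent ".") resolves via cron's minimal PATH; treat it as untrusted too.
    if first.name in MASQUERADE_NAMES and str(first.parent) not in TRUSTED_DIRS:
        reasons.append(f"{first.name} executed from untrusted path {tokens[0]}")
    if B64_EXEC.search(command):
        reasons.append("base64-decoded payload piped to a shell")
    return reasons

def scan_crontab(text):
    """Return one finding dict per suspicious crontab line."""
    findings = []
    for line in text.splitlines():
        parsed = split_cron_line(line)
        if parsed is None:
            continue
        schedule, command = parsed
        reasons = find_reasons(command)
        if reasons:
            findings.append({"schedule": schedule, "command": command, "reasons": reasons})
    return findings

# Constructed sample crontab; every path and schedule here is invented.
SAMPLE_CRONTAB = """
# legitimate housekeeping job
0 3 * * * /usr/bin/java -jar /opt/app/report.jar
*/15 * * * * /tmp/.x/java --config /tmp/.x/c.json
@reboot /var/tmp/bash -c 'echo aGVsbG8= | base64 -d | sh'
"""

if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f["schedule"], "|", f["command"], "->", "; ".join(f["reasons"]))
```

On a live host the same function can be fed the contents of /etc/crontab, /etc/cron.d/* and each user's crontab, and any hit should be checked against the process and file it points to.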
Aqua noted that the IP address 89.185.85[.]102 is registered in Germany under the hosting company Aeza International LTD (AS210644), with a previous report from Uptycs in February 2024 linking it to an 8220 Gang cryptocurrency campaign that abused flaws in Apache Log4j and Atlassian Confluence Server and Data Center.
The second IP address 185.174.136[.]204, while currently inactive, is also linked to Aeza Group Ltd. (AS216246). As highlighted by Qurium and EU DisinfoLab in July 2024, Aeza is a bulletproof hosting service provider with a presence in Moscow M9 and in two data centers in Frankfurt.
"The modus operandi of Aeza and its fast growth can be explained by the recruitment of young developers affiliated to bulletproof hosting providers in Russia offering shelter to cybercrime," the researchers said in the report.