Cybersecurity researchers have uncovered a brand new malware marketing campaign concentrating on Linux environments to conduct illicit cryptocurrency mining.
The exercise, which particularly singles out the Oracle Weblogic server, is designed to ship malware dubbed Hadooken, in accordance with cloud safety agency Aqua.
“When Hadooken is executed, it drops a Tsunami malware and deploys a crypto miner,” safety researcher Assaf Moran stated.
The assault chains exploit identified safety vulnerabilities and misconfigurations, equivalent to weak credentials, to acquire an preliminary foothold and execute arbitrary code on prone cases.
That is achieved by launching two nearly-identical payloads, one written in Python and the opposite, a shell script, each of that are chargeable for retrieving the Hadooken malware from a distant server (“89.185.85[.]102” or “185.174.136[.]204“).
“In addition, the shell script version attempts to iterate over various directories containing SSH data (such as user credentials, host information, and secrets) and uses this information to attack known servers,” Morag stated.
“It then moves laterally across the organization or connected environments to further spread the Hadooken malware. “
Hadooken comes embedded with two parts, a cryptocurrency miner and a distributed denial-of-service (DDoS) botnet referred to as Tsunami (aka Kaiten), which has a historical past of concentrating on Jenkins and Weblogic providers deployed in Kubernetes clusters.
Moreover, the malware is chargeable for establishing persistence on the host by creating cron jobs to run the crypto miner periodically at various frequencies.
Aqua famous that the IP deal with 89.185.85[.]102 is registered in Germany underneath the internet hosting firm Aeza Worldwide LTD (AS210644), with a earlier report from Uptycs in February 2024 linking it to an 8220 Gang cryptocurrency marketing campaign by abusing flaws in Apache Log4j and Atlassian Confluence Server and Knowledge Middle.
The second IP deal with 185.174.136[.]204, whereas at present inactive, can also be linked to Aeza Group Ltd. (AS216246). As highlighted by Qurium and EU DisinfoLab in July 2024, Aeza is a bulletproof internet hosting service supplier with a presence in Moscow M9 and in two knowledge facilities in Frankfurt.
“The modus operandi of Aeza and its fast growth can be explained by the recruitment of young developers affiliated to bulletproof hosting providers in Russia offering shelter to cybercrime,” the researchers stated within the report.
