TLDR:
- A new Linux malware campaign is exploiting Oracle Weblogic to mine cryptocurrency and deliver botnet malware.
- The malware, dubbed Hadooken, drops the Tsunami botnet malware and deploys a cryptocurrency miner when executed.
Cybersecurity researchers have uncovered a new malware campaign targeting Linux environments to conduct illicit cryptocurrency mining and deliver botnet malware.

“The activity, which specifically singles out the Oracle Weblogic server, is designed to deliver a malware strain dubbed Hadooken,” according to cloud security firm Aqua.

The attack chains exploit known security vulnerabilities and misconfigurations, such as weak credentials, to obtain an initial foothold and execute arbitrary code on susceptible instances.

Hadooken comes embedded with two components: a cryptocurrency miner and a distributed denial-of-service (DDoS) botnet called Tsunami, which has a history of targeting Jenkins and Weblogic services deployed in Kubernetes clusters.

The malware is responsible for establishing persistence on the host by creating cron jobs to run the crypto miner periodically at varying frequencies.

Hadooken’s defense evasion capabilities involve the use of Base64-encoded payloads, dropping the miner payloads under innocuous names like “bash” and “java” to blend in with legitimate processes, and artifact deletion after execution to hide any signs of malicious activity.
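The persistence and evasion traits described above (cron-based scheduling, Base64-decoded payloads, and miner binaries named “bash” or “java” dropped outside the usual system paths) are things a defender can check for on a host. The following Python script is an added example written for this summary; it is not code from Aqua, from the report, or from the malware itself. It parses crontab-style lines and flags the traits above. The crontab content, the directory lists, and the name list are all constructed assumptions for illustration, not indicators taken from the campaign.

```python
import re
import shlex

# Constructed sample crontab (illustrative only, not real indicators of compromise).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update -qq
*/7 * * * * /tmp/.x/bash --config /tmp/.x/cfg
@reboot /var/tmp/java --config /var/tmp/.cfg
*/15 * * * * echo aGVsbG8gd29ybGQ= | base64 -d | sh
30 2 * * * /usr/bin/java -jar /opt/app/server.jar
"""

# Assumed "normal" locations for real bash/java binaries (tune per host image).
STANDARD_BIN_DIRS = ("/bin/", "/usr/bin/", "/usr/local/bin/", "/sbin/",
                     "/usr/sbin/", "/usr/lib/jvm/", "/opt/")
# Names the report says the miner hides under.
LOOKALIKE_NAMES = {"bash", "java"}
# World-writable staging directories commonly abused for dropped files (assumption).
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
BASE64_DECODE_RE = re.compile(r"\bbase64\b[^|;&]*(-d|--decode)\b")
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(sh|bash)\b")


def parse_cron_line(line):
    """Split a crontab line into (schedule, command); None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("@"):                # @reboot, @hourly, ...
        parts = line.split(None, 1)
    else:                                   # five schedule fields, then the command
        fields = line.split(None, 5)
        if len(fields) < 6:
            return None
        parts = [" ".join(fields[:5]), fields[5]]
    if len(parts) < 2:
        return None
    return parts[0], parts[1]


def find_indicators(command):
    """Return a list of human-readable reasons a cron command looks suspicious."""
    findings = []
    if BASE64_DECODE_RE.search(command) and PIPE_TO_SHELL_RE.search(command):
        findings.append("base64-decoded payload piped to a shell")
    try:
        argv = shlex.split(command)
    except ValueError:                      # unbalanced quotes: fall back to whitespace split
        argv = command.split()
    if argv:
        exe = argv[0]
        name = exe.rsplit("/", 1)[-1]
        # A binary called bash/java invoked by explicit path from a non-standard location.
        if name in LOOKALIKE_NAMES and "/" in exe and not exe.startswith(STANDARD_BIN_DIRS):
            findings.append(f"lookalike binary '{name}' outside standard paths: {exe}")
        if exe.startswith(WRITABLE_DIRS):
            findings.append(f"executable run from world-writable directory: {exe}")
    return findings


def scan_crontab(text):
    """Scan crontab text; return [(line_no, schedule, findings)] for flagged entries."""
    results = []
    for line_no, line in enumerate(text.splitlines(), 1):
        parsed = parse_cron_line(line)
        if parsed is None:
            continue
        schedule, command = parsed
        findings = find_indicators(command)
        if findings:
            results.append((line_no, schedule, findings))
    return results


if __name__ == "__main__":
    for line_no, schedule, findings in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {line_no} [{schedule}]: " + "; ".join(findings))
```

On the constructed sample, lines 3, 4 and 5 are flagged while the legitimate `apt-get` and `/usr/bin/java -jar` entries pass. To run it against a real system, feed it the output of `crontab -l` for each user plus the contents of `/etc/cron.d/` and `/etc/crontab`, and adjust the path lists to match the host's image.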