Cybersecurity researchers have discovered a new malware campaign targeting Linux environments to conduct illegal cryptocurrency mining.
The activity that makes the Oracle Weblogic server stand out is to deliver duplicate malware Hadukenaccording to cloud security firm Aqua.
“When Hadooken is launched, it removes the Tsunami malware and deploys a crypto miner,” security researcher Assaf Moran said.
Attack chains exploit known security system vulnerabilities and misconfigurations, such as weak credentials, to gain initial foothold and execute arbitrary code on sensitive instances.
This is achieved by running two almost identical payloads, one written in Python and the other a shell script, both of which are responsible for retrieving Hadooken malware from a remote server (“89.185.85(.)102“or”185.174.136(.)204“).
“Additionally, the shell script version tries to loop through various directories containing SSH data (such as user credentials, host information, and secrets) and uses this information to attack known servers,” Morag said.
“It then moves throughout the organization or connected environments to further distribute the Hadooken malware.”
Hadooken comes with two components built-in: a cryptocurrency miner and a distributed denial-of-service (DDoS) botnet called Tsunami (aka Kaiten) who has a history targeting Jenkins and Weblogic services deployed in Kubernetes clusters.
Additionally, the malware is responsible for establishing security on the host by creating cron jobs periodically run the crypto miner at different frequencies.
Aqua noted that the IP address 89.185.85(.)102 is registered in Germany to the hosting company Aeza International LTD (AS210644), with preliminary report by Uptycs in February 2024, linking it to cryptocurrency company 8220 Gang by exploiting vulnerabilities in Apache Log4j and Atlassian Confluence Server and Data Center.
A second IP address 185.174.136(.)204, while inactive, is also associated with Aeza Group Ltd. (AS216246). How highlighted Qurium and EU DisinfoLab July 2024 Aeza is a bulletproof hosting provider operating in Moscow M9 and two data centers in Frankfurt.
“Aeza’s working methods and its rapid growth can be explained by a recruitment of young developers linked to bulletproof hosting providers in Russia that offer shelter to cybercriminals,” the researchers said in a report.
