
New ‘Hadooken’ Linux Malware Targets WebLogic Servers

The recently observed Hadooken malware targeting Oracle WebLogic applications is linked to multiple ransomware families.

A new Linux malware has been observed targeting Oracle WebLogic servers to deploy additional malware and extract credentials for lateral movement, Aqua Security’s Nautilus research team warns.

Called Hadooken, the malware is deployed in attacks that exploit weak passwords for initial access. After compromising a WebLogic server, the attackers downloaded a shell script and a Python script, meant to fetch and run the malware.

Both scripts have the same functionality, and their combined use suggests that the attackers wanted to make sure Hadooken would execute on the server: each downloads the malware to a temporary folder, runs it, and then deletes it.

Aqua also discovered that the shell script would iterate through directories containing SSH data, leverage the information to target known servers, move laterally to further spread Hadooken within the organization and its connected environments, and then clear logs.

Upon execution, the Hadooken malware drops two files: a cryptominer, which is deployed to three paths with three different names, and the Tsunami malware, which is dropped to a temporary folder with a random name.

According to Aqua, while there has been no indication that the attackers were using the Tsunami malware, they could be leveraging it at a later stage in the attack.

To achieve persistence, the malware was seen creating multiple cronjobs with different names and various frequencies, and saving the execution script under different cron directories.
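As an added defender-side example (not code from the article or from Aqua's report), the check below turns the persistence pattern just described into a detection: it parses the three cron file layouts and flags any executable that runs from a temporary folder or is registered from more than one cron location under different job names. The temp-directory list and the sample cron files are constructed assumptions.

```python
from collections import defaultdict

# Staging locations treated as "temporary folders" (assumption: the article does not name the path).
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
RUN_PARTS_DIRS = ("/cron.hourly/", "/cron.daily/", "/cron.weekly/", "/cron.monthly/")

# Constructed sample of cron files as a host scan would read them: three entries run the same
# payload under different names, frequencies and directories; two are ordinary jobs.
SAMPLE_CRON_FILES = {
    "/etc/cron.d/sysupdate": "*/5 * * * * root /tmp/.x/run.sh\n",
    "/etc/cron.hourly/logrotate2": "#!/bin/sh\n/tmp/.x/run.sh\n",
    "/var/spool/cron/crontabs/root": "0 * * * * /tmp/.x/run.sh\n30 3 * * * /usr/bin/backup.sh\n",
    "/etc/cron.daily/apt-compat": "#!/bin/sh\n/usr/lib/apt/apt.systemd.daily\n",
}

def extract_commands(path, content):
    """Yield the command of every job in one cron file, handling the three layouts: run-parts
    scripts (bare command lines), /etc/cron.d and /etc/crontab (schedule, user, command) and
    per-user spool crontabs (schedule, command)."""
    is_script = any(seg in path for seg in RUN_PARTS_DIRS)
    has_user = path.startswith("/etc/cron.d/") or path == "/etc/crontab"
    for line in content.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment/shebang, or environment assignment
        if is_script:
            yield line
            continue
        fields = line.split()
        rest = fields[1:] if fields[0].startswith("@") else fields[5:]
        if has_user:
            rest = rest[1:]
        if rest:
            yield " ".join(rest)

def find_suspicious_cron_jobs(cron_files):
    """Flag payloads executed from temp dirs, and any executable registered from more than
    one cron location (the multi-name, multi-directory persistence described for Hadooken)."""
    locations = defaultdict(set)
    findings = []
    for path, content in cron_files.items():
        for cmd in extract_commands(path, content):
            exe = cmd.split()[0]
            locations[exe].add(path.rsplit("/", 1)[0])
            if any(d in cmd for d in TEMP_DIRS):
                findings.append(f"temp-dir payload: {cmd} ({path})")
    for exe, dirs in locations.items():
        if len(dirs) > 1:
            findings.append(f"duplicated persistence: {exe} in {sorted(dirs)}")
    return findings
```

On a live host, replace `SAMPLE_CRON_FILES` with the contents read from `/etc/crontab`, `/etc/cron.d`, the run-parts directories and `/var/spool/cron`.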

Further analysis of the attack showed that the Hadooken malware was downloaded from two IP addresses, one registered in Germany and previously associated with TeamTNT and Gang 8220, and another registered in Russia and inactive.


On the server active at the first IP address, the security researchers discovered a PowerShell file that distributes the Mallox ransomware to Windows systems.

“There are some reports that this IP address is used to disseminate this ransomware, thus we can assume that the threat actor is targeting both Windows endpoints to execute a ransomware attack, and Linux servers to target software often used by big organizations to launch backdoors and cryptominers,” Aqua notes.

Static analysis of the Hadooken binary also revealed connections to the Rhombus and NoEscape ransomware families, which could be introduced in attacks targeting Linux servers.

Aqua also discovered over 230,000 internet-connected WebLogic servers, most of which are protected, save for a few hundred WebLogic server administration consoles that “may be exposed to attacks that exploit vulnerabilities and misconfigurations”.

Related: ‘CrystalRay’ Expands Arsenal, Hits 1,500 Targets With SSH-Snake and Open Source Tools

Related: Recent WebLogic Vulnerability Likely Exploited by Ransomware Operators

Related: Cryptojacking Attacks Target Enterprises With NSA-Linked Exploits

Related: New Backdoor Targets Linux Servers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
