A new Linux malware has been observed targeting Oracle WebLogic servers to deploy additional malware and extract credentials for lateral movement, Aqua Security’s Nautilus research team warns.
Called Hadooken, the malware is deployed in attacks that exploit weak passwords for initial access. After compromising a WebLogic server, the attackers downloaded a shell script and a Python script, meant to fetch and run the malware.
Both scripts have the same functionality and their use suggests that the attackers wanted to make sure that Hadooken would be successfully executed on the server: they would both download the malware to a temporary folder and then delete it.
Aqua also discovered that the shell script would iterate through directories containing SSH data, leverage the information to target known servers, move laterally to further spread Hadooken within the organization and its connected environments, and then clear logs.
Upon execution, the Hadooken malware drops two files: a cryptominer, which is deployed to three paths with three different names, and the Tsunami malware, which is dropped to a temporary folder with a random name.
According to Aqua, while there has been no indication that the attackers were using the Tsunami malware, they could be leveraging it at a later stage in the attack.
To achieve persistence, the malware was seen creating multiple cronjobs with different names and various frequencies, and saving the execution script under different cron directories.
Further analysis of the attack showed that the Hadooken malware was downloaded from two IP addresses, one registered in Germany and previously associated with TeamTNT and Gang 8220, and another registered in Russia and inactive.
On the server active at the first IP address, the security researchers discovered a PowerShell file that distributes the Mallox ransomware to Windows systems.
“There are some reports that this IP address is used to disseminate this ransomware, thus we can assume that the threat actor is targeting both Windows endpoints to execute a ransomware attack, and Linux servers to target software often used by big organizations to launch backdoors and cryptominers,” Aqua notes.
Static analysis of the Hadooken binary also revealed connections to the Rhombus and NoEscape ransomware families, which could be introduced in attacks targeting Linux servers.
Aqua also discovered over 230,000 internet-connected Weblogic servers, most of which are protected, save from a few hundred Weblogic server administration consoles that “may be exposed to attacks that exploit vulnerabilities and misconfigurations”.