info@thehackernews.com (The Hacker News)
2024-09-13 01:39:00
thehackernews.com
Cybersecurity researchers have uncovered a new malware campaign targeting Linux environments to conduct illicit cryptocurrency mining.
The activity, which specifically singles out the Oracle Weblogic server, is designed to deliver malware dubbed Hadooken, according to cloud security firm Aqua.
“When Hadooken is executed, it drops a Tsunami malware and deploys a crypto miner,” security researcher Assaf Moran said.
The attack chains exploit known security vulnerabilities and misconfigurations, such as weak credentials, to obtain an initial foothold and execute arbitrary code on susceptible instances.
This is accomplished by launching two nearly-identical payloads, one written in Python and the other, a shell script, both of which are responsible for retrieving the Hadooken malware from a remote server (“89.185.85[.]102” or “185.174.136[.]204“).
“In addition, the shell script version attempts to iterate over various directories containing SSH data (such as user credentials, host information, and secrets) and uses this information to attack known servers,” Morag said.
“It then moves laterally across the organization or connected environments to further spread the Hadooken malware. “
Hadooken comes embedded with two components, a cryptocurrency miner and a distributed denial-of-service (DDoS) botnet called Tsunami (aka Kaiten), which has a history of targeting Jenkins and Weblogic services deployed in Kubernetes clusters.
Furthermore, the malware is responsible for establishing persistence on the host by creating cron jobs to run the crypto miner periodically at varying frequencies.
Aqua noted that the IP address 89.185.85[.]102 is registered in Germany under the hosting company Aeza International LTD (AS210644), with a previous report from Uptycs in February 2024 linking it to an 8220 Gang cryptocurrency campaign by abusing flaws in Apache Log4j and Atlassian Confluence Server and Data Center.
The second IP address 185.174.136[.]204, while currently inactive, is also linked to Aeza Group Ltd. (AS216246). As highlighted by Qurium and EU DisinfoLab in July 2024, Aeza is a bulletproof hosting service provider with a presence in Moscow M9 and in two data centers in Frankfurt.
“The modus operandi of Aeza and its fast growth can be explained by the recruitment of young developers affiliated to bulletproof hosting providers in Russia offering shelter to cybercrime,” the researchers said in the report.
Support Techcratic
If you find value in Techcratic’s insights and articles, consider supporting us with Bitcoin. Your support helps me, as a solo operator, continue delivering high-quality content while managing all the technical aspects, from server maintenance to blog writing, future updates, and improvements. Support Innovation! Thank you.
Bitcoin Address:
bc1qlszw7elx2qahjwvaryh0tkgg8y68enw30gpvge
Please verify this address before sending funds.
Bitcoin QR Code
Simply scan the QR code below to support Techcratic.
Please read the Privacy and Security Disclaimer on how Techcratic handles your support.
Disclaimer: As an Amazon Associate, Techcratic may earn from qualifying purchases.