Hadooken Malware Becomes a Growing Threat to WebLogic Infrastructure
Threat Group: Unclear attribution, though linked to prior infrastructure used by TeamTNT and 8220 Gang.
Threat Type: Cryptominer and Botnet, with potential future ransomware connections.
Exploited Vulnerabilities: Weak credentials and misconfigured Oracle WebLogic servers.
Malware Used: Hadooken (deploys both a cryptominer and Tsunami botnet).
Threat Score: High (7.5/10) — Due to the potential for cross-platform attacks, its ability to maintain persistence, and links to future ransomware threats.
Last Threat Observation: September 14, 2024, by Aqua Security.
Overview
The Hadooken Malware is a newly discovered Linux-based malware that primarily targets Oracle WebLogic servers. First observed in September 2024, it is designed to exploit weak credentials and misconfigurations to gain access and deliver a cryptominer alongside a Tsunami DDoS botnet. Researchers have also found potential connections to RHOMBUS and NoEscape ransomware, though no active deployment of ransomware has been observed so far.
The malware spreads by exploiting vulnerabilities in WebLogic servers and uses cron jobs to establish persistence while moving laterally across networks through SSH credential theft.
Key Details
- Target Environment: Primarily Linux WebLogic servers, though hints of Windows activity exist.
- Cryptomining: Hadooken installs a cryptominer under various aliases to obfuscate its presence on infected systems.
- Botnet: Deploys Tsunami, a DDoS botnet, targeting WebLogic and Jenkins services.
- Persistence Mechanism: Utilizes cron jobs with randomly generated names for continuous execution.
- Lateral Movement: Exploits SSH data to move across systems in the network.
- Future Ransomware Links: Static analysis indicates ties to RHOMBUS and NoEscape ransomware strains.
Attack Vectors
- Initial Access: The attacker gains access by exploiting weak or default credentials in public-facing WebLogic administration panels.
- Execution: Shell and Python scripts are used to download and deploy Hadooken from external servers.
- Persistence: Cron jobs are set up to periodically run the malware, disguised as legitimate processes such as
-bash
and-java
. - Lateral Movement: The malware scans for SSH keys and credentials to propagate across systems.
- Defense Evasion: Base64-encoded payloads are used to avoid detection, and logs are deleted to hide traces of malicious activity.
Known Indicators of Compromise (IoCs)
- IP Addresses:
- 89.185.85.102 (active, Germany, linked to Aeza International LTD)
- 185.174.136.204 (inactive, linked to Russia-based Aeza Group Ltd)
- MD5 Hashes:
- Cryptominer: b9f096559e923787ebb1288c93ce2902
- Unpacked Cryptominer: 9bea7389b633c331e706995ed4b3999c
- Tsunami Malware: 8eef5aa6fa9859c71b55c1039f02d2e6
- File Paths:
/usr/bin/crondr
/usr/bin/bprofr
/mnt/-java
/tmp/<<random>>
(Tsunami malware)
Mitigation and Prevention
- Credential Hardening: Ensure strong passwords and disable default credentials for all WebLogic administrative interfaces.
- Patch Management: Regularly update Oracle WebLogic and other vulnerable software to prevent known exploits.
- Network Monitoring: Set up alerts to detect the known IoCs, including suspicious IP addresses, file hashes, and file paths.
- Restrict SSH Access: Limit SSH access and monitor for unusual SSH-related activities, such as lateral movement attempts.
- Advanced Endpoint Detection: Deploy security solutions that can detect and mitigate cryptomining and botnet behaviors.
Conclusion
The Hadooken Malware is a significant threat to enterprises running Oracle WebLogic servers. Its combination of cryptomining, DDoS botnet capabilities, and potential ransomware connections makes it a high-risk threat. To mitigate this risk, organizations should prioritize hardening credentials, applying patches promptly, and monitoring their systems for indicators of compromise.
Sources
- Aqua Security – Hadooken Malware Targets Weblogic Applications
https://www.aquasec.com/blog/hadooken-malware-targets-weblogic-applications - The Register – Hadooken Linux malware targets Oracle WebLogic servers
https://www.theregister.com/2024/09/13/hadooken-linux-malware-targets-weblogic/ - Red Secure Tech – New Hadooken Malware Targets Linux Servers for Cryptomining and Botnet
https://www.redsecuretech.co.uk/blog/hadooken-malware-targets-linux-servers/