Aqua Nautilus researchers identified a new Linux malware targeting WebLogic servers. The main payload calls itself Hadooken, a likely reference to the Hadouken attack (or “surge fist”) in the Street Fighter video game series. When Hadooken is executed, it drops the Tsunami malware and deploys a cryptominer. In this article, we explain the malware, its components, and how it was detected.
About Oracle WebLogic Server
WebLogic Server is an enterprise-level Java EE application server developed by Oracle, used for building, deploying, and managing large-scale, distributed applications. It’s commonly used in banking, e-commerce, and business-critical systems due to its support for Java technologies, transaction management, and scalability. However, WebLogic is a frequent target for cyberattacks due to vulnerabilities such as deserialization flaws and improper access controls. Misconfigurations, like weak credentials or exposed admin consoles, can lead to remote code execution (RCE), privilege escalation, and data breaches if not properly patched or secured.
The Hadooken Attack Details: targeting SSH directories
Hadooken malware gains access to WebLogic servers by exploiting weak credentials, allowing attackers to achieve remote code execution. Upon breaching the server, the malware is deployed through a combination of a shell script (‘c’) and a Python script (‘y’). These scripts work together to download and execute the Hadooken malware, enabling it to move laterally within the network by targeting SSH directories.
Once installed, Hadooken drops two key components:
Cryptominer: The malware installs a cryptominer under several randomized paths on the server to mine cryptocurrency, utilizing the server’s processing power.
Tsunami malware: Known for its distributed-denial-of-service capabilities, Tsunami is also deployed but has not been actively used in the observed attacks.
The malware’s operations are designed to evade detection. It disguises its malicious processes under names mimicking legitimate services, such as ‘-bash’ or ‘-java’, and clears system logs to hide its activities.
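As an added defender-side example (not code from the Aqua report or this article), the check below flags processes whose argv[0] carries one of the disguise names mentioned above while the backing executable lives somewhere other than the real shell or JVM, or has already been deleted from disk. The ProcInfo record, the sample snapshot and all file paths in it are constructed.

```python
"""Flag processes whose argv[0] masquerades as a login shell or JVM."""
import os
from dataclasses import dataclass

SUSPICIOUS_ARGV0 = {"-bash", "-java"}  # disguises the article reports

@dataclass
class ProcInfo:      # constructed record type, not from the report
    pid: int
    argv0: str       # first NUL-separated field of /proc/<pid>/cmdline
    exe: str         # target of the /proc/<pid>/exe symlink

def is_masquerading(p: ProcInfo) -> bool:
    """A real login shell shows argv[0] '-bash' backed by .../bash, so a
    disguise name is flagged only when the on-disk binary does not match
    it or has been unlinked (readlink then appends ' (deleted)')."""
    if p.argv0 not in SUSPICIOUS_ARGV0:
        return False
    if p.exe.endswith(" (deleted)"):
        return True
    return os.path.basename(p.exe) != p.argv0.lstrip("-")

def find_masquerading(procs):
    """Return the PIDs that fail the check, in snapshot order."""
    return [p.pid for p in procs if is_masquerading(p)]

def snapshot_proc():
    """Read a live Linux /proc; unreadable entries (other users, races) are skipped."""
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/cmdline", "rb") as fh:
                argv0 = fh.read().split(b"\0")[0].decode(errors="replace")
            exe = os.readlink(f"/proc/{name}/exe")
        except OSError:
            continue  # process exited or permission denied
        procs.append(ProcInfo(int(name), argv0, exe))
    return procs

# Constructed sample snapshot; paths are illustrative placeholders.
SAMPLE = [
    ProcInfo(1201, "-bash", "/usr/bin/bash"),            # genuine login shell
    ProcInfo(2310, "-java", "/tmp/.x/hadooken"),          # disguised binary
    ProcInfo(2355, "-bash", "/var/tmp/.a/kb (deleted)"),  # unlinked binary
    ProcInfo(2400, "java", "/opt/jdk/bin/java"),          # WebLogic JVM
]
if __name__ == "__main__":
    print(find_masquerading(SAMPLE))  # → [2310, 2355]
```

On a live host, replace SAMPLE with snapshot_proc(); the check is a triage aid and should be paired with the log-integrity and miner-path indicators the article describes, since an attacker who keeps the disguised binary in place and un-deleted will not trip it.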
Hadooken attack overview. Source: Aquasec
Indicators of Compromise and Attribution
The Hadooken malware uses two known IP addresses for its distribution. The first, 89.185.85.102, is active and registered in Germany, with previous links to cybercriminal groups like TeamTNT and Gang 8220. The second, 185.174.136.204, was registered in Russia but is no longer active. However, researchers have yet to definitively attribute this malware campaign to any specific group due to insufficient evidence.
Static analysis of Hadooken has shown connections to RHOMBUS and NoEscape ransomware families. Although no ransomware activity has been observed in these attacks, it is speculated that ransomware may be deployed in future operations or under specific conditions.
Broader Implications
Oracle WebLogic servers are widely used in various sectors, including finance, telecommunications, and government, making them valuable targets for attackers seeking to leverage their resources for cryptomining and other malicious purposes. Given the popularity of these servers, organizations should remain vigilant, especially as Hadooken may evolve or expand its capabilities.
Strengthening the security of WebLogic servers through improved password policies, regular patching, and proactive monitoring is essential to mitigate the risks posed by threats like Hadooken. Running risk assessments helps you identify such risks ahead of time: contact us to learn more.