New Linux Malware Campaign Exploits Oracle Weblogic to Mine Cryptocurrency
Cybersecurity researchers have uncovered a new malware campaign targeting Linux environments to conduct illicit cryptocurrency mining.
The activity, which specifically singles out the Oracle Weblogic server, is designed to deliver malware dubbed Hadooken, according to cloud security firm Aqua.
"When Hadooken is executed, it drops a Tsunami malware and deploys a crypto miner," security researcher Assaf Moran said.
The attack chains exploit known security vulnerabilities and misconfigurations, such as weak credentials, to obtain an initial foothold and execute arbitrary code on susceptible instances.
This is accomplished by launching two nearly-identical payloads, one written in Python and the other, a shell script, both of which are responsible for retrieving the Hadooken malware from a remote server ("89.185.85[.]102" or "185.174.136[.]204").
"In addition, the shell script version attempts to iterate over various directories containing SSH data (such as user credentials, host information, and secrets) and uses this information to attack known servers," Morag said.
"It then moves laterally across the organization or connected environments to further spread the Hadooken malware. "
Hadooken comes embedded with two components, a cryptocurrency miner and a distributed denial-of-service (DDoS) botnet called Tsunami (aka Kaiten), which has a history of targeting Jenkins and Weblogic services deployed in Kubernetes clusters.
Furthermore, the malware is responsible for establishing persistence on the host by creating cron jobs to run the crypto miner periodically at varying frequencies.
Aqua noted that the IP address 89.185.85[.]102 is registered in Germany under the hosting company Aeza International LTD (AS210644), with a previous report from Uptycs in February 2024 linking it to an 8220 Gang cryptocurrency campaign by abusing flaws in Apache Log4j and Atlassian Confluence Server and Data Center.
The second IP address 185.174.136[.]204, while currently inactive, is also linked to Aeza Group Ltd. (AS216246). As highlighted by Qurium and EU DisinfoLab in July 2024, Aeza is a bulletproof hosting service provider with a presence in Moscow M9 and in two data centers in Frankfurt.
"The modus operandi of Aeza and its fast growth can be explained by the recruitment of young developers affiliated to bulletproof hosting providers in Russia offering shelter to cybercrime," the researchers said in the report.
source: TheHackerNews
Free security scan for your website
Top News:
Google Chrome uses AI to analyze pages in new scam detection feature
December 21, 2024CISA orders federal agencies to secure Microsoft 365 tenants
December 18, 2024Recorded Future CEO applauds "undesirable" designation by Russia
December 19, 2024Five lesser known Task Manager features in Windows 11
December 25, 2024DDoS Attacks Surge as Africa Expands Its Digital Footprint
December 26, 2024