Researchers discovered a new Linux malware named "Hadooken" that specifically targets Oracle WebLogic servers. The malware exploits weak passwords to gain access and then deploys both Tsunami malware and a cryptominer. The attack flow involves using a combination of shell and Python scripts to download and execute the Hadooken malware, iterating over SSH data to move laterally within the network, and employing cron jobs for persistence. Additionally, Hadooken clears logs to avoid detection and potentially sets the stage for future ransomware deployment.
The attack targets Oracle WebLogic Server, a widely used enterprise-level Java EE application server. Due to its common use in sectors like banking and e-commerce, WebLogic often becomes a target for cyberattacks, especially when vulnerabilities and misconfigurations, such as weak credentials or exposed admin consoles, are present. In this case, the attack begins by exploiting a weak password to gain remote code execution on the server.
Once access is gained, malicious shell and Python scripts are executed to download and run the Hadooken malware in non-persistent directories. This malware includes both Tsunami malware and a cryptominer, which are dropped into multiple paths under various names, such as "-java" and "-bash". The attack involves creating cron jobs with random names to maintain persistence, allowing periodic execution of the cryptominer. Additionally, the attack iterates over SSH directories to gather data and attack known servers, enabling lateral movement across the network. The attackers also delete logs to evade detection.
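As an added defender-side example (not code from the original report), the following Python hunt checks a host for the two artifacts described above: dropped binaries named "-java" or "-bash" in non-persistent directories, and cron.d jobs that execute something from such a directory. The list of volatile directories and the /etc/cron.d location are assumptions; the sample host it builds is constructed for the demonstration.

```python
import os
import tempfile

# File names the report says Hadooken uses for its dropped Tsunami and miner binaries
DROP_NAMES = {"-java", "-bash"}
# Non-persistent directories to inspect (assumption: typical drop locations, not from the report)
VOLATILE_DIRS = ("tmp", "dev/shm", "var/tmp")


def find_dropped_binaries(root):
    """Return paths under root's volatile dirs whose file name matches a reported drop name."""
    hits = []
    for d in VOLATILE_DIRS:
        for dirpath, _dirs, files in os.walk(os.path.join(root, d)):
            hits.extend(os.path.join(dirpath, f) for f in files if f in DROP_NAMES)
    return sorted(hits)


def find_cron_persistence(cron_dir):
    """Return (cron file, line) pairs where a job runs a binary from a volatile directory."""
    hits = []
    if not os.path.isdir(cron_dir):
        return hits
    for name in sorted(os.listdir(cron_dir)):
        with open(os.path.join(cron_dir, name), encoding="utf-8", errors="replace") as fh:
            for line in fh:
                line = line.strip()
                if line and not line.startswith("#") and any(f"/{d}/" in line for d in VOLATILE_DIRS):
                    hits.append((name, line))
    return hits


def hunt(root):
    """Run both checks against a filesystem rooted at root (pass '/' on a live host)."""
    return {
        "dropped_binaries": find_dropped_binaries(root),
        "cron_persistence": find_cron_persistence(os.path.join(root, "etc", "cron.d")),
    }


def build_sample_host():
    """Construct a fake root that mirrors the reported artifacts; returns its path."""
    root = tempfile.mkdtemp(prefix="hadooken-hunt-")
    os.makedirs(os.path.join(root, "tmp"))
    os.makedirs(os.path.join(root, "etc", "cron.d"))
    open(os.path.join(root, "tmp", "-java"), "wb").close()  # constructed miner drop
    with open(os.path.join(root, "etc", "cron.d", "qz8hf2"), "w") as fh:  # random-name cron job
        fh.write("*/5 * * * * root /tmp/-bash >/dev/null 2>&1\n")
    with open(os.path.join(root, "etc", "cron.d", "logrotate"), "w") as fh:  # benign entry
        fh.write("0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n")
    return root


if __name__ == "__main__":
    print(hunt(build_sample_host()))
```

The file-name check is deliberately exact because the names are a leading hyphen plus a common binary name; a user crontab scan would need the same volatile-path rule applied to crontab output.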