Aqua Nautilus researchers identified Hadooken, a Linux malware targeting WebLogic servers that gains initial access via weak credentials, drops Tsunami, and deploys a cryptominer. The post details the malware’s components, attack flow, detection methods, and IOCs, highlighting the need to harden WebLogic and cloud-native deployments. #Hadooken #WebLogic #Tsunami #Mallox #RHOMBUS #NoEscape #TeamTNT #Gang8220
Keypoints
- Hadooken targets WebLogic servers by exploiting weak passwords for initial access.
- On execution the malware drops the Tsunami malware and a cryptominer.
- Two loader scripts are used to fetch and execute the payloads: a shell script (`c`) and a Python script (`y`).
- Persistence is maintained via cron jobs, and logs are cleared to evade detection.
- IOCs include specific IP addresses and MD5 hashes for Hadooken, Mallox, and related components.
- The attack underscores the need to secure WebLogic servers against misconfigurations and vulnerabilities.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Exploiting vulnerable WebLogic servers by taking advantage of weak credentials to gain access. “Exploiting vulnerable WebLogic servers by taking advantage of weak credentials to gain access.”
- [T1059.004] Command and Scripting Interpreter – Unix Shell – Use of the shell script `c` for malicious execution. “The use of shell script (`c`) for malicious execution.”
- [T1059.006] Command and Scripting Interpreter – Python – Use of the Python script `y` for malicious execution. “The Python script (`y`) is attempting to download a malware called Hadooken…”
- [T1059.001] Command and Scripting Interpreter – PowerShell – PowerShell script `b.ps1` used to distribute malware (Mallox ransomware). “PowerShell script `b.ps1` used to distribute malware (Mallox ransomware).”
- [T1543.003] Create or Modify System Process – Cron – Use of cron jobs to maintain persistence by executing malicious payloads periodically. “Use of cron jobs to maintain persistence by executing malicious payloads periodically.”
- [T1036.004] Masquerading – Task or Service – Use of known names such as -java, -bash. “Use of known names such as -java, -bash.”
- [T1027] Obfuscated Files or Information – Use of base64-encoded payloads to avoid detection. “Use of base64-encoded payloads to avoid detection.”
- [T1070] Indicator Removal on Host – Deleting logs after executing malicious activities. “Deleting logs after executing malicious activities.”
- [T1110] Brute Force – Initial access gained via successful brute force against the WebLogic administration panel. “Initial access gained via successful brute force into the WebLogic administration panel.”
- [T1571] Remote Service Session Hijacking – SSH Hijacking – Iterating over SSH keys to move laterally across the network. “Iterating over SSH keys to move laterally across the network.”
- [T1496] Resource Hijacking – Running a cryptominer as part of the Hadooken malware. “Running a cryptominer as part of the Hadooken malware.”
- [T1486] Data Encrypted for Impact – Potential use of ransomware like RHOMBUS and NoEscape in future versions of the attack. “Potential use of ransomware like RHOMBUS and NoEscape in future versions of the attack.”
Indicators of Compromise
- IP addresses – 89.185.85.102, 185.174.136.204 (attacker IPs)
- Binary files (MD5):
  - cdf3fce392df6fbb3448c5d26c8d053e
  - Mallox-related: 4a12098c3799ce17d6d59df86ed1a5b6
  - Packed cryptominer: b9f096559e923787ebb1288c93ce2902
  - Unpacked cryptominer: 9bea7389b633c331e706995ed4b3999c
  - Tsunami malware: 8eef5aa6fa9859c71b55c1039f02d2e6
- PowerShell script `b.ps1` – MD5: c1897ea9457343bd8e73f98a1d85a38f
- Shell script `c` – MD5: 249871cb1c396241c9fcd0fd8f9ad2ae
- Python script `y` – MD5: 73d96a4316182cd6417bdab86d4df1fc
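An added hunting helper, written for this summary and not code from Aqua Nautilus or from the malware, that checks three of the observables listed above on a Linux host: file contents against the page's MD5 IOCs, processes whose argv[0] masquerades as `-java` or `-bash`, and cron entries that decode a base64 blob straight into a shell. The `ps` and crontab samples are constructed; the hash set is copied from the IOC list.

```python
import hashlib
import re

# MD5 IOCs as listed on this page (binaries, b.ps1, c, y).
IOC_MD5 = {
    "cdf3fce392df6fbb3448c5d26c8d053e", "4a12098c3799ce17d6d59df86ed1a5b6",
    "b9f096559e923787ebb1288c93ce2902", "9bea7389b633c331e706995ed4b3999c",
    "8eef5aa6fa9859c71b55c1039f02d2e6", "c1897ea9457343bd8e73f98a1d85a38f",
    "249871cb1c396241c9fcd0fd8f9ad2ae", "73d96a4316182cd6417bdab86d4df1fc",
}
# Process names the page reports Hadooken adopts to blend in (T1036.004).
MASQUERADE_NAMES = {"-java", "-bash"}
# Cron command that decodes a base64 blob and pipes it into a shell (T1027 + cron persistence).
B64_CRON_RE = re.compile(r"base64\s+(?:-d|--decode)\b.*\|\s*(?:ba)?sh\b")


def md5_matches(data: bytes) -> bool:
    """True when the MD5 of a file's bytes is one of the page's IOC hashes."""
    return hashlib.md5(data).hexdigest() in IOC_MD5


def suspicious_processes(ps_args_output: str) -> list:
    """PIDs whose argv[0] is a masquerade name, from `ps -eo pid,args` style output.
    Caveat: an interactive login shell legitimately shows as '-bash', so treat that
    hit as low confidence unless the cron or hash checks also fire on the host."""
    hits = []
    for line in ps_args_output.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[1].split()[0] in MASQUERADE_NAMES:
            hits.append(int(parts[0]))
    return hits


def suspicious_cron_lines(crontab: str) -> list:
    """Cron lines that base64-decode an inline payload straight into a shell."""
    return [line for line in crontab.splitlines() if B64_CRON_RE.search(line)]


# Constructed samples (hypothetical; not captures from the incident).
SAMPLE_PS = """PID ARGS
1 /sbin/init
4242 -java
4243 /usr/bin/java -jar wls.jar
4300 -bash
"""
SAMPLE_CRON = """# constructed crontab
*/5 * * * * echo aGVsbG8K | base64 -d | bash
0 2 * * * /usr/sbin/logrotate /etc/logrotate.conf
"""

if __name__ == "__main__":
    print("masqueraded PIDs:", suspicious_processes(SAMPLE_PS))
    print("cron hits:", suspicious_cron_lines(SAMPLE_CRON))
```

On a live host, feed `ps -eo pid,args` and `crontab -l` (plus /etc/cron.d entries) into the two functions and read files to bytes for `md5_matches`; the `-bash` hit alone is expected noise from login shells.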
Read more: https://www.aquasec.com/blog/hadooken-malware-targets-weblogic-applications/