lconstantin
CSO Senior Writer

New cryptomining campaign infects WebLogic servers with Hadooken malware

News
13 Sep 2024 · 4 mins
Advanced Persistent Threats · Hacking · Java

The Hadooken backdoor affecting the popular Java app server carries a cryptomining program and links to ransomware.


A new attack campaign compromises misconfigured Oracle WebLogic servers and deploys a backdoor program called Hadooken along with a cryptocurrency mining program. Initial access is apparently gained by exploiting weak administrative passwords, according to researchers from Aqua Security.

Oracle WebLogic is a Java application server that’s used by many businesses to build and deploy enterprise applications. Its popularity and widespread use have made it a target for attackers over the years, both through remote code execution vulnerabilities as well as misconfigurations.

“A search in Shodan (a search engine for finding internet-connected devices and systems) suggests that there are over 230K internet-connected WebLogic servers,” Aqua said in their report. “A further analysis shows that most of them are protected, which is very good. We saw a few hundred internet-connected WebLogic server administration consoles. These may be exposed to attacks that exploit vulnerabilities and misconfigurations.”

How the Hadooken backdoor works

The Aqua researchers detected the attack campaign after it hit their honeypot servers, allowing them to observe the full attack chain. After initial access was gained through a weak password, the attackers executed two scripts: a shell script called “c” and a Python script called “y.”

Both scripts have similar functionality, so the researchers speculate that the Python script is a fallback in case the shell script fails to execute for some reason. Both of them download and execute a file named “hadooken” as a second-stage payload. This is a backdoor program that sets up persistence and is used to deploy additional payloads that are embedded within the binary itself rather than downloaded.

The shell script that deploys Hadooken also exhibits worming behavior. First, it reads various directories that contain SSH information such as credentials, keys and servers and then uses that information to try to deploy Hadooken on other systems.

One of the payloads stored inside Hadooken is a cryptocurrency mining program that is deployed in three different locations on the system: /usr/bin/crondr, /usr/bin/bprofr and /mnt/-java. Cryptominers are a common method of monetizing compromised servers.
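The two observations above, the SSH material the worming script reads and the three file paths where the miner is dropped, are what a responder would check first on a suspected host. The following triage helper is an added example written for this article, not code from Aqua or from the malware. It checks a filesystem root for the three paths named in the report and hashes any hit so the value can be compared with vendor indicators, then lists the private keys and unhashed `known_hosts` targets under `/root` and `/home`, which is the set of other hosts the worming behaviour could have reached from this one. The `build_demo_root()` function constructs a sample directory tree so the module runs offline; the file contents and host names in it are constructed, not from the campaign.

```python
"""Host triage helper for the Hadooken indicators described in the article.

Added example, not Aqua's or the malware's code. Checks a filesystem root
(default "/") for the three dropper paths the report names, hashes any hit
for comparison with vendor IoCs, and lists the SSH key material and
known_hosts targets a worming script on this host could have read.
"""
import hashlib
import os
import tempfile

# Paths named in the Aqua report where the miner was dropped.
HADOOKEN_MINER_PATHS = ("/usr/bin/crondr", "/usr/bin/bprofr", "/mnt/-java")


def _sha256(path):
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_miner_artifacts(root="/"):
    """Return {reported_path: sha256} for every named dropper path present under root."""
    hits = {}
    for rel in HADOOKEN_MINER_PATHS:
        full = os.path.join(root, rel.lstrip("/"))
        if os.path.isfile(full):
            hits[rel] = _sha256(full)
    return hits


def ssh_exposure(root="/"):
    """Return (private_key_paths, known_hosts_targets) found under root/root and root/home/*.

    Hashed known_hosts lines (prefix "|1|") are skipped because the host name
    cannot be recovered from them; only plaintext entries are reported.
    """
    homes = [os.path.join(root, "root")]
    home_parent = os.path.join(root, "home")
    if os.path.isdir(home_parent):
        homes += [os.path.join(home_parent, d) for d in os.listdir(home_parent)]

    keys, hosts = [], set()
    for home in homes:
        ssh_dir = os.path.join(home, ".ssh")
        if not os.path.isdir(ssh_dir):
            continue
        for name in os.listdir(ssh_dir):
            path = os.path.join(ssh_dir, name)
            if name == "known_hosts":
                with open(path, encoding="utf-8", errors="replace") as f:
                    for line in f:
                        line = line.strip()
                        if not line or line.startswith("#") or line.startswith("|1|"):
                            continue
                        # First field may be a comma-separated alias list; take the first alias.
                        hosts.add(line.split()[0].split(",")[0])
            elif name.startswith("id_") and not name.endswith(".pub"):
                keys.append(path)
    return sorted(keys), sorted(hosts)


def build_demo_root():
    """Construct a sample tree (constructed data, not from the campaign) and return its path."""
    root = tempfile.mkdtemp(prefix="hadooken-triage-")
    os.makedirs(os.path.join(root, "usr", "bin"))
    os.makedirs(os.path.join(root, "root", ".ssh"))
    with open(os.path.join(root, "usr", "bin", "crondr"), "wb") as f:
        f.write(b"x")  # placeholder content standing in for the dropped binary
    with open(os.path.join(root, "root", ".ssh", "id_rsa"), "w") as f:
        f.write("PLACEHOLDER PRIVATE KEY\n")
    with open(os.path.join(root, "root", ".ssh", "id_rsa.pub"), "w") as f:
        f.write("ssh-rsa PLACEHOLDER\n")
    with open(os.path.join(root, "root", ".ssh", "known_hosts"), "w") as f:
        f.write("10.0.0.5 ssh-ed25519 PLACEHOLDER\n")
        f.write("|1|hashedsalt|hashedhost ssh-rsa PLACEHOLDER\n")  # skipped: hashed entry
        f.write("web01,10.0.0.6 ssh-rsa PLACEHOLDER\n")
    return root


if __name__ == "__main__":
    demo = build_demo_root()
    print("miner artifacts:", find_miner_artifacts(demo))
    keys, hosts = ssh_exposure(demo)
    print("private keys:", keys)
    print("known_hosts targets to check:", hosts)
```

Run it without arguments to exercise the constructed tree, or call `find_miner_artifacts("/")` and `ssh_exposure("/")` on a live host (or on a mounted disk image by passing its mount point) to get the hit list and the set of downstream hosts to review.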

Hadooken’s second payload is a DDoS bot client known as Tsunami, Amnesia, or Muhstik. This malware has been around since at least 2020 in different variants, but the Aqua researchers haven’t seen attackers actually making use of it in this campaign after it was deployed. They speculate it could be part of a later stage of the attack.

One of the IP addresses from where Hadooken was downloaded has been associated in the past with campaigns by TeamTNT and Gang8220, but this link is not strong enough to support any attribution for this new campaign. Different groups of cybercriminals can use the same virtual server hosting companies at different times.

The researchers did however find a PowerShell script on one of the servers used to deliver Hadooken and that script was designed to deploy a Windows ransomware program called Mallox.

“There are some reports that this IP address is used to disseminate this ransomware, thus we can assume that the threat actor is targeting both Windows endpoints to execute a ransomware attack, but also Linux servers to target software often used by big organizations to launch backdoors and cryptominers,” the Aqua researchers said. During their analysis of the Hadooken binary, the researchers also found some possible links to the RHOMBUS dropper and the NoEscape ransomware, which has a variant for Linux. Although these files were not dropped in the honeypot attack analyzed by Aqua it’s possible that these attackers are deploying ransomware on both Windows and Linux systems.