Hadooken’s Comprehensive Analysis: A New Malware is Targeting Oracle WebLogic Servers

Linux Express
6 min read · Sep 14, 2024


Hadooken, a newly discovered Linux malware, has been targeting Oracle WebLogic servers. It exploits weak credentials and vulnerabilities to launch a range of malicious activities, including cryptocurrency mining and deploying the Tsunami botnet.


With its complex attack vectors, persistence mechanisms, and ability to evade detection, Hadooken is becoming a significant threat to enterprise environments, especially those running critical services on WebLogic servers. This article will provide a detailed technical analysis of the Hadooken malware, its components, attack methods, and how organizations can protect themselves.

Hadooken Malware: Key Components and Execution

The Hadooken malware operates in multiple stages, relying on two key scripts: a shell script (c) and a Python script (y). Both scripts are designed to achieve the same objectives, so the infection succeeds even when one interpreter is missing or one script fails. Once executed, these scripts download Hadooken from remote servers and deploy additional malware components, including a cryptominer and the Tsunami botnet.

Shell Script c and Python Script y

Script c:

  • Function: A shell script responsible for downloading the Hadooken malware and preparing the environment for its deployment. The script is designed to scan directories containing SSH data, including credentials and secrets, and leverage this information for lateral movement across the network.

Key Operations:

  • Retrieves Hadooken from a remote server (IP addresses: 89.185.85[.]102 and 185.174.136[.]204).
  • Scans the /home and /root directories for SSH material (private keys, known_hosts, and similar files).
  • Uses the harvested credentials to attempt logins to the hosts they reference, spreading to connected systems.
  • Executes the Hadooken malware and deletes itself to hinder detection and forensics.

Script y:

  • Function: A Python-based alternative to the shell script, ensuring the malware can be deployed even if the shell script fails.

Key Operations:

  • Similar to c, it downloads the Hadooken malware from remote servers and executes it.
  • Targets SSH credentials and moves laterally across the network.

Malware Components

Once Hadooken is executed, it deploys two core components to perform its malicious activities:

  1. Cryptocurrency Miner:
  • Purpose: The miner hijacks the server’s computational resources to mine cryptocurrency, primarily Monero.
  • File Locations: The cryptominer is dropped into three locations: /usr/bin/crondr, /usr/bin/bprofr, and /mnt/-java. Its processes run under names such as -bash and -java so that they blend in with login shells and JVMs in a process listing. A leading dash is exactly what a genuine login shell’s argv[0] looks like, so the name alone is not a reliable indicator; the executable behind the process is.
  • MD5 Hash: The packed cryptominer’s hash is b9f096559e923787ebb1288c93ce2902; after unpacking, the hash is 9bea7389b633c331e706995ed4b3999c.

  2. Tsunami Botnet:
  • Purpose: Tsunami (also known as Kaiten) is a DDoS botnet and backdoor that gives attackers remote control of compromised systems. Although it was not active in all observed attacks, its presence suggests it could be deployed in later stages for DDoS or further malware propagation.
  • File Location: Tsunami is dropped into /tmp/<random>; the random filename defeats detection rules that key on a fixed path.
  • MD5 Hash: The MD5 hash of the Tsunami sample is 8eef5aa6fa9859c71b55c1039f02d2e6.

Persistence Mechanisms and Defense Evasion

Hadooken employs several tactics to ensure persistence and evade detection:

  • Cron Jobs: The malware creates multiple cron jobs with randomized names and varying execution intervals (hourly, daily, weekly, and monthly). These jobs repeatedly execute the cryptominer, so it comes back after a reboot or after an administrator kills the process. The jobs are placed as drop-in scripts under /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, and /etc/cron.monthly with randomly generated filenames, so the file name cannot be used to identify them; what they execute can.

Illustrative cron entry (crontab syntax; the drop-in scripts under /etc/cron.* carry no schedule field because the directory sets the interval):

*/15 * * * * /usr/bin/crondr -bash

  • Base64 Encoding: The malware payloads are encoded using Base64, a common technique to hide malicious code from simple string-matching scanners. Base64 is an encoding, not encryption, so any scanner or analyst that decodes the blob sees the payload in the clear.
  • Masquerading: As mentioned, Hadooken names its processes after legitimate system binaries such as -bash and -java, making it difficult for administrators to distinguish between normal and malicious activity in a process listing.
  • Log Deletion: After execution, Hadooken deletes relevant system logs to cover its tracks. This significantly complicates forensic analysis and makes it harder to identify the point of compromise, which is why log forwarding to a remote collector matters.
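The dropper behaviour, drop locations, hashes, and persistence tricks described in the sections above can be turned into a host check. The following hunting script is an added example, not Aqua’s code or anything from the malware: the paths, process names, and MD5s are the ones cited above, while the ROOT/PROC overrides (so a mounted disk image can be checked), the “executable does not match argv[0]” heuristic, the list of logs, and the --run flag are this example’s own assumptions.

```shell
#!/bin/sh
# Hadooken host check (added example; paths, names and hashes from the analysis
# above, everything else is an assumption of this example).
# Usage: sh hunt_hadooken.sh --run                   # live host, run as root
#        ROOT=/mnt/image sh hunt_hadooken.sh --run   # mounted disk image

ROOT="${ROOT:-}"        # filesystem prefix; empty means the live system
PROC="${PROC:-/proc}"   # proc root; overridable so the checks can run offline

MINER_PATHS="/usr/bin/crondr /usr/bin/bprofr /mnt/-java"
# packed miner, unpacked miner, Tsunami (MD5s cited in the analysis)
KNOWN_MD5="b9f096559e923787ebb1288c93ce2902 9bea7389b633c331e706995ed4b3999c 8eef5aa6fa9859c71b55c1039f02d2e6"
MINER_RE='crondr|bprofr|/mnt/-java'

# 1. Dropped binaries: known paths that exist, plus any file in the drop
#    directories whose MD5 matches a known sample.
check_dropped_files() {
  for p in $MINER_PATHS; do
    [ -e "$ROOT$p" ] && echo "DROPPED_PATH $ROOT$p"
  done
  for d in "$ROOT/usr/bin" "$ROOT/mnt" "$ROOT/tmp"; do
    [ -d "$d" ] || continue
    find "$d" -maxdepth 1 -type f -exec md5sum {} + 2>/dev/null |
      while read -r sum file; do
        case " $KNOWN_MD5 " in *" $sum "*) echo "KNOWN_HASH $sum $file" ;; esac
      done
  done
  return 0
}

# 2. Cron persistence: drop-in scripts under /etc/cron.* and crontab entries
#    that launch the miner. The names are random, so match on what they run.
check_cron_persistence() {
  for d in cron.hourly cron.daily cron.weekly cron.monthly cron.d; do
    [ -d "$ROOT/etc/$d" ] || continue
    grep -lE "$MINER_RE" "$ROOT/etc/$d"/* 2>/dev/null | sed 's/^/CRON_DROPIN /'
  done
  grep -rnE "$MINER_RE" "$ROOT/etc/crontab" "$ROOT/var/spool/cron" 2>/dev/null |
    sed 's/^/CRONTAB /'
  return 0
}

# 3. Masquerading: argv[0] of "-bash" or "-java" whose executable is not the
#    real shell or JVM, or was deleted after launch. A genuine login shell also
#    shows "-bash", so argv[0] on its own proves nothing; /proc/PID/exe does.
check_masquerading() {
  for p in "$PROC"/[0-9]*; do
    [ -r "$p/cmdline" ] || continue
    argv0=$(tr '\000' '\n' < "$p/cmdline" | head -n 1)
    case "$argv0" in -bash|-java) ;; *) continue ;; esac
    exe=$(readlink "$p/exe" 2>/dev/null || echo '?')
    case "$exe" in
      /bin/bash|/usr/bin/bash|*/bin/java) ;;   # expected binaries
      *) echo "MASQUERADE pid=${p##*/} argv0=$argv0 exe=$exe" ;;
    esac
  done
  return 0
}

# 4. Log wiping: logs that exist but are empty deserve a closer look.
check_log_tampering() {
  for f in wtmp btmp lastlog auth.log secure syslog messages; do
    [ -e "$ROOT/var/log/$f" ] && [ ! -s "$ROOT/var/log/$f" ] && echo "EMPTY_LOG $ROOT/var/log/$f"
  done
  return 0
}

# 5. SSH material the dropper harvests from /home and /root: rotate these keys
#    and review authorized_keys on this host and on the hosts in known_hosts.
list_harvestable_ssh_material() {
  find "$ROOT/root/.ssh" "$ROOT/home"/*/.ssh -maxdepth 1 -type f \
    \( -name 'id_*' -o -name authorized_keys -o -name known_hosts -o -name config \) \
    2>/dev/null | sed 's/^/SSH_MATERIAL /'
  return 0
}

run_all() {
  check_dropped_files; check_cron_persistence; check_masquerading
  check_log_tampering; list_harvestable_ssh_material
}
case "${1:-}" in --run) run_all ;; esac
```

Every line the script prints is a lead, not a verdict: a MASQUERADE hit with a “(deleted)” executable after a package upgrade is benign, whereas one whose executable is /usr/bin/crondr is not. Run it as root, and on a live host prefer copying the suspect binaries off before killing anything, since the cron drop-ins will otherwise respawn the miner while you look.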

How Does Tsunami Work with Hadooken?

Tsunami, an integral part of the Hadooken toolkit, primarily functions as a DDoS botnet and backdoor. Variants of it brute-force SSH servers to infect additional systems and grow the botnet. Tsunami allows remote attackers to control compromised servers and coordinate large-scale DDoS attacks. Pairing Tsunami with Hadooken gives the campaign a second use for each compromised host: mining while idle, and disruption or further propagation on command.

Hadooken Malware Components and Execution

The following tables summarize Hadooken’s workings: file locations, persistence techniques, and hashes associated with the malware, followed by the MITRE ATT&CK techniques that the behaviors described above correspond to.

Component          | Location(s)                                  | MD5                                                                                   | Persistence / notes
Shell dropper (c)  | downloaded; deletes itself after execution   | n/a                                                                                   | harvests SSH material from /home and /root; Base64-encoded payloads
Python dropper (y) | downloaded; same role as c                   | n/a                                                                                   | fallback if the shell script fails
Cryptominer        | /usr/bin/crondr, /usr/bin/bprofr, /mnt/-java | b9f096559e923787ebb1288c93ce2902 (packed), 9bea7389b633c331e706995ed4b3999c (unpacked) | randomly named cron jobs under /etc/cron.*; runs as "-bash" / "-java"
Tsunami (Kaiten)   | /tmp/<random>                                | 8eef5aa6fa9859c71b55c1039f02d2e6                                                      | DDoS botnet and backdoor; not active in all observed attacks

Key Attack Techniques (Mapped to MITRE ATT&CK Framework)

Mapping reconstructed from the behaviors described above (technique IDs are from ATT&CK for Enterprise):

Tactic              | Technique                                                                                        | Hadooken behavior
Initial Access      | T1190 Exploit Public-Facing Application                                                          | weak or default WebLogic credentials, exposed consoles, deserialization flaws
Execution           | T1059.004 Command and Scripting Interpreter: Unix Shell; T1059.006 Python                       | droppers c and y
Persistence         | T1053.003 Scheduled Task/Job: Cron                                                               | randomly named cron jobs that relaunch the miner
Defense Evasion     | T1036.005 Masquerading: Match Legitimate Name or Location; T1140 Deobfuscate/Decode Files or Information; T1070.002 Indicator Removal: Clear Linux or Mac System Logs; T1070.004 Indicator Removal: File Deletion | "-bash"/"-java" process names; Base64 payloads; log wiping; dropper deletes itself
Credential Access   | T1110 Brute Force; T1552.004 Unsecured Credentials: Private Keys                                 | password guessing against WebLogic; reading SSH keys in /home and /root
Lateral Movement    | T1021.004 Remote Services: SSH                                                                   | reuse of harvested SSH credentials against connected hosts
Command and Control | T1105 Ingress Tool Transfer                                                                      | payload download from 89.185.85[.]102 and 185.174.136[.]204
Impact              | T1496 Resource Hijacking; T1498 Network Denial of Service                                        | Monero mining; Tsunami DDoS capability

Common Vulnerabilities in Oracle WebLogic Servers

Oracle WebLogic servers are frequently targeted because of several recurring weaknesses:

  • Weak Credentials: Poor password policies and default credentials let password guessing succeed, as seen in the Hadooken campaign.
  • Deserialization Vulnerabilities: WebLogic has a long history of Java deserialization flaws, reachable through the T3 and IIOP protocols as well as the administration console, in which a crafted serialized object sent to the server leads to remote code execution (RCE).
  • Exposed Administrative Consoles: Many WebLogic servers expose their administrative consoles to the internet without proper security controls, handing attackers both a password-guessing surface and a path to any unpatched console vulnerability.

How to Protect Oracle WebLogic Servers from Hadooken

To defend against Hadooken, organizations should implement the following best practices:

  1. Enforce Strong Passwords: Use complex, unique passwords for all administrative accounts, and never leave default credentials in place. Add multi-factor authentication (MFA) where the deployment supports it.
  2. Apply Patches and Updates: Ensure WebLogic servers have the latest security patches. Oracle releases Critical Patch Updates (CPUs) quarterly to address known vulnerabilities.
  3. Limit Console Access: Restrict access to the WebLogic administrative console with firewalls and network segmentation. Only trusted administrative networks should be able to reach the console.
  4. Monitor for Unusual Activity: Regularly review system logs and monitor for abnormal activity, such as unknown cron jobs, processes whose executable does not match their name, or unexpected CPU usage. Ship logs to a remote collector so that local log deletion does not erase the evidence, and deploy security tools that detect cryptominers and DDoS botnets.
  5. Harden SSH Access: Secure SSH access with key-based authentication and turn off password-based authentication where possible. Rotate SSH keys after any suspected compromise, since Hadooken harvests them from /home and /root.

Other Malware Strains Linked to Hadooken

Static analysis of the Hadooken binary has revealed potential connections to the following ransomware families:

  • RHOMBUS: This ransomware has been linked to Hadooken but has not yet been deployed in observed attacks. Future versions of the malware may incorporate this ransomware as an additional payload.
  • NoEscape: Similar to RHOMBUS, NoEscape is another ransomware strain that could be introduced in future iterations of Hadooken.
  • Mallox: A PowerShell script associated with Hadooken has been found to distribute the Mallox ransomware on Windows systems, suggesting that the threat actors target both Linux and Windows environments.

Conclusion

Hadooken is a sophisticated malware campaign that combines cryptocurrency mining, DDoS attacks, and lateral movement across networks. Its ability to exploit weak credentials and maintain persistence through cron jobs and log deletion makes it a potent threat to organizations using Oracle WebLogic servers. By understanding the malware’s technical intricacies and implementing robust security measures, organizations can protect themselves from Hadooken and similar attacks.

To mitigate this evolving threat, organizations should focus on securing their WebLogic environments, applying regular patches, and continuously monitoring for signs of compromise.

Research Credit:

This article’s technical insights and analysis are grounded in significant contributions from security researchers, with notable credit to Aqua Security’s Nautilus Research Team. Aqua Security played a pivotal role in discovering and analyzing the Hadooken malware campaign. Its detailed reports shed light on the malware’s components, including its deployment of cryptominers and the Tsunami botnet, as well as the evasion techniques used to maintain persistence in compromised Oracle WebLogic environments. Aqua’s in-depth research has provided a critical understanding of the malware’s attack patterns, file structures, and defensive strategies.

Additional technical analysis, threat intelligence, and mappings to the MITRE ATT&CK framework further enhanced the understanding of Hadooken’s behavior. This work by Aqua Security has been instrumental in identifying the vulnerabilities in Oracle WebLogic servers that are being exploited by Hadooken, providing actionable insights to mitigate the threat.

For more detailed technical data, Aqua Security’s ongoing threat research can be found on the Aqua Security website.
