'Hadooken' Malware Targets Oracle's WebLogic Servers

A threat actor is dropping a cryptominer and distributed denial-of-service (DDoS) malware on Oracle WebLogic Servers using "Hadooken."

Researchers at Aqua Nautilus spotted the malware when it hit one of their honeypots last month. Their subsequent analysis showed Hadooken to be the main payload in an attack chain that began with the threat actor brute-forcing its way into the administration panel of Aqua's weakly protected WebLogic honeypot. It appears Hadooken's authors named the malware after the iconic Surge Fist move in the Street Fighter series of video games.

Once inside the Aqua system, the attacker downloaded Hadooken to it using two nearly functionally identical scripts — a Python script and a "c" shell script — with one likely acting as a backup for the other. Aqua found both scripts designed to run Hadooken on the compromised honeypot and to then delete the file.

"In addition, the shell script version attempts to iterate over various directories containing SSH data (such as user credentials, host information, and secrets) and uses this information to attack known servers," Aqua's lead researcher, Assaf Morag, said in a report. "It then moves laterally across the organization or connected environments to further spread the Hadooken malware."

A Valuable Target

Oracle's WebLogic Server allows customers to build and deploy Java applications. Thousands of organizations — including some of the world's largest banking and financial services companies, professional services firms, healthcare entities, and manufacturing companies — have deployed WebLogic. These deployments include modernizing their Java enterprise application environment, deploying Java apps in the cloud, and building Java microservices. Critical vulnerabilities, including those that have enabled complete takeover of WebLogic Server, have made the technology a frequent target for attacks over the years. Configuration errors, such as weak passwords and Internet-exposed admin consoles, have exacerbated the risks around the platform.

In Aqua's honeypot attack, the threat actor gained initial access to the WebLogic server by brute-forcing past the security vendor's deliberately weak password. Hadooken then dropped two executable files: Tsunami, a malware used in numerous DDoS attacks going back at least a decade; and a cryptominer. In addition, Aqua found the malware creating multiple cron jobs — which schedule commands or scripts to run automatically at specific intervals or times — to maintain persistence on the compromised system.

Potential for More Trouble

Aqua's analysis showed no sign of the adversary actually using Tsunami in the attack, but the security vendor didn't rule out the possibility of that happening at a later stage. Equally likely is the possibility that the attacker could tweak Hadooken relatively easily to target other Linux platforms, Morag tells Dark Reading. "At the moment we've only seen indications the attackers are brute-forcing their way to WebLogic Servers," Morag says. "But based on other attacks and campaigns, we assume the attackers won't limit themselves to WebLogic."

It's also likely that the attackers won't limit themselves to cryptocurrency and DDoS malware in future Hadooken campaigns. Aqua's static analysis of the malware showed links in the code to Rhombus and NoEscape ransomware, but no actual use of the code during the attack on its honeypot. Aqua found the threat actor using two IP addresses, one in Germany and the other in Russia, to download Hadooken on compromised systems. The German IP address is one that two other threat groups — TeamTNT and Gang 8220 — have used in previous campaigns, but there is nothing to suggest they are linked to the Hadooken campaign, Aqua said.

The company recommends that organizations consider using mechanisms like infrastructure-as-code scanning tools, cloud security posture management tools, Kubernetes security and configuration tools, runtime security tools, and container security tools to mitigate threats like Hadooken.

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!