
Oracle WebLogic servers subjected to novel Hadooken malware attacks


Numerous attacks using the new Linux malware dubbed "Hadooken" have been launched against Oracle WebLogic servers during the past few weeks, The Register reports.

After gaining initial server access via weak passwords, the threat actors launch a pair of scripts to retrieve the Hadooken malware, which bundles not only a cryptocurrency miner but also the Tsunami distributed denial-of-service botnet, according to a report from Aqua Security. Although there is no evidence that Tsunami has been executed, Hadooken has already been used to establish persistence and to steal credentials and secrets. Further analysis revealed that Hadooken uses an IP address previously associated with the Gang 8820 and TeamTNT operations, and that it has binaries tied to the NoEscape and RHOMBUS ransomware payloads. "...[W]e can assume that the threat actors [are] targeting ... Windows endpoints to execute a ransomware attack, but also Linux servers to target software often used by big organizations to launch backdoors and cryptominers," said Aqua Security Lead Data Analyst Assaf Morag.
