A new cryptomining campaign infects WebLogic servers with the Hadooken malware

One of the components Hadooken carries is a cryptocurrency miner, spread across three locations on the system: /usr/bin/crondr, /usr/bin/bprofr and /mnt/-java. Cryptominers are a common way to monetize compromised servers.
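A simple host check for those three locations, written as an added example for this article (it is not code from the report or from Aqua's researchers). The indicator paths are the ones named above; the ROOT prefix argument is an assumption added so the same function can be pointed at a mounted disk image or a test directory instead of the live filesystem.

```shell
#!/bin/sh
# Added example: audit a filesystem for the three Hadooken miner locations
# named in the article. Paths come from the article; the ROOT prefix is an
# assumption so the check can run against a mounted image or a test tree.

# Indicator paths from the article, relative to the filesystem root.
HADOOKEN_PATHS="/usr/bin/crondr /usr/bin/bprofr /mnt/-java"

# hadooken_check ROOT
# Prints every indicator path that exists under ROOT, one per line.
# Exit status: 0 when nothing is found, 1 when at least one indicator exists,
# so it can be used directly in a monitoring job or a shell conditional.
hadooken_check() {
    root="${1:-}"
    found=0
    for p in $HADOOKEN_PATHS; do
        # -e matches files, directories and symlinks alike; do not follow
        # or execute anything found, just report it.
        if [ -e "$root$p" ]; then
            echo "$root$p"
            found=1
        fi
    done
    return "$found"
}
```

Run `hadooken_check ""` on a live host, or `hadooken_check /mnt/image` after mounting a suspect disk read-only; a non-zero exit with one or more paths printed means the host needs a closer look, while a clean result only says these particular file names are absent.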

Hadooken’s second component is a DDoS bot client known as Tsunami, Amnesia, or Muhstik. This malware has been around since at least 2020 in different forms, but Aqua researchers have not seen the attackers use it in this campaign after it is dropped. They think it may be part of the latest phase of the attack.

One of the IP addresses from which Hadooken was downloaded has previously been associated with campaigns by TeamTNT and Gang8220, but that link is not strong enough to attribute this new campaign to either group. Different hacker groups may use the same hosting companies at different times.
