Full Report
Researchers discovered a new Linux malware named "Hadooken" that specifically targets Oracle WebLogic servers. The malware exploits weak passwords to gain access and then deploys both Tsunami malware and a cryptominer. The attack flow involves using a combination of shell and ...
Analysis Summary
# Tool/Technique: Hadooken Malware
## Overview
Hadooken is a newly discovered Linux malware specifically designed to target Oracle WebLogic servers. Its primary function is to compromise these servers by exploiting weak passwords, executing further stages of malware (Tsunami and a cryptominer), and ensuring persistence.
## Technical Details
- Type: Malware family
- Platform: Linux
- Capabilities: Weak password exploitation, lateral movement by iterating over SSH directories, persistence via cron jobs, log clearing, delivery of secondary payloads (Tsunami, cryptominer).
- First Seen: Unknown (Discovered around September 12, 2024)
## MITRE ATT&CK Mapping
(Note: Mappings are inferred directly from Hadooken's reported actions)
- **TA0001 - Initial Access**
  - T1110 - Brute Force
    - T1110.003 - Password Guessing
  - T1190 - Exploit Public-Facing Application (Implied by targeting misconfigured WebLogic)
- **TA0003 - Persistence**
  - T1545 - Event Triggered Execution
    - T1545.003 - Cron Job
- **TA0005 - Defense Evasion**
  - T1070 - Indicator Removal
    - T1070.001 - Indicator Removal: Clear OS Log
- **TA0008 - Lateral Movement**
  - T1021 - Remote Services
    - T1021.001 - Remote Services: SSH
- **TA0011 - Command and Control** (Implied by secondary malware deployment)
  - T1105 - Ingress Tool Transfer (for downloading Tsunami/Cryptominer)
## Functionality
### Core Capabilities
- Exploits weak passwords on Oracle WebLogic servers for initial access and Remote Code Execution (RCE).
- Downloads and executes itself using a combination of shell and Python scripts.
- Deploys secondary malware payloads, specifically Tsunami and a cryptominer.
- Establishes persistence mechanisms using randomly named cron jobs.
### Advanced Features
- **Lateral Movement:** Iterates over SSH directories (`.ssh/`) to gather information and move laterally to other known servers.
- **Defense Evasion:** Actively clears system logs to obscure its activity.
- **Multi-Stage Payload Delivery:** Drops multiple components in non-persistent directories under names like `-java` and `-bash`.
- **Future Payload Potential:** The context mentions that Hadooken may set the stage for Mallox ransomware deployment (Mallox is listed only as an "Observed tool"; this summary does not confirm that Hadooken deploys it).
## Indicators of Compromise
- File Hashes: [Not provided in context]
- File Names: `-java`, `-bash` (used for dropped malware components)
- Registry Keys: [Not applicable for Linux scope, potentially system files/directories instead]
- Network Indicators: [C2 information for Tsunami/Cryptominer not detailed beyond general download activity]
- Behavioral Indicators: Execution of shell/Python scripts for initial download; creation of new cron jobs; deletion of system logs; scanning of SSH directories.
## Associated Threat Actors
- Unknown (Listed as Unknown in the provided context)
## Detection Methods
- Signature-based detection: YARA rules targeting specific strings/patterns related to the downloaded shell/Python scripts.
- Behavioral detection: Monitoring for unauthorized execution of scripts originating from WebLogic processes, unexpected cron job creation, and mass log clearing events.
- YARA rules if available: [Not provided in context]
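The behavioral indicators listed above are most useful when correlated per account on a host rather than alerted on individually. The following is an added example, not part of the original report: it encodes those indicators as rules and runs them over constructed audit-style events (the `type=... key=value` field names and all sample values are assumptions, not real Hadooken telemetry).

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed audit-style events, one per line; field names are assumed, not real auditd syntax.
SAMPLE_EVENTS = """\
type=EXECVE uid=weblogic ppid_comm=java comm=sh argv="/bin/sh -c /tmp/c"
type=EXECVE uid=weblogic ppid_comm=java comm=python3 argv="python3 /tmp/y"
type=CREATE uid=weblogic path=/var/spool/cron/crontabs/weblogic
type=CREATE uid=weblogic path=/tmp/-java
type=UNLINK uid=weblogic path=/var/log/wtmp
type=OPEN uid=weblogic path=/home/admin/.ssh/known_hosts
type=EXECVE uid=admin ppid_comm=sshd comm=bash argv="bash -l"
type=OPEN uid=admin path=/home/admin/.ssh/known_hosts
""".splitlines()

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
SCRIPT_INTERPRETERS = {"sh", "bash", "dash", "python", "python2", "python3"}
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def parse(line: str) -> Dict[str, str]:
    """Split one event line into a dict, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def classify(ev: Dict[str, str]) -> List[str]:
    """Return every behavioral indicator from the report that this event matches."""
    hits = []
    t, path = ev.get("type"), ev.get("path", "")
    if t == "EXECVE" and ev.get("ppid_comm") == "java" and ev.get("comm") in SCRIPT_INTERPRETERS:
        hits.append("script_spawned_by_java")      # shell/Python launched from the WebLogic JVM
    if t == "CREATE" and (path.startswith("/etc/cron") or path.startswith("/var/spool/cron")):
        hits.append("cron_job_created")            # unexpected persistence via cron
    if t in ("UNLINK", "TRUNCATE") and path.startswith("/var/log/"):
        hits.append("system_log_cleared")          # indicator removal
    if t == "OPEN" and "/.ssh/" in path:
        hits.append("ssh_dir_read")                # iteration over SSH directories
    if t == "CREATE" and path.startswith(TEMP_DIRS) and path.rsplit("/", 1)[-1] in ("-java", "-bash"):
        hits.append("dash_named_drop_in_tmp")      # '-java' / '-bash' dropped in a non-persistent dir
    return hits

def correlate(lines: List[str], threshold: int = 3) -> Dict[str, List[str]]:
    """Collect distinct indicators per uid; report uids that trip at least `threshold` rules."""
    per_uid = defaultdict(set)
    for line in lines:
        ev = parse(line)
        for h in classify(ev):
            per_uid[ev.get("uid", "?")].add(h)
    return {u: sorted(hs) for u, hs in per_uid.items() if len(hs) >= threshold}

if __name__ == "__main__":
    for uid, hits in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT uid={uid}: {', '.join(hits)}")
```

A single SSH directory read by the `admin` account is not enough to alert, while the `weblogic` account trips all five rules; the threshold is the knob to tune against your own baseline noise.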
## Mitigation Strategies
- Prevention measures: Enforce strong, unique passwords across all systems, especially administrative interfaces such as the Oracle WebLogic console.
- Hardening recommendations: Implement network segmentation; restrict outbound network connections from application servers; audit and restrict cron job creation permissions; ensure WebLogic is patched against known vulnerabilities.
## Related Tools/Techniques
- **Tsunami:** A secondary malware payload deployed by Hadooken (likely a known backdoor/botnet component).
- **Mallox (or similar ransomware):** Mentioned as a potential future deployment target/stage.
- **Cryptominer:** The specific cryptomining software is not named but is a key functional component.