Numerous attacks using the new Linux malware dubbed "Hadooken" have been deployed against Oracle WebLogic servers during the past few weeks, The Register reports.
After achieving initial server access via weak passwords, threat actors launched a pair of scripts to retrieve the Hadooken malware, which features not only a cryptocurrency miner but also the Tsunami distributed denial-of-service botnet, according to a report from Aqua Security.
Although there is no evidence that Tsunami was actually executed, Hadooken has already been used to establish persistence and to steal credentials and secrets. Further analysis revealed that Hadooken has been using an IP address previously associated with the Gang 8820 and TeamTNT operations, as well as binaries tied to the NoEscape and RHOMBUS ransomware payloads.
"...[W]e can assume that the threat actors [are] targeting ... Windows endpoints to execute a ransomware attack, but also Linux servers to target software often used by big organizations to launch backdoors and cryptominers," said Aqua Security Lead Data Analyst Assaf Morag.