Hadooken Malware Targets WebLogic Applications

Sept. 13, 2024, 9:26 a.m.

Description

Aqua Nautilus researchers identified Linux malware, named Hadooken, that targets Oracle WebLogic servers. After gaining initial access by exploiting a weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow and the techniques employed by the threat actors, including remote code execution, persistence mechanisms, and lateral movement. It also provides Indicators of Compromise (IOCs) and recommendations for detecting and mitigating such attacks.

Date

  • Created: Sept. 13, 2024, 9:13 a.m.
  • Published: Sept. 13, 2024, 9:13 a.m.
  • Modified: Sept. 13, 2024, 9:26 a.m.

Indicators

  • 1fcc2061f767574044ca1e97f92ca1d44ee0b35e0a796e3bd6a949ad4b1175e5
  • 652f25d8f197ad00e4a64d1ad4066778e1bbc9a0e29faf09b90768c84f89c4ee
  • 185.174.136.204
  • 89.185.85.102

Attack Patterns