New Malware Exploits Oracle Servers for Cryptomining

The attack on Oracle WebLogic begins with the deployment of two nearly identical payloads, written in Python and as a shell script, designed to execute Hadooken. These scripts infiltrate the system, download the malware, and spread it laterally across connected environments. The malware is also capable of collecting SSH credentials from targeted systems, enabling further breaches on other servers​.

Once Hadooken is deployed, it installs a cryptominer and a DDoS botnet named Tsunami, using the server's resources to mine cryptocurrency and potentially launch attacks on other systems. To remain undetected, the malware renames its processes to mimic legitimate ones like "bash" or "java" and wipes system logs to cover its tracks​.

Additionally, the Hadooken malware shows links to ransomware families such as RHOMBUS and NoEscape, indicating a potential for future ransomware deployment. While ransomware wasn't observed in the initial attacks, security experts believe it could be introduced later​.

More than 230,000 internet-connected WebLogic servers are exposed to this threat, making it crucial for organizations to strengthen their security measures, such as enforcing strong passwords and regularly updating software​.

What you can do

If your organization uses Oracle WebLogic servers, now is the time to review your security practices. Strengthen passwords and update all software to minimize vulnerabilities. Monitor system logs for unusual activity and processes disguised under names like "bash" or "java." These proactive measures can help prevent further exploitation of your systems and protect against future malware or ransomware campaigns​.