
New cryptomining campaign infects WebLogic servers with Hadooken malware


Researchers at Aqua Security have found that the Hadooken malware carries a cryptominer and has links to ransomware. The finding illustrates how attackers continue to adapt their tactics to turn compromised servers into a source of income.

The first payload found within Hadooken is a cryptocurrency mining program that is written to three different locations on the system: /usr/bin/crondr, /usr/bin/bprofr, and /mnt/-java. Cryptominers have become a popular way for attackers to profit from hijacked servers: the miner consumes the processing power of the infected system to mine cryptocurrency without the owner's knowledge.
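The three drop locations above are the only host-level indicators the article gives, so the natural defensive check is a sweep that looks for them. The following script is an added example, not code from Aqua Security or from the article: it reports whether any of the named paths exist, records size, permission bits and a SHA-256 of each regular file it finds, and (on Linux) lists any process whose executable resolves to one of those paths. The `sweep`, `Finding` and `_pids_running_path` names, and the `root`/`proc_root` parameters that let the sweep be pointed at a mounted image or a test directory, are assumptions of this example.

```python
#!/usr/bin/env python3
"""Sweep a host for the Hadooken cryptominer drop locations named in the
article.  Added example; not the article's or Aqua Security's own code."""
import hashlib
import os
import stat
from dataclasses import dataclass, field
from typing import List, Optional, Sequence

# Drop paths for the miner as reported in the article.
HADOOKEN_MINER_PATHS = ("/usr/bin/crondr", "/usr/bin/bprofr", "/mnt/-java")


@dataclass
class Finding:
    ioc: str                 # the indicator path as published
    located_at: str          # where it was actually found (root + ioc)
    size: int
    mode: str                # e.g. "-rwxr-xr-x"
    sha256: Optional[str]    # None when the path is not a regular file
    pids: List[int] = field(default_factory=list)  # processes running it


def _sha256(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries do not get read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _pids_running_path(path: str, proc_root: str = "/proc") -> List[int]:
    """Return PIDs whose /proc/<pid>/exe resolves to `path` (Linux only).

    A miner that was started and then unlinked from disk shows up as
    "<path> (deleted)", so that form is matched too.  Unreadable entries
    (other users' processes, kernel threads) are skipped silently."""
    pids: List[int] = []
    try:
        entries = os.listdir(proc_root)
    except OSError:
        return pids
    for entry in entries:
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue
        if exe == path or exe == path + " (deleted)":
            pids.append(int(entry))
    return pids


def sweep(root: str = "/", proc_root: str = "/proc",
          paths: Sequence[str] = HADOOKEN_MINER_PATHS) -> List[Finding]:
    """Check each indicator path under `root`; return one Finding per hit.

    `root` may be "/" for the live host or the mount point of an image
    being examined offline; `proc_root` only matters on a live host."""
    findings: List[Finding] = []
    for ioc in paths:
        full = os.path.join(root, ioc.lstrip("/"))
        if not os.path.lexists(full):      # lexists: a dangling symlink counts
            continue
        st = os.lstat(full)
        digest = _sha256(full) if os.path.isfile(full) else None
        findings.append(Finding(
            ioc=ioc,
            located_at=full,
            size=st.st_size,
            mode=stat.filemode(st.st_mode),
            sha256=digest,
            pids=_pids_running_path(ioc, proc_root) if root == "/" else [],
        ))
    return findings


if __name__ == "__main__":
    hits = sweep()
    if not hits:
        print("no Hadooken miner drop paths present")
    for f in hits:
        running = f"running as PID(s) {f.pids}" if f.pids else "not running"
        print(f"{f.ioc}: {f.mode} {f.size} bytes sha256={f.sha256} ({running})")
```

Run it as root on a suspect WebLogic host, or point `root` at a mounted disk image to check it offline. A hit on any of these paths is worth a closer look even when nothing is running, and a process whose executable resolves to one of them but whose file has since been deleted is the pattern a miner leaves when it has cleaned up after itself.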

The second payload discovered in Hadooken is a DDoS bot client known as Tsunami, Amnesia, or Muhstik. This malware has been in circulation since at least 2020, with various iterations appearing over the years. However, the researchers at Aqua note that the attackers behind this campaign have not yet used Tsunami's DDoS capabilities after deploying it; they speculate that this functionality may be reserved for a later stage of the attack.

Interestingly, one of the IP addresses linked to the download of Hadooken has been associated with previous campaigns by groups such as TeamTNT and Gang8220. Despite this connection, there is not enough evidence to attribute the new campaign to any specific cybercriminal organization: different groups commonly rent infrastructure from the same virtual server hosting companies at different times, which makes the origin of such attacks difficult to pinpoint.

Overall, the discovery of Hadooken and its payloads underscores the ongoing threat that cybercriminals pose to organizations and individuals alike. As attackers continue to develop new ways of monetizing compromised servers, cybersecurity professionals need to remain vigilant and proactive in defending against such attacks. Collaboration between security researchers and industry stakeholders will be crucial to staying one step ahead of these evolving threats.
