Hadooken carries a cryptominer and links to ransomware
One of the payloads stored inside Hadooken is a cryptocurrency mining program that is deployed in three different locations on the system: /usr/bin/crondr, /usr/bin/bprofr and /mnt/-java. Cryptominers are a common method of monetizing compromised servers.
Hadooken's second payload is a DDoS bot client known as Tsunami, Amnesia, or Muhstik. This malware has been around since at least 2020 in various variants, but the Aqua researchers have not seen attackers actually using it in this campaign after it was deployed. They speculate it could be part of a later stage of the attack.
One of the IP addresses from which Hadooken was downloaded has been associated in the past with campaigns by TeamTNT and Gang8220, but this link is not strong enough to support any attribution for this new campaign. Different groups of cybercriminals can use the same virtual server hosting companies at different times.
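A defender can turn the three drop locations named above into a simple host check. The following is an added example, not code from the article or from Aqua: it compares a list of observed file paths against the reported Hadooken miner paths and, as a separate heuristic that the article does not state, also flags any file whose name begins with a dash (as /mnt/-java does), since such names are awkward to handle with ordinary shell tools and are worth a second look. The sample inventory is constructed for the demonstration.

```python
import os
from pathlib import PurePosixPath

# Drop locations for the Hadooken cryptominer as reported in the article.
HADOOKEN_MINER_PATHS = frozenset({
    "/usr/bin/crondr",
    "/usr/bin/bprofr",
    "/mnt/-java",
})

# Constructed file inventory for the demonstration; not real host data.
SAMPLE_INVENTORY = [
    "/usr/bin/crondr",
    "/usr/bin/python3",
    "/mnt/-java",
    "/mnt/data/-hidden",
    "/usr/bin/bprofr",
    "/opt/app/run.sh",
]


def find_hadooken_indicators(paths):
    """Return sorted (path, reason) tuples for suspicious entries.

    A path is reported when it exactly matches one of the drop locations
    from the article, or (heuristic, an assumption of this example) when
    its final component starts with a dash, mirroring the /mnt/-java naming.
    """
    hits = []
    for raw in paths:
        path = PurePosixPath(raw)
        normalized = str(path)
        if normalized in HADOOKEN_MINER_PATHS:
            hits.append((normalized, "known Hadooken miner path"))
        elif path.name.startswith("-"):
            hits.append((normalized, "leading-dash filename (heuristic)"))
    return sorted(hits)


def scan_directories(directories=("/usr/bin", "/mnt")):
    """Walk the given directories on the live host and run the check.

    Default directories are the parents of the reported drop locations;
    unreadable or missing directories are skipped rather than raising.
    """
    observed = []
    for top in directories:
        for root, _dirs, files in os.walk(top, onerror=lambda _e: None):
            for name in files:
                observed.append(os.path.join(root, name))
    return find_hadooken_indicators(observed)


if __name__ == "__main__":
    # Run against the constructed inventory first, then against the host.
    for path, reason in find_hadooken_indicators(SAMPLE_INVENTORY):
        print(f"[sample] {path}: {reason}")
    for path, reason in scan_directories():
        print(f"[host]   {path}: {reason}")
```

An exact-path match on the known locations is a low-noise signal; the leading-dash heuristic will produce occasional benign hits, so treat it as a triage prompt rather than an alert on its own.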