Hadooken carries a cryptominer and links to ransomware
One of the payloads stored inside Hadooken is a cryptocurrency mining program that is deployed in three different locations on the system: /usr/bin/crondr, /usr/bin/bprofr and /mnt/-java. Cryptominers are a common way of monetizing compromised servers.
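The three drop paths above are the concrete indicators a responder can act on immediately. The following POSIX shell snippet is an added example for this page, not code from the article or from Aqua's report: it sweeps a filesystem root for those paths, reports whether each hit is executable, and exits non-zero when anything is found so it composes with other triage steps. The ROOT parameter is an assumption added here so the same check can be pointed at a mounted disk image instead of the live host.

```shell
#!/bin/sh
# Added example: sweep for the cryptominer drop paths reported for Hadooken.
# Not part of the original article; the ROOT argument is this example's own
# convention (default "/", or a mounted image such as /mnt/evidence).

HADOOKEN_MINER_PATHS="/usr/bin/crondr /usr/bin/bprofr /mnt/-java"

# hadooken_miner_hits [ROOT]
# Prints "<path>\t<executable|not-executable>" for each reported path that
# exists under ROOT. Returns 0 when nothing is found, 1 when at least one
# path is present, so "hadooken_miner_hits || alert" works as expected.
hadooken_miner_hits() {
    root="${1:-/}"
    found=0
    for p in $HADOOKEN_MINER_PATHS; do
        # Strip a trailing slash from ROOT so "/" + "/usr/bin/crondr" is clean.
        f="${root%/}$p"
        if [ -e "$f" ]; then
            found=1
            if [ -x "$f" ]; then mode=executable; else mode=not-executable; fi
            printf '%s\t%s\n' "$f" "$mode"
        fi
    done
    [ "$found" -eq 0 ]
}

# hadooken_miner_count [ROOT]
# Number of reported paths present under ROOT, on stdout.
hadooken_miner_count() {
    hadooken_miner_hits "$1" | wc -l | tr -d ' '
}

# Usage on a live host (run as root so /usr/bin and /mnt are readable):
#   hadooken_miner_hits / || echo "Hadooken miner artefacts present"
```

A clean result only means these specific filenames are absent; the paths are indicators from one observed campaign, and a variant dropping the miner elsewhere would not be caught. Treat a hit as a trigger for full host triage (running processes, cron entries, outbound connections), not as the whole investigation.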
Hadooken's second payload is a DDoS bot client known as Tsunami, Amnesia, or Muhstik. This malware has been around since at least 2020 in different variants, but the Aqua researchers have not seen attackers actually making use of it in this campaign after it was deployed. They speculate it could be part of a later stage of the attack.
One of the IP addresses from which Hadooken was downloaded has been associated in the past with campaigns by TeamTNT and Gang8220, but this link is not strong enough to support attribution of this new campaign. Different groups of cybercriminals can use the same virtual server hosting companies at different times.