Hadooken carries a cryptominer and links to ransomware
One of the payloads stored inside Hadooken is a cryptocurrency mining program that is deployed in three different locations on the system: /usr/bin/crondr, /usr/bin/bprofr and /mnt/-java. Cryptominers are a common method of monetizing compromised servers.
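The three drop locations above are the kind of detail a responder turns into a host check. The following script is an added example, not code from the article or from Aqua: it inspects a filesystem root for the three paths the article names, records owner-independent triage metadata (type, mode, size, mtime, SHA-256) for anything found, and, as a generalisation beyond the page, also flags any file directly under /mnt whose name begins with a dash, since such names are easy to miss when cleaning up by hand (an unquoted `rm -java` is parsed as options). The `root` parameter and the constructed sample tree are assumptions added so the scan can run against a mounted image or a test directory rather than only the live host.

```python
import hashlib
import stat
import sys
import tempfile
from pathlib import Path

# Drop locations the article names for Hadooken's cryptominer payload.
MINER_DROP_PATHS = ("/usr/bin/crondr", "/usr/bin/bprofr", "/mnt/-java")

# Constructed placeholder bytes used only to build a demo/test tree; not the real payload.
CONSTRUCTED_SAMPLE = b"#!/bin/sh\n# constructed placeholder, not malware\n"


def sha256_of(path: Path) -> str:
    """Stream-hash a file so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def describe(root: Path, rel: str) -> dict:
    """Collect triage metadata for one indicator path; lstat so a dangling symlink is still reported."""
    target = root / rel.lstrip("/")
    st = target.lstat()
    if stat.S_ISLNK(st.st_mode):
        kind = "symlink"
    elif stat.S_ISREG(st.st_mode):
        kind = "file"
    else:
        kind = "other"
    return {
        "path": rel,
        "type": kind,
        "mode": stat.filemode(st.st_mode),
        "size": st.st_size,
        "mtime": int(st.st_mtime),
        "sha256": sha256_of(target) if kind == "file" else None,
    }


def scan_miner_drops(root="/") -> list:
    """Return a finding dict for each known drop path present under root (root is an added assumption)."""
    root = Path(root)
    findings = []
    for rel in MINER_DROP_PATHS:
        target = root / rel.lstrip("/")
        if target.is_symlink() or target.exists():
            findings.append(describe(root, rel))
    return findings


def dash_named_files(root="/", mount_dir="mnt") -> list:
    """Generalisation beyond the page: list entries directly under /mnt whose names start with '-'."""
    root = Path(root)
    base = root / mount_dir
    if not base.is_dir():
        return []
    return sorted("/" + p.relative_to(root).as_posix() for p in base.iterdir() if p.name.startswith("-"))


def build_constructed_tree(base=None, with_dash_file=False):
    """Create a constructed sample tree (for demos and tests) and return (base_dir, sha256 of the sample)."""
    base = Path(base) if base else Path(tempfile.mkdtemp(prefix="hadooken-demo-"))
    sample = base / "usr" / "bin" / "crondr"
    sample.parent.mkdir(parents=True, exist_ok=True)
    sample.write_bytes(CONSTRUCTED_SAMPLE)
    if with_dash_file:
        (base / "mnt").mkdir(parents=True, exist_ok=True)
        (base / "mnt" / "-java").write_bytes(CONSTRUCTED_SAMPLE)
    return str(base), hashlib.sha256(CONSTRUCTED_SAMPLE).hexdigest()


if __name__ == "__main__":
    # Usage: python hadooken_check.py [root]; with no argument the live root filesystem is scanned.
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "/"
    for hit in scan_miner_drops(scan_root):
        print("KNOWN DROP PATH PRESENT:", hit)
    for name in dash_named_files(scan_root):
        if name not in MINER_DROP_PATHS:
            print("DASH-NAMED ENTRY UNDER /mnt:", name)
```

Run it as root on a suspect host, or point it at the mount point of a disk image taken for forensics; record the SHA-256 values it prints alongside the sample hashes from the vendor report before removing anything, so the artefacts can be matched later.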
Hadooken's second payload is a DDoS bot client known as Tsunami, Amnesia, or Muhstik. This malware has existed since at least 2020 in several variants, but the Aqua researchers have not seen attackers actually make use of it in this campaign after it was deployed. They speculate it could be part of a later stage of the attack.
One of the IP addresses from which Hadooken was downloaded has been associated in the past with campaigns by TeamTNT and Gang8220, but this link is not strong enough to support any attribution for this new campaign. Different groups of cybercriminals can use the same virtual server hosting companies at different times.