Two components are included with Hadooken: a cryptocurrency miner and Tsunami, also known as Kaiten, a distributed denial-of-service (DDoS) botnet that has a history of attacking Weblogic and Jenkins services that are set up in Kubernetes clusters. Additionally, by setting up cron tasks to operate the cryptocurrency miner on the host frequently at different intervals, the malware is in charge of building persistence on the system.

According to the researchers, 89.185.85[.]102 is registered in Germany under the hosting company Aeza International LTD (AS210644). It was previously reported in February 2024 that this IP address was used to exploit vulnerabilities in Apache Log4j, Atlassian Confluence Server, and Data Center to promote a cryptocurrency campaign called 8220 Gang.

Even though it isn't in use right now, the second IP address, 185.174.136[.]204, is connected to Aeza Group Ltd. (AS216246). As demonstrated in July 2024 by researchers, Aeza is a resilient hosting provider with locations in two Frankfurt data centers and Moscow M9. The strategy employed by Aeza and its rapid expansion can be explained by the hiring of young developers connected to Russian bulletproof hosting companies that provide havens for cybercriminals.

Impact

• Code Execution
• Cryptocurrency Theft
• Unauthorized Access
• Sensitive Data Theft
• Denial of Service

Indicators of Compromise

IP

• 185.174.136.204
• 89.185.85.102

MD5

• cdf3fce392df6fbb3448c5d26c8d053e
• 4a12098c3799ce17d6d59df86ed1a5b6
• b9f096559e923787ebb1288c93ce2902
• 9bea7389b633c331e706995ed4b3999c
• 8eef5aa6fa9859c71b55c1039f02d2e6
• c1897ea9457343bd8e73f98a1d85a38f
• 73d96a4316182cd6417bdab86d4df1fc

SHA-256

• 652f25d8f197ad00e4a64d1ad4066778e1bbc9a0e29faf09b90768c84f89c4ee
• 89e16174f65709fecd11c620d57abdab53046734d5105bedce8bc357513dd64b
• 1fcc2061f767574044ca1e97f92ca1d44ee0b35e0a796e3bd6a949ad4b1175e5
• 33926b0dfc908b518213d7608f701beca2373adad1f40025c17028cac5d4837f
• 10c2913361debb5f1db95c170ce2d6892d598d97b9f1f7f76a8bc7b5053e801a
• 6882691af41db3f6d8a3a2e08dbb685db4cf9d25167738bc7c177895863dc866
• 9afb13e5ab9ec5ef9d246bf5793e6dc4c8d2b58758a22c60beeb4004f348a77c

SHA-1

• 4a3dc35d4853665d4d08f0c5220e650f28eb9c06
• 0e8a3699cfaa236b73fd5aab51649c296bc8f001
• 94851bcc8f9c651bcda0ff33d17356cb0b16cf12
• b2d07deea8da1bf44f5103a8858c7f7000309130
• 8fcbf737766a473e2f033b9ee161fcf837228da3
• c8a2a9668cc86c85536e762180dd9b032af0686c
• b53cd1a65f9edf6b53c1eb152b87e1b9a701d8f9

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Never trust or open links and attachments received from unknown sources/senders.
• Implement multi-factor authentication to add an extra layer of security to login processes.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.