Hadooken carries a cryptominer and links to ransomware
One of the payloads stored inside Hadooken is a cryptocurrency mining program that is deployed in three different locations on the system: /usr/bin/crondr, /usr/bin/bprofr and /mnt/-java. Cryptominers are a common method of monetizing compromised servers.
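As an added triage check that is not part of the article or of Aqua's research, the following POSIX shell function looks for the three drop locations named above, either on the live host or under a mounted evidence image. The three paths come from the article; the function name, the output format and the use of the hit count as the return status are assumptions made for this example. Absence of these files does not clear a host, since an attacker can change file names between campaigns, and this check says nothing about the Tsunami bot or any later ransomware stage.

```shell
#!/bin/sh
# Added example, not code from the Aqua report or the article.
# Checks for the three paths Hadooken drops its cryptominer into.
# Only the paths are taken from the article; everything else is assumed.

HADOOKEN_MINER_PATHS="/usr/bin/crondr /usr/bin/bprofr /mnt/-java"

# hadooken_miner_check [ROOT]
#   ROOT is an optional prefix, e.g. the mount point of a disk image;
#   with no argument the live filesystem is checked.
#   Prints one "HIT" line per indicator path that exists (path, size in
#   bytes and SHA-256 when sha256sum is available) and returns the number
#   of hits, so a return status of 0 means none of the paths were found.
hadooken_miner_check() {
    root="${1:-}"
    hits=0
    for p in $HADOOKEN_MINER_PATHS; do
        f="$root$p"
        if [ -e "$f" ]; then
            hits=$((hits + 1))
            size=$(wc -c < "$f" | tr -d ' ')
            if command -v sha256sum >/dev/null 2>&1; then
                sum=$(sha256sum "$f" | cut -d' ' -f1)
            else
                sum="n/a"
            fi
            printf 'HIT %s size=%s sha256=%s\n' "$f" "$size" "$sum"
        fi
    done
    return "$hits"
}

# hadooken_miner_procs
#   Linux only: lists running processes whose executable resolves to one of
#   the indicator paths, which catches a miner that is running after the
#   file on disk has been unlinked (the /proc exe link then ends in
#   " (deleted)", which the pattern still matches).
hadooken_miner_procs() {
    [ -d /proc ] || return 0
    for exe in /proc/[0-9]*/exe; do
        target=$(readlink "$exe" 2>/dev/null) || continue
        for p in $HADOOKEN_MINER_PATHS; do
            case "$target" in
                "$p"|"$p (deleted)")
                    pid=${exe#/proc/}
                    pid=${pid%/exe}
                    printf 'RUNNING pid=%s exe=%s\n' "$pid" "$target"
                    ;;
            esac
        done
    done
}
```

Source the file and call `hadooken_miner_check /mnt/evidence` against a mounted image, or `hadooken_miner_check` on the live host followed by `hadooken_miner_procs`. Because the return status is the hit count, `if hadooken_miner_check; then echo clean; fi` reads naturally in a larger triage script, and the hashes printed can be compared against whatever samples the responder already holds.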
Hadooken's second payload is a DDoS bot client known as Tsunami, Amnesia, or Muhstik. This malware has been around since at least 2020 in different variants, but the Aqua researchers have not seen attackers actually make use of it in this campaign after it was deployed. They speculate it could be part of a later stage of the attack.
One of the IP addresses from which Hadooken was downloaded has been associated in the past with campaigns by TeamTNT and Gang 8220, but this link is not strong enough to support any attribution for this new campaign. Different groups of cybercriminals can use the same virtual server hosting companies at different times.