A financially motivated threat actor famous for his cryptojacking attacks has leveraged a modified version of their malicious software to target cloud infrastructures using vulnerabilities in web server technologies, according to new research.

Used by the cyber-crime group in China Rocke, Pro-Ocean’s cryptojacking malware now brings enhanced root and worm capabilities, as well as harboring new bypass tactics to cybersecurity companies ‘detection methods in parallel, Palo Alto Networks’ Unit 42 researchers said in writing Thursday.

“Pro-Ocean uses known vulnerabilities to target cloud applications,” the researchers detailed. “In our analysis, we found Pro-Ocean targeting Apache ActiveMQ (CVE-2016-3088), Oracle WebLogic (CVE-2017-10271) and Redis (uncertain cases).”

“Once installed, the malicious software kills any process that uses the CPU heavily, so that it can use 100% of the CPU and Monero mining efficiently.”

First documented by Cisco Talos in 2018, Rocke was found to distribute and implement crypto-mining malware using a diverse toolkit that includes Git repositories and different payloads like shell scripts, JavaScript backdoors, as well as files portable executable.

While previous variants of the malicious software bank on the ability to target and remove cloud security products developed by Tencent Cloud and Alibaba Cloud through exploitation of bugs in Apache Struts 2, Oracle WebLogic, and Adobe ColdFusion, Pro-Ocean has expanded the breadth of those attack vectors. by aiming for Apache ActiveMQ, Oracle WebLogic, and Redis servers.

Besides its self-propagating features and enhanced disguise techniques that allow it to remain under the radar and spread to unencrypted software on the network, the malicious software, once installed, goes on to uninstall monitoring agents to avoid detection and removal of malicious software and other miners from infected systems. .

To achieve this, it takes advantage of a native Linux feature called LD_PRELOAD to hide its malicious activity, a library called Libprocesshider to stay hidden, and uses a Python infection script that takes the machine’s public IP to infect all machines in the same 16-bit. sub-network (eg, 10.0.XX).

Pro-Ocean also works to eliminate competition by killing malicious software and other miners, including Luoxk, BillGates, XMRig, and Hashfish, running on the threatened host. Additionally, it comes with a watchdog module written in Bash that ensures persistence and takes care of terminating all processes that consume more than 30% of the CPU with the goal of mining Monero efficiently.

“This malicious software is an example that demonstrates that cloud provider security solutions may not be sufficient to prevent malicious bypass software targeted at public cloud infrastructure,” said Unit 42 researcher Aviv Sasson. “This sample has the ability to eliminate agents of some cloud providers and avoid detection.”


Please enter your comment!
Please enter your name here