Known for targeting cloud infrastructure with cryptojacking attacks, the Rocke Group has come back to life. Pro-Ocean, its cloud-targeted cryptojacking malware, has recently been upgraded with rootkit-based detection evasion and worm capabilities.
The Update
Researchers who uncovered the revised version of the Pro-Ocean malware describe its four-module structure: a rootkit module, a mining module, a watchdog module, and an infection module.
- The libprocesshider library, which the malware uses to hide its processes, has been updated with new features; the malware's developer has also added several new code snippets to the library for further functionality.
- To spread with its newly added worm capabilities, Pro-Ocean uses a Python infection script, while its rootkit capabilities help conceal the malicious activity.
- Furthermore, to avoid detection, the malware uninstalls monitoring agents and attempts to remove other malware and miners such as BillGates, Luoxk, Hashfish, and XMRig before installation; after installation, it kills any process that uses the CPU heavily.
- Operators of the Pro-Ocean malware have been exploiting known vulnerabilities to target applications such as Oracle WebLogic (CVE-2017-10271) and Apache ActiveMQ (CVE-2016-3088), as well as unsecured Redis instances.
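To check a Linux host for the readdir()-hooking kind of process hiding described above, here is an added example (my own code, not from the eScan post or from Pro-Ocean's tooling). It assumes procfs at /proc, glibc's /etc/ld.so.preload, and that the hiding library hooks readdir() but not stat(), as libprocesshider does, so probing /proc/<pid> directly still finds the hidden entry.

```python
"""Detect readdir()-based process hiding of the kind libprocesshider performs.

Assumes Linux procfs at /proc and glibc's /etc/ld.so.preload (paths are this
example's assumptions, not from the article). The hook filters directory
listings only, so probing /proc/<pid> with stat() still finds a hidden entry.
"""
import os

PRELOAD_FILE = "/etc/ld.so.preload"


def pids_via_readdir(proc="/proc"):
    """PIDs as a (possibly hooked) readdir() reports them."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def pids_via_stat(proc="/proc", pid_max=None):
    """PIDs found by probing /proc/<pid> directly (slow when pid_max is large)."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            pid_max = int(fh.read())
    return {pid for pid in range(1, pid_max + 1) if os.path.exists(f"{proc}/{pid}")}


def hidden_pids(listed, probed):
    """PIDs reachable on the filesystem but missing from the directory listing."""
    return sorted(probed - listed)


def preload_entries(text):
    """Libraries named in an ld.so.preload file, ignoring blanks and comments.

    The file is normally absent or empty, so any entry deserves a look.
    """
    return [line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def scan_host():
    """Run both checks against the live host and return the findings."""
    preload = []
    if os.path.exists(PRELOAD_FILE):
        with open(PRELOAD_FILE) as fh:
            preload = preload_entries(fh.read())
    return {"preload": preload,
            "hidden": hidden_pids(pids_via_readdir(), pids_via_stat())}


if __name__ == "__main__":
    for key, items in scan_host().items():
        print(key, items or "none")
```

Processes that start or exit between the two enumerations show up as spurious differences, so re-run the scan to confirm a hidden PID before acting on it.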
As a monetization vector, cryptojacking has been cybercriminals' attack of choice for some time now.
- Not long ago, the DreamBus botnet was seen using infected systems to mine Monero cryptocurrency with the XMRig miner.
- A very recent version of OSAMiner used run-only AppleScripts in its cryptocurrency mining campaigns to evade analysis.
The evolution of the Pro-Ocean malware with worm and rootkit capabilities demonstrates the growing trend of sophisticated attacks using cryptojacking or known vulnerabilities. Consequently, our internal experts suggest users stay protected by using a reliable anti-malware security solution like eScan.
To read more, please check eScan Blog