The Rocke Group, known for targeting cloud infrastructures with cryptojacking attacks, is back in action. Its cloud-targeted cryptojacking malware named Pro-Ocean has recently got new and improved rootkit detection-evasion features and worm capabilities.
Palo Alto Unit 42 researchers have uncovered the revised version of the Pro-Ocean malware explaining its four-module structure, consisting of a rootkit module, a mining module, a Watchdog module, and an infection module.
- The updated features have been added in the Libprocesshider library, which is used by the malware for hiding processes. In addition, the malware developer has added several new code snippets to the library for further functionalities.
- Pro-Ocean uses a Python infection script to utilize its newly added worm capabilities. The rootkit capabilities help conceal the malicious activities.
- Furthermore, the malware uninstalls monitoring agents to avoid detection, attempts to remove other malware and miners such as BillGates, Luoxk, Hashfish, and XMRig before installation, and after installation kills any process that uses the CPU heavily.
- Rocke Group has been using the Pro-Ocean malware to exploit known vulnerabilities to target applications such as Oracle WebLogic (CVE-2017-10271), Apache ActiveMQ (CVE-2016-3088), and Redis (unsecured instances).
Cryptojacking is in vogue
As the monetization vector, cryptojacking has been cybercriminals’ choice of attack for past some time.
- Recently, DreamBus botnet was seen leveraging infected systems to mine Monero cryptocurrency using XMRig miner.
- OSAMiner malware’s recent version was using run-only AppleScripts in its cryptocurrency mining campaigns to evade analysis.
The growing threat
The evolution of the Rocke Group’s cloud-targeted Pro-Ocean malware with worm and rootkit capabilities demonstrates the growing trend of sophisticated attacks using cryptojacking or known vulnerabilities. Thus, experts recommend users stay protected by using a reliable anti-malware security solution.