Cryptojacking Malware Adds Rootkit, Worming Capabilities
Researchers: Pro-Ocean Malware Targets Apache, Oracle WebLogic Servers
A recently updated cryptojacking malware variant called Pro-Ocean is targeting vulnerable Apache and Oracle WebLogic servers, according to Palo Alto Networks’ Unit 42.
The malware is tied to a hacking group called Rocke, which has been active since at least 2018. Researchers from Cisco Talos first spotted the group, which is known for mining the Monero virtual currency (see: Obama-Themed Ransomware Also Mines for Monero).
The updated version of Pro-Ocean shows how Rocke has steadily increased its ability to develop malware. The new variant offers worming and rootkit capabilities that enable the malicious code to remain undetected and compromise other vulnerable web servers, the Unit 42 report notes.
"Cryptojacking malware targeting the cloud is evolving as attackers understand the potential of that environment to mine for crypto coins,” the Unit 42 researchers note. “We previously saw simpler attacks by the Rocke Group, but it seems this group presents an ongoing, growing threat. This cloud-targeted malware is not something ordinary, since it has worm and rootkit capabilities. We can assume that the growing trend of sophisticated attacks on the cloud will continue."
The hacking group targets Apache ActiveMQ servers with the vulnerability known as CVE-2016-3088 and Oracle WebLogic servers with the vulnerability CVE-2017-10271, according to the report. The researchers also found the malware takes advantage of unsecured Redis servers - Redis being an in-memory data structure store used as a database.
The Unit 42 report doesn't disclose how the attacks against these vulnerable web servers are initiated. But the researchers found the hacking group is hosting the updated version of Pro-Ocean in legitimate cloud services, such as Tencent Cloud or Alibaba Cloud.
The Pro-Ocean malware, which is written in the Go programming language, comprises several modules that each perform separate functions, the report notes.
Once the malware is planted in a compromised server, one of its modules attempts to kill other processes, including other cryptominers, and then starts mining Monero cryptocurrency.
Pro-Ocean’s new capabilities include a worming ability that uses a Python script instead of a manual process, enabling the malware to target other vulnerable web servers.
"This script retrieves the machine's public IP by accessing an online service that does so in the address 'ident.me' and then tries to infect all the machines in the same 16-bit subnet (e.g. 10.0.X.X)," the Unit 42 report states. “It does this by blindly executing public exploits one after the other in the hope of finding unpatched software it can exploit."
Other hacking groups, such as TeamTNT, have also developed malware with worming capabilities in an effort to target vulnerable cloud resources as part of their cryptomining campaigns (see: Cryptomining Botnet Steals AWS Credentials).
The Unit 42 researchers also found the Pro-Ocean malware uses a rootkit to help disguise its activities. It uses a native Linux feature called LD_PRELOAD, which forces binaries to load specific libraries before others. This allows the preloaded libraries to override any function from any library, according to the report.
"This way, once executed, binaries will load this library and use its functions instead of the functions in the default libraries. This feature is commonly abused by other malware," the researchers say.
As in the previous version of Pro-Ocean, the latest version uses Libprocesshider - a library for hiding processes. But the developers added several code snippets from the internet to gain more rootkit capabilities, the report notes.
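A defender-side check for the LD_PRELOAD technique described above, as an added example (not code from the article or the Unit 42 report): it lists the system-wide /etc/ld.so.preload entries, reports processes whose environment sets LD_PRELOAD, and finds PIDs that a readdir()-filtering hook of the libprocesshider kind hides from ps but that still answer a direct stat() on /proc/<pid>. It assumes a Linux host with a readable /proc; the parsing helpers take their input as arguments so they can be exercised on constructed data.

```python
"""Host checks for LD_PRELOAD-based process hiding (added example, not the
article's or Unit 42's code). Assumes a Linux host with a readable /proc."""
from __future__ import annotations
import os

PRELOAD_FILE = "/etc/ld.so.preload"  # system-wide preload list honoured by ld.so


def preload_entries(text: str) -> list[str]:
    """Parse ld.so.preload content: whitespace-separated paths, '#' comments."""
    paths = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            paths.extend(line.split())
    return paths


def ld_preload_of(environ_blob: bytes) -> str | None:
    """Return the LD_PRELOAD value from a /proc/<pid>/environ blob, if set."""
    for entry in environ_blob.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            return entry[len(b"LD_PRELOAD="):].decode("utf-8", "replace")
    return None


def hidden_pids(listed: set[int], existing: set[int]) -> list[int]:
    """PIDs present on the host but absent from a readdir()-based listing.
    A preloaded readdir() hook filters what ps and `ls /proc` see, but stat()
    on /proc/<pid> is not filtered, so the two views differ on hidden PIDs."""
    return sorted(existing - listed)


def scan_host(pid_max: int | None = None) -> dict:
    """Run the three checks on the live host (slow: stats every possible PID)."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    listed = {int(n) for n in os.listdir("/proc") if n.isdigit()}
    existing = {p for p in range(1, pid_max + 1) if os.path.exists(f"/proc/{p}")}
    env_preload = {}
    for pid in listed:
        try:  # environ is readable only for your own processes, or as root
            with open(f"/proc/{pid}/environ", "rb") as f:
                value = ld_preload_of(f.read())
        except OSError:
            continue
        if value:
            env_preload[pid] = value
    system = preload_entries(open(PRELOAD_FILE).read()) if os.path.isfile(PRELOAD_FILE) else []
    return {"ld_so_preload": system, "env_preload": env_preload,
            "hidden_pids": hidden_pids(listed, existing)}
```

Run `scan_host()` as root for full coverage; any non-empty field is a finding worth triaging, since a clean server normally has no preload entries at all.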