Search This Blog

Showing posts with label Rocke group. Show all posts

Cybersecurity Researchers Identifies an Updated Variant of 'Pro-Ocean' Malware


Cybersecurity experts have discovered an updated version of ‘Pro-Ocean malware’, this malware was used as a weapon by a cybercriminal gang called Rocke Group to target cloud infrastructure with crypto-jacking strikes.

Cybersecurity experts first discovered the Pro-Ocean malware in 2019 and it has evolved to be even more deadly due to its worm capabilities and rootkit detection evasion features. Aviv Sasson with Palo Alto Networks stated that "this malware is an example that demonstrates that cloud providers’ agent-based security solutions may not be enough to prevent evasive malware targeted at public cloud infrastructure."

The Rocke Group has expanded its targeting of cloud applications such as Oracle WebLogic, ActiveMQ, and open-source data structure store Redis for mining Monero. Pro-Ocean malware has been on the radar of many cybersecurity firms since these attacks occurred. The latest malware targets to bypass these detection and mitigation efforts.

Pro-Ocean malware exploits various known vulnerabilities to target cloud applications which includes a severe flaw in Apache ActiveMQ (CVE-2016-3088) and a high severity susceptibility in Oracle WebLogic (CVE-2017-10271). The malware is also known to target vulnerable instances of Redis. After the malware is downloaded it strives to detach other malware and cryptominers, including BillGates, XMRig, Luoxk, and Hashfish. Once downloaded, it kills any process that utilizes the CPU heavily so that it is capable of using 100% of the CPU and mine Monero effectively.

Pro-Ocean malware has four components: A rootkit module that downloads a rootkit and various other malicious services; a mining module that operates the XMRig miner; a Watchdog module that implements two Bash scripts (for checking that the malware is operating and finding out any processes using CPU heavily); and an infection module that carries ‘worm’ capabilities. The latest ‘worm’ feature is a new inclusion for Pro-Ocean malware, which previously have targeted the victims manually, Python infection script is now used by malware to acquire the public IP address of the victim’s machine.

Pro-Ocean malware does this to secure online service with the domain ‘’ which extends out IP addresses for various web servers and then the script attempts to corrupt all the machines in the same 16-bit subnet (e.g., 10.0.X.X).

In this regard, cybersecurity researchers explained that “cryptojacking malware targeting the cloud is evolving as attackers understand the potential of that environment to mine for crypto coins. We previously saw simpler attacks by the Rocke Group, but it seems this group presents an ongoing, growing threat. This cloud-targeted malware is not something ordinary since it has worm and rootkit capabilities. We can assume that the growing trend of sophisticated attacks on the cloud will continue”.

Rocke Group’s Pro Ocean Crypto-jacking Malware now Comes with Worm Feature


The Rocke Group's used cloud-targeted malware for carrying out crypto-jacking attacks for Monero that was documented in 2019 by Unit 42 researchers. Since then, the malware has been present in cybersecurity firms, which hindered the crypto-jacking activity of the Rocke Community. The threat actors behind the attack have reportedly updated the malware as researchers discovered a modified malware version used by the Rocke Community, a cyber-crime gang that attacks crypto-jack cloud infrastructure. 

The malware is known as "Pro Ocean," first detected in 2019, and now includes "worm" features and the detection-evasion features of rootkits. 

For cloud apps, Pro-Ocean utilizes well-known vulnerabilities Pro-Ocean attacked Apache ActiveMQ, Oracle WebLogic (CVE-2017-10271), and Redis in their study. If the malware is built-in Tencent Cloud or Alibaba Cloud, one can disable tracking agents using the same code of the previous malware to prevent detection. If the malware is installed, it destroys any operation that heavily uses the Kernel to use 100% of the CPU and Monero effectively. 

“This malware is an example that demonstrates that cloud providers’ agent-based security solutions may not be enough to prevent evasive malware targeted at public cloud infrastructure,” said Aviv Sasson. “As we saw, this sample can delete some cloud providers’ agents and evade their detection,” Sasson further added. 

The malware is comprised of four components: a rootkit package, which installs a rootkit and many other malice utilities, an XMRig mining module; a Watchdog module with two Bash scripts (to see whether the malware runs a strong CPU scan and some process). 

The latter “worm” feature is a recent Pro-Ocean addition. The ransomware now reverts to the public IP address of the victim's computer with a Python infection script. This is achieved by using an online service, which scopes IP addresses for different web servers with an "" address. The script then attempts in the same 16-Bit subnet to corrupt all computers (e.g. 10.0.X.X). The Pro-Ocean malware has also added new rootkit capabilities that cloak its malicious activity. 

“It does this by blindly executing public exploits one after the other in the hope of finding unpatched software it can exploit,” said Sasson. Researchers said that they believe, Rocke Group will be constantly modifying its malware, particularly as the cloud expands as a lucrative target for attackers.