The Rocke Group's used cloud-targeted malware for carrying out crypto-jacking attacks for Monero that was documented in 2019 by Unit 42 researchers. Since then, the malware has been present in cybersecurity firms, which hindered the crypto-jacking activity of the Rocke Community. The threat actors behind the attack have reportedly updated the malware as researchers discovered a modified malware version used by the Rocke Community, a cyber-crime gang that attacks crypto-jack cloud infrastructure.
The malware is known as "Pro Ocean," first detected in 2019, and now includes "worm" features and the detection-evasion features of rootkits.
For cloud apps, Pro-Ocean utilizes well-known vulnerabilities Pro-Ocean attacked Apache ActiveMQ, Oracle WebLogic (CVE-2017-10271), and Redis in their study. If the malware is built-in Tencent Cloud or Alibaba Cloud, one can disable tracking agents using the same code of the previous malware to prevent detection. If the malware is installed, it destroys any operation that heavily uses the Kernel to use 100% of the CPU and Monero effectively.
“This malware is an example that demonstrates that cloud providers’ agent-based security solutions may not be enough to prevent evasive malware targeted at public cloud infrastructure,” said Aviv Sasson. “As we saw, this sample can delete some cloud providers’ agents and evade their detection,” Sasson further added.
The malware is comprised of four components: a rootkit package, which installs a rootkit and many other malice utilities, an XMRig mining module; a Watchdog module with two Bash scripts (to see whether the malware runs a strong CPU scan and some process).
The latter “worm” feature is a recent Pro-Ocean addition. The ransomware now reverts to the public IP address of the victim's computer with a Python infection script. This is achieved by using an online service, which scopes IP addresses for different web servers with an "ident.me" address. The script then attempts in the same 16-Bit subnet to corrupt all computers (e.g. 10.0.X.X). The Pro-Ocean malware has also added new rootkit capabilities that cloak its malicious activity.
“It does this by blindly executing public exploits one after the other in the hope of finding unpatched software it can exploit,” said Sasson. Researchers said that they believe, Rocke Group will be constantly modifying its malware, particularly as the cloud expands as a lucrative target for attackers.