New Pro-Ocean worm

Introduction

The Rocke cryptojacking group has not changed its habit of attacking cloud applications and is still exploiting known vulnerabilities to take control of unpatched Oracle WebLogic (CVE-2017-10271) and Apache ActiveMQ (CVE-2016-3088) servers. Unsecured Redis instances are also on the list.

Researchers at Palo Alto Networks who analyzed the malware say it includes “new and improved rootkit and worm features” that allow it to hide its malicious activity and spread to unpatched software on the network.

To stay under the radar, Pro-Ocean uses LD_PRELOAD, a native Linux feature that makes the dynamic loader load specified shared libraries before all others, so their symbols take precedence. The technique is not new and is routinely seen in other malware.

What is new is that the developers have taken the rootkit capabilities a step further by incorporating publicly available code that helps hide the malicious activity.

One example is the open() function of libc, which opens a file and returns its descriptor. The researchers found that the malicious replacement first checks whether the file should be hidden and only then calls the real open().

“If it determines that the file should be hidden, the malicious function will return an error, ‘No such file or directory’, as if the file in question did not exist” – Palo Alto Networks
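The concealment described above leaves traces a responder can check for. The following script is an added example, not code from the article or from Palo Alto Networks; it assumes a Linux host with glibc or musl, a hypothetical allowlist of library directories, and the standard layout of /etc/ld.so.preload and /proc/<pid>/environ. It reports preload entries in unusual locations, processes started with LD_PRELOAD in their environment, and which shared object actually supplies open() in the current process, which is where a hook of the kind the article describes would surface.

```python
"""Host check for LD_PRELOAD-based hooking (added example, not the article's code)."""
import ctypes
import ctypes.util
import os
from typing import Dict, List, Optional, Tuple

# Hypothetical allowlist of directories where preloaded libraries may legitimately live.
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")
# A preload entry pointing into a user-writable location is never legitimate here.
WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm", "/home", "/root")


def parse_ld_preload(text: str) -> List[str]:
    """Parse /etc/ld.so.preload: whitespace-separated paths, '#' starts a comment."""
    entries: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.extend(line.split())
    return entries


def classify_preload_entry(path: str) -> str:
    """'suspicious' for writable, hidden or non-standard locations, else 'trusted'."""
    norm = os.path.normpath(path)
    if any(norm == d or norm.startswith(d + "/") for d in WRITABLE_DIRS):
        return "suspicious"
    if "/." in norm:  # hidden directory or file component, e.g. /usr/lib/.x/libc.so
        return "suspicious"
    if not any(norm.startswith(d + "/") for d in TRUSTED_LIB_DIRS):
        return "suspicious"
    return "trusted"


def ld_preload_from_environ(environ_blob: bytes) -> Optional[str]:
    """Extract LD_PRELOAD from a NUL-separated /proc/<pid>/environ blob, or None."""
    for item in environ_blob.split(b"\0"):
        if item.startswith(b"LD_PRELOAD="):
            return item[len(b"LD_PRELOAD="):].decode(errors="replace")
    return None


class _DlInfo(ctypes.Structure):
    """Mirror of the C `Dl_info` struct filled in by dladdr()."""
    _fields_ = [("dli_fname", ctypes.c_char_p), ("dli_fbase", ctypes.c_void_p),
                ("dli_sname", ctypes.c_char_p), ("dli_saddr", ctypes.c_void_p)]


def symbol_provider(name: str) -> Optional[str]:
    """Path of the shared object that supplies `name` in this process, or None if unknown.

    dlopen(NULL) gives the global symbol scope, so a preloaded library that defines
    `open` wins over libc here exactly as it does inside the hooked victim processes.
    """
    try:
        scope = ctypes.CDLL(None)
        addr = ctypes.cast(getattr(scope, name), ctypes.c_void_p).value
        if hasattr(scope, "dladdr"):
            dl = scope                                   # glibc >= 2.34 and musl: in libc
        else:
            dl = ctypes.CDLL(ctypes.util.find_library("dl"))  # older glibc: libdl
        dl.dladdr.argtypes = [ctypes.c_void_p, ctypes.POINTER(_DlInfo)]
        dl.dladdr.restype = ctypes.c_int
        info = _DlInfo()
        if dl.dladdr(addr, ctypes.byref(info)) == 0 or not info.dli_fname:
            return None
        return info.dli_fname.decode(errors="replace")
    except (OSError, AttributeError, TypeError):
        return None


def scan_host(proc_root: str = "/proc",
              preload_file: str = "/etc/ld.so.preload") -> Dict[str, object]:
    """Run all three checks on the live host (run as root to read every environ)."""
    preload: List[Tuple[str, str]] = []
    if os.path.isfile(preload_file):
        with open(preload_file, encoding="utf-8", errors="replace") as fh:
            preload = [(e, classify_preload_entry(e)) for e in parse_ld_preload(fh.read())]
    procs: Dict[int, str] = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, pid, "environ"), "rb") as fh:
                value = ld_preload_from_environ(fh.read())
        except OSError:
            continue                                     # process exited or not readable
        if value:
            procs[int(pid)] = value
    provider = symbol_provider("open")
    return {
        "preload_entries": preload,
        "processes_with_ld_preload": procs,
        "open_provider": provider,
        "open_provider_suspicious": bool(provider) and classify_preload_entry(provider) == "suspicious",
    }


# Constructed sample data for offline testing of the parsers (not real IoCs).
SAMPLE_PRELOAD = "# constructed\n/usr/lib/libfoo.so\n/usr/local/lib/.x/libc2.so /tmp/libsystemd.so\n"
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/usr/local/lib/.x/libc2.so\0HOME=/root\0"

if __name__ == "__main__":
    import json
    print(json.dumps(scan_host(), indent=2))
```

On a clean host the open() provider is the libc path itself (for example a libc.so.6 under /lib or the musl loader), and a preload hook placed under a trusted directory would not be caught by the path check alone, so compare the reported provider against the libc you expect on that distribution. Because the check runs through the same loader the malware subverts, a hidden /etc/ld.so.preload can still be masked from this script; reading the disk from a rescue system remains the authoritative check.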

Crude self-propagation mechanism

The actors behind Pro-Ocean have also moved from manual exploitation of victims to an unrefined automated process. A Python script obtains the public IP address of the infected machine from the ident.me service, then tries to infect every machine in the same 16-bit subnet (a /16).

There is no targeting in this process; the attackers simply throw public exploits at the discovered hosts, hoping that one of them sticks.

If exploitation succeeds, the Python script delivers a payload that downloads a Pro-Ocean installation script from a remote HTTP server.

The installation script, written in obfuscated Bash, plays an important role in Rocke’s cryptojacking operations. Besides deploying Pro-Ocean, it also eliminates the competition by killing other malware and miners running on the infected host.

It also gives Pro-Ocean unrestricted network access by removing the iptables firewall and uninstalling monitoring agents that could raise an alarm.

The cryptojacking gang also tries to get the most processing power for its Monero mining. To this end, Pro-Ocean ships with a module that monitors the CPU usage of the legitimate processes running on the host and kills any that use more than 30%.

The same module keeps mining downtime to a minimum by checking whether the miner is running on the machine and starting it if it is not.
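The spreading behaviour described above (one infected host sweeping its entire /16 for the same few services) is noisy on the network and is a better detection point than the installer, which removes the host-side monitoring. The following is an added example, not code from the article or from Palo Alto Networks: a small detector that runs over a constructed connection log in the form "<unix_ts> <src_ip> -> <dst_ip>:<dst_port>" and flags any source that contacts many distinct hosts inside its own 16-bit subnet on the services' ports within a short window. The ports are the assumed defaults of the services the article names (WebLogic 7001, ActiveMQ web console 8161, Redis 6379); the threshold and window are hypothetical values to tune per environment.

```python
"""Flag hosts sweeping their own /16 for WebLogic, ActiveMQ and Redis (added example)."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

WATCHED_PORTS = {7001, 8161, 6379}   # assumed service defaults; not stated in the article
DISTINCT_HOST_THRESHOLD = 20         # hypothetical: distinct in-subnet targets per window
WINDOW_SECONDS = 60                  # hypothetical window length

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\S+):(\d+)$")


def parse_line(line: str) -> Optional[Tuple[int, str, str, int]]:
    """Return (ts, src, dst, port) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port = m.groups()
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
    except ValueError:
        return None
    return int(ts), src, dst, int(port)


def same_16bit_subnet(a: str, b: str) -> bool:
    """True when b lies in the /16 that contains a (10.20.3.9 -> 10.20.0.0/16)."""
    return ipaddress.ip_address(b) in ipaddress.ip_network(f"{a}/16", strict=False)


def max_distinct_in_window(events: List[Tuple[int, str]], window: int) -> int:
    """Largest number of distinct targets seen in any `window`-second span."""
    events = sorted(events)
    counts: Dict[str, int] = defaultdict(int)
    best = left = 0
    for ts, dst in events:
        counts[dst] += 1
        while events[left][0] < ts - window:       # drop events older than the window
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def find_sweepers(lines: List[str], threshold: int = DISTINCT_HOST_THRESHOLD,
                  window: int = WINDOW_SECONDS) -> Dict[str, int]:
    """Map each sweeping source IP to its peak count of distinct in-subnet targets."""
    per_src: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, port = parsed
        if port not in WATCHED_PORTS or src == dst or not same_16bit_subnet(src, dst):
            continue
        per_src[src].append((ts, dst))
    hits: Dict[str, int] = {}
    for src, events in per_src.items():
        peak = max_distinct_in_window(events, window)
        if peak >= threshold:
            hits[src] = peak
    return hits


def constructed_log() -> List[str]:
    """Synthetic log: a benign admin host, cross-subnet traffic, noise, and one sweeper."""
    t0 = 1612000000
    lines = [f"{t0 + i * 900} 10.20.1.5 -> {dst}:6379"      # three Redis hosts over 30 min
             for i, dst in enumerate(["10.20.1.10", "10.20.1.11", "10.20.2.7"])]
    lines.append(f"{t0} 10.20.1.5 -> 10.30.0.1:7001")         # different /16: not counted
    lines.append("garbage line that does not parse")          # parser must skip it
    for i in range(25):                                        # /16 sweep: 25 hosts in 25 s
        lines.append(f"{t0 + i} 10.20.3.9 -> 10.20.0.{i + 1}:7001")
    return lines


if __name__ == "__main__":
    for src, peak in find_sweepers(constructed_log()).items():
        print(f"ALERT {src}: {peak} distinct in-subnet hosts on watched ports "
              f"within {WINDOW_SECONDS}s")
```

The sliding window matters more than the raw count: an administration host legitimately touches the same services on a handful of machines over a day, whereas the sweeper hits dozens of addresses within seconds, and counting distinct destinations rather than connections keeps a retry loop against one host from triggering the alert. The same logic applies to firewall or flow logs once their lines are mapped onto the (timestamp, source, destination, port) tuple.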

Although the malware currently exploits only two vulnerabilities, Palo Alto Networks says the list could grow, and that Pro-Ocean could target any cloud application if its developer decides to add more exploits.

Based on the analysis, the researchers say Pro-Ocean’s targets are the Alibaba and Tencent cloud services.

The Rocke group was discovered in 2018 by Talos researchers. Previously characterized by simplicity, this actor’s attacks have become more complex in recent times.

While not reaching the sophistication of other malware, Rocke’s cryptomining operations have evolved to include self-propagation features and better concealment tactics.

IOCs

URLs

hxxp://shop.168bee[.]com/
hxxps://shop.168bee[.]com/

SHA256

4ff33180d326765d92e32ec5580f54495bfcdd58a85f908a7ece8d0aedbe5597
220c2ebacafde95ebf4af12bf0d8eedb6004edd103ecb1d6363e7eb5a3e62c01
a81424ec81849950616f932c79db593147b8a01cc6d06d279fd05d61103abdb7
070afdbb4c2c9e499d55cb8fbc08f98e95725b98682586d42f84fd7181eae1cb
0a3898da2c6e31f1eed4497c4e4e3cf24138981f35cb3d190b81ba4b24ab3df0
26a126fd5cd47b62bb5ae3116a509caf84da1ccd414e632f898aec0948cb0dbf
37e1c05cc683bac5fe97763023a228a4ca4e0439acc94695724f67b7e0275ece
d3e95ae2f01be948dd11157873b3c84cb3e76dea1b382bcfb2c0cb09a949497c
713b5447a51a4b930222491a2dfb5b948a5da6860d80cd8663c99432c1e0812f
0f7abdceae4353c4a6a8ed6b5d261df0f94c2c52709dd50d38003192492e7d3b
bfea86bb68b51c6875d541c92bb48b38298982efbe12cf918873642235b99eeb
575945f6f5149dc48c4a665fcab0cbdbedec1e18b887abe837ed987a7253ad02
abb36bc19b82a026f7d70919c64ed987ebb71420b04bb848275547e99da485bd
7888925fe143add65f2ad928a7ee4e4b864d421fde57fac0cb2b218e70fe4d31

SHA1

d40e05cd8632188552b6298e972258fca86620cf
1f9f127ae91b383e0684299d808cd47f1c2d2eeb
3acf48b8cc201d0c41138e9969040e882e14ba7a

MD5

ec5aa036aa1136dd7ef913dcf497fa59
df146b4994fba1c3ef182e4cadbabf97
71a4a16e8b1fcfb375f34a664f2db176