Tuesday, May 13, 2025
HomeMalwareBeware!! New Cryptojacking Malware Attacking Apache, Oracle, Redis Servers

Beware!! New Cryptojacking Malware Attacking Apache, Oracle, Redis Servers

Published on

SIEM as a Service

Follow Us on Google News

The security researchers at unit 42 are keeping a stern eye on China-based cybercrime group Rocke. This hacking group was detected in 2019 for using cloud-targeted malware, and since then, the cybersecurity research company had the malware on their radar.

Now once again, the experts have detected that the financially-motivated Rocke hacking group is using a new piece of Cryptojacking malware named Pro-Ocean to target all the vulnerable servers of Apache ActiveMQ, Oracle WebLogic, and Redis.

Pro-Ocean Cryptojacking malware now arises with advanced rootkit and worm abilities; not only this but the harbors are now using the new avoidance tactics to sidestep cybersecurity companies.

- Advertisement - Google News

Malware

This new malware has disguised itself, and it packs an XMRig miner, which is disreputable for its use in every Cryptojacking operation. That’s why the security experts have also mentioned some key point about the malware, and here they are:-

  • In this malware, the binary is being gathered using UPX, which implies that the actual malware is stuffed inside the binary and is extorted and accomplished during the binary execution.
  • This new malware has Advanced static analysis tools that can easily unpack the UPX binaries and scan their content. But in this Cryptojacking target, the UPX magic string has been removed from the binary. Therefore, the static analysis tools cannot recognize this binary as UPX and unwrap it.
  • In this case of malware, all the modules are gzipped inside the unpacked binary.
  • Inside the gzipped module, the XMRig binary are being stuffed and is packed by UPX that doesn’t have the UPX magic string.

The Pro-Ocean malware is formulated in Go, which is organized with an x64 architecture binary, and it generally targets the typical cloud apps like Apache ActiveMQ, Oracle Weblogic, and Redis.

Modules & Functions

In this new malware, there are four modules of Pro-Ocean, and these modules are gzipped inside the binary and are removed and executed one by one with four different functions; and here are the functions and modules are mentioned below:-

Four functions:-

  • main_ReleaseExe
  • main_ReleaseExelk
  • main_ReleaseExerkt
  • main_ReleaseExescan

Four modules:-

  • Rootkit Module
  • Mining Module
  • Watchdog Module
  • Infection Module

List of the vulnerable software

The security experts have published a full list of vulnerable software that Pro-Ocean have exploited, and here we have mentioned them below:-

  • Apache ActiveMQ – CVE-2016-3088.
  • Oracle WebLogic – CVE-2017-10271.
  • Redis – unsecured instances.

According to the report that has been asserted by the experts, Pro-Ocean also operates to eliminate opposition by killing other malware and miners, and all these include Luoxk, BillGates, XMRig, and Hashfish, and all these runs on the negotiated host. 

Moreover, this new malware comes with a watchdog module that is being written in Bash that guarantees endurance and takes care of dismissing all the processes that are being utilized by more than 30% of the CPU with the purpose of mining Monero efficiently.

Apart from this, more information are yet to extract, as the experts are trying to circulate all the necessary details regarding this malware. So, the list of vulnerable software are still not finite; however, this malware is an illustration that demonstrates cloud providers’ agent-based security answers.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Lumma Stealer Upgraded with PowerShell Tools and Advanced Evasion Techniques

Sophos Managed Detection and Response (MDR) in September 2024, the notorious Lumma Stealer malware...

New Noodlophile Malware Spreads Through Fake AI Video Generation Platforms

Cybercriminals have unleashed a new malware campaign using fake AI video generation platforms as...

Kimsuky Hacker Group Deploys New Phishing Techniques and Malware Campaigns

The North Korean state-sponsored Advanced Persistent Threat (APT) group Kimsuky, also known as “Black...

APT37 Hackers Use Weaponized LNK Files and Dropbox for Command-and-Control Operations

The North Korean state-sponsored hacking group APT37, also known as ScarCruft, launched a spear...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Lumma Stealer Upgraded with PowerShell Tools and Advanced Evasion Techniques

Sophos Managed Detection and Response (MDR) in September 2024, the notorious Lumma Stealer malware...

New Noodlophile Malware Spreads Through Fake AI Video Generation Platforms

Cybercriminals have unleashed a new malware campaign using fake AI video generation platforms as...

Kimsuky Hacker Group Deploys New Phishing Techniques and Malware Campaigns

The North Korean state-sponsored Advanced Persistent Threat (APT) group Kimsuky, also known as “Black...