Thursday, March 28, 2024

Beware!! New Cryptojacking Malware Attacking Apache, Oracle, Redis Servers

The security researchers at unit 42 are keeping a stern eye on China-based cybercrime group Rocke. This hacking group was detected in 2019 for using cloud-targeted malware, and since then, the cybersecurity research company had the malware on their radar.

Now once again, the experts have detected that the financially-motivated Rocke hacking group is using a new piece of Cryptojacking malware named Pro-Ocean to target all the vulnerable servers of Apache ActiveMQ, Oracle WebLogic, and Redis.

Pro-Ocean Cryptojacking malware now arises with advanced rootkit and worm abilities; not only this but the harbors are now using the new avoidance tactics to sidestep cybersecurity companies.

Malware

This new malware has disguised itself, and it packs an XMRig miner, which is disreputable for its use in every Cryptojacking operation. That’s why the security experts have also mentioned some key point about the malware, and here they are:-

  • In this malware, the binary is being gathered using UPX, which implies that the actual malware is stuffed inside the binary and is extorted and accomplished during the binary execution.
  • This new malware has Advanced static analysis tools that can easily unpack the UPX binaries and scan their content. But in this Cryptojacking target, the UPX magic string has been removed from the binary. Therefore, the static analysis tools cannot recognize this binary as UPX and unwrap it.
  • In this case of malware, all the modules are gzipped inside the unpacked binary.
  • Inside the gzipped module, the XMRig binary are being stuffed and is packed by UPX that doesn’t have the UPX magic string.

The Pro-Ocean malware is formulated in Go, which is organized with an x64 architecture binary, and it generally targets the typical cloud apps like Apache ActiveMQ, Oracle Weblogic, and Redis.

Modules & Functions

In this new malware, there are four modules of Pro-Ocean, and these modules are gzipped inside the binary and are removed and executed one by one with four different functions; and here are the functions and modules are mentioned below:-

Four functions:-

  • main_ReleaseExe
  • main_ReleaseExelk
  • main_ReleaseExerkt
  • main_ReleaseExescan

Four modules:-

  • Rootkit Module
  • Mining Module
  • Watchdog Module
  • Infection Module

List of the vulnerable software

The security experts have published a full list of vulnerable software that Pro-Ocean have exploited, and here we have mentioned them below:-

  • Apache ActiveMQ – CVE-2016-3088.
  • Oracle WebLogic – CVE-2017-10271.
  • Redis – unsecured instances.

According to the report that has been asserted by the experts, Pro-Ocean also operates to eliminate opposition by killing other malware and miners, and all these include Luoxk, BillGates, XMRig, and Hashfish, and all these runs on the negotiated host. 

Moreover, this new malware comes with a watchdog module that is being written in Bash that guarantees endurance and takes care of dismissing all the processes that are being utilized by more than 30% of the CPU with the purpose of mining Monero efficiently.

Apart from this, more information are yet to extract, as the experts are trying to circulate all the necessary details regarding this malware. So, the list of vulnerable software are still not finite; however, this malware is an illustration that demonstrates cloud providers’ agent-based security answers.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles