Beware!! New Cryptojacking Malware Attacking Apache, Oracle, Redis Servers

The security researchers at unit 42 are keeping a stern eye on China-based cybercrime group Rocke. This hacking group was detected in 2019 for using cloud-targeted malware, and since then, the cybersecurity research company had the malware on their radar.

Now once again, the experts have detected that the financially-motivated Rocke hacking group is using a new piece of Cryptojacking malware named Pro-Ocean to target all the vulnerable servers of Apache ActiveMQ, Oracle WebLogic, and Redis.

Pro-Ocean Cryptojacking malware now arises with advanced rootkit and worm abilities; not only this but the harbors are now using the new avoidance tactics to sidestep cybersecurity companies.


This new malware has disguised itself, and it packs an XMRig miner, which is disreputable for its use in every Cryptojacking operation. That’s why the security experts have also mentioned some key point about the malware, and here they are:-

  • In this malware, the binary is being gathered using UPX, which implies that the actual malware is stuffed inside the binary and is extorted and accomplished during the binary execution.
  • This new malware has Advanced static analysis tools that can easily unpack the UPX binaries and scan their content. But in this Cryptojacking target, the UPX magic string has been removed from the binary. Therefore, the static analysis tools cannot recognize this binary as UPX and unwrap it.
  • In this case of malware, all the modules are gzipped inside the unpacked binary.
  • Inside the gzipped module, the XMRig binary are being stuffed and is packed by UPX that doesn’t have the UPX magic string.

The Pro-Ocean malware is formulated in Go, which is organized with an x64 architecture binary, and it generally targets the typical cloud apps like Apache ActiveMQ, Oracle Weblogic, and Redis.

Modules & Functions

In this new malware, there are four modules of Pro-Ocean, and these modules are gzipped inside the binary and are removed and executed one by one with four different functions; and here are the functions and modules are mentioned below:-

Four functions:-

  • main_ReleaseExe
  • main_ReleaseExelk
  • main_ReleaseExerkt
  • main_ReleaseExescan

Four modules:-

  • Rootkit Module
  • Mining Module
  • Watchdog Module
  • Infection Module

List of the vulnerable software

The security experts have published a full list of vulnerable software that Pro-Ocean have exploited, and here we have mentioned them below:-

  • Apache ActiveMQ – CVE-2016-3088.
  • Oracle WebLogic – CVE-2017-10271.
  • Redis – unsecured instances.

According to the report that has been asserted by the experts, Pro-Ocean also operates to eliminate opposition by killing other malware and miners, and all these include Luoxk, BillGates, XMRig, and Hashfish, and all these runs on the negotiated host. 

Moreover, this new malware comes with a watchdog module that is being written in Bash that guarantees endurance and takes care of dismissing all the processes that are being utilized by more than 30% of the CPU with the purpose of mining Monero efficiently.

Apart from this, more information are yet to extract, as the experts are trying to circulate all the necessary details regarding this malware. So, the list of vulnerable software are still not finite; however, this malware is an illustration that demonstrates cloud providers’ agent-based security answers.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Leave a Reply