Tuesday, April 29, 2025
HomeMalwareBeware!! New Cryptojacking Malware Attacking Apache, Oracle, Redis Servers

Beware!! New Cryptojacking Malware Attacking Apache, Oracle, Redis Servers

Published on

SIEM as a Service

Follow Us on Google News

The security researchers at unit 42 are keeping a stern eye on China-based cybercrime group Rocke. This hacking group was detected in 2019 for using cloud-targeted malware, and since then, the cybersecurity research company had the malware on their radar.

Now once again, the experts have detected that the financially-motivated Rocke hacking group is using a new piece of Cryptojacking malware named Pro-Ocean to target all the vulnerable servers of Apache ActiveMQ, Oracle WebLogic, and Redis.

Pro-Ocean Cryptojacking malware now arises with advanced rootkit and worm abilities; not only this but the harbors are now using the new avoidance tactics to sidestep cybersecurity companies.

- Advertisement - Google News

Malware

This new malware has disguised itself, and it packs an XMRig miner, which is disreputable for its use in every Cryptojacking operation. That’s why the security experts have also mentioned some key point about the malware, and here they are:-

  • In this malware, the binary is being gathered using UPX, which implies that the actual malware is stuffed inside the binary and is extorted and accomplished during the binary execution.
  • This new malware has Advanced static analysis tools that can easily unpack the UPX binaries and scan their content. But in this Cryptojacking target, the UPX magic string has been removed from the binary. Therefore, the static analysis tools cannot recognize this binary as UPX and unwrap it.
  • In this case of malware, all the modules are gzipped inside the unpacked binary.
  • Inside the gzipped module, the XMRig binary are being stuffed and is packed by UPX that doesn’t have the UPX magic string.

The Pro-Ocean malware is formulated in Go, which is organized with an x64 architecture binary, and it generally targets the typical cloud apps like Apache ActiveMQ, Oracle Weblogic, and Redis.

Modules & Functions

In this new malware, there are four modules of Pro-Ocean, and these modules are gzipped inside the binary and are removed and executed one by one with four different functions; and here are the functions and modules are mentioned below:-

Four functions:-

  • main_ReleaseExe
  • main_ReleaseExelk
  • main_ReleaseExerkt
  • main_ReleaseExescan

Four modules:-

  • Rootkit Module
  • Mining Module
  • Watchdog Module
  • Infection Module

List of the vulnerable software

The security experts have published a full list of vulnerable software that Pro-Ocean have exploited, and here we have mentioned them below:-

  • Apache ActiveMQ – CVE-2016-3088.
  • Oracle WebLogic – CVE-2017-10271.
  • Redis – unsecured instances.

According to the report that has been asserted by the experts, Pro-Ocean also operates to eliminate opposition by killing other malware and miners, and all these include Luoxk, BillGates, XMRig, and Hashfish, and all these runs on the negotiated host. 

Moreover, this new malware comes with a watchdog module that is being written in Bash that guarantees endurance and takes care of dismissing all the processes that are being utilized by more than 30% of the CPU with the purpose of mining Monero efficiently.

Apart from this, more information are yet to extract, as the experts are trying to circulate all the necessary details regarding this malware. So, the list of vulnerable software are still not finite; however, this malware is an illustration that demonstrates cloud providers’ agent-based security answers.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Blinded from Above: How Relentless Cyber-Attacks Are Knocking Satellites Out of Sight

According to the Center for Strategic & International Studies' (CSIS) 2025 Space Threat Assessment,...

Google Chrome Vulnerability Allows Attackers to Bypass Sandbox Restrictions – Technical Details Revealed

A severe vulnerability, identified as CVE-2025-2783, has been discovered in Google Chrome, specifically targeting...

Threat Actors Accelerate Transition from Reconnaissance to Compromise – New Report Finds

Cybercriminals are leveraging automation across the entire attack chain, drastically reducing the time from...

ResolverRAT Targets Healthcare and Pharmaceutical Sectors Through Sophisticated Phishing Attacks

A previously undocumented remote access trojan (RAT) named ResolverRAT has surfaced, specifically targeting healthcare...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

RansomHub Ransomware Deploys Malware to Breach Corporate Networks

The eSentire’s Threat Response Unit (TRU) in early March 2025, a sophisticated cyberattack leveraging...

Advanced Multi-Stage Carding Attack Hits Magento Site Using Fake GIFs and Reverse Proxy Malware

A multi-stage carding attack has been uncovered targeting a Magento eCommerce website running an...

Hannibal Stealer: Cracked Variant of Sharp and TX Malware Targets Browsers, Wallets, and FTP Clients

A new cyber threat, dubbed Hannibal Stealer, has surfaced as a rebranded and cracked...