Tuesday, December 3, 2024
HomeMalwareBeware!! New Cryptojacking Malware Attacking Apache, Oracle, Redis Servers

Beware!! New Cryptojacking Malware Attacking Apache, Oracle, Redis Servers

Published on

SIEM as a Service

The security researchers at unit 42 are keeping a stern eye on China-based cybercrime group Rocke. This hacking group was detected in 2019 for using cloud-targeted malware, and since then, the cybersecurity research company had the malware on their radar.

Now once again, the experts have detected that the financially-motivated Rocke hacking group is using a new piece of Cryptojacking malware named Pro-Ocean to target all the vulnerable servers of Apache ActiveMQ, Oracle WebLogic, and Redis.

Pro-Ocean Cryptojacking malware now arises with advanced rootkit and worm abilities; not only this but the harbors are now using the new avoidance tactics to sidestep cybersecurity companies.

- Advertisement - SIEM as a Service

Malware

This new malware has disguised itself, and it packs an XMRig miner, which is disreputable for its use in every Cryptojacking operation. That’s why the security experts have also mentioned some key point about the malware, and here they are:-

  • In this malware, the binary is being gathered using UPX, which implies that the actual malware is stuffed inside the binary and is extorted and accomplished during the binary execution.
  • This new malware has Advanced static analysis tools that can easily unpack the UPX binaries and scan their content. But in this Cryptojacking target, the UPX magic string has been removed from the binary. Therefore, the static analysis tools cannot recognize this binary as UPX and unwrap it.
  • In this case of malware, all the modules are gzipped inside the unpacked binary.
  • Inside the gzipped module, the XMRig binary are being stuffed and is packed by UPX that doesn’t have the UPX magic string.

The Pro-Ocean malware is formulated in Go, which is organized with an x64 architecture binary, and it generally targets the typical cloud apps like Apache ActiveMQ, Oracle Weblogic, and Redis.

Modules & Functions

In this new malware, there are four modules of Pro-Ocean, and these modules are gzipped inside the binary and are removed and executed one by one with four different functions; and here are the functions and modules are mentioned below:-

Four functions:-

  • main_ReleaseExe
  • main_ReleaseExelk
  • main_ReleaseExerkt
  • main_ReleaseExescan

Four modules:-

  • Rootkit Module
  • Mining Module
  • Watchdog Module
  • Infection Module

List of the vulnerable software

The security experts have published a full list of vulnerable software that Pro-Ocean have exploited, and here we have mentioned them below:-

  • Apache ActiveMQ – CVE-2016-3088.
  • Oracle WebLogic – CVE-2017-10271.
  • Redis – unsecured instances.

According to the report that has been asserted by the experts, Pro-Ocean also operates to eliminate opposition by killing other malware and miners, and all these include Luoxk, BillGates, XMRig, and Hashfish, and all these runs on the negotiated host. 

Moreover, this new malware comes with a watchdog module that is being written in Bash that guarantees endurance and takes care of dismissing all the processes that are being utilized by more than 30% of the CPU with the purpose of mining Monero efficiently.

Apart from this, more information are yet to extract, as the experts are trying to circulate all the necessary details regarding this malware. So, the list of vulnerable software are still not finite; however, this malware is an illustration that demonstrates cloud providers’ agent-based security answers.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

PEFT-As-An-Attack, Jailbreaking Language Models For Malicious Prompts

Federated Parameter-Efficient Fine-Tuning (FedPEFT) is a technique that combines parameter-efficient fine-tuning (PEFT) with federated...

Hackers Cloning Websites, Exploiting RCE Flaws To Gain Access To Shopping Platforms

Cybercriminals are leveraging AI-powered phishing attacks, website cloning tools, and RCE exploits to target...

Hackers Exploited Windows Event Logs Tool log Manipulation, And Data Exfiltration

wevtutil.exe, a Windows Event Log management tool, can be abused for LOLBAS attacks. By...

Threat Actors Allegedly Claims Breach of EazyDiner Reservation Platform

Reports have emerged of a potential data breach involving EazyDiner, a leading restaurant reservation...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

ElizaRAT Exploits Google, Telegram, & Slack Services For C2 Communications

APT36, a Pakistani cyber-espionage group, has recently upgraded its arsenal with ElizaRAT, a sophisticated...

New CleverSoar Malware Attacking Windows Users Bypassing Security Mechanisms

CleverSoar, a new malware installer, targets Chinese and Vietnamese users to deploy advanced tools...

Beware Of Malicious PyPI Packages That Inject infostealer Malware

Recent research uncovered a novel crypto-jacking attack targeting the Python Package Index (PyPI), where...