mood Posted January 29, 2021

Rocke Group's Malware Now Has Worm Capabilities

The Pro-Ocean cryptojacking malware now comes with the ability to spread like a worm, as well as harboring new detection-evasion tactics.

Researchers have identified an updated malware variant used by the cybercrime gang Rocke Group that targets cloud infrastructures with crypto-jacking attacks. The malware is called Pro-Ocean, which was first discovered in 2019, and has now been beefed up with "worm" capabilities and rootkit detection-evasion features.

"This malware is an example that demonstrates that cloud providers' agent-based security solutions may not be enough to prevent evasive malware targeted at public cloud infrastructure," said Aviv Sasson with Palo Alto Networks on Thursday. "As we saw, this sample has the capability to delete some cloud providers' agents and evade their detection."

Since its discovery in 2018, the Rocke Group has widened its targeting of cloud applications – including Apache ActiveMQ, Oracle WebLogic and open-source data structure store Redis – for mining Monero. Researchers say that since these attacks initially broke out, many cybersecurity companies have kept Pro-Ocean on their radar. Rocke Group's latest update aims to sidestep these detection and mitigation efforts.

Pro-Ocean Malware

Pro-Ocean uses a variety of known vulnerabilities to target cloud applications. These include a critical flaw in Apache ActiveMQ (CVE-2016-3088) and a high-severity vulnerability in Oracle WebLogic (CVE-2017-10271). The malware has also been spotted targeting unsecure instances of Redis.

Once downloaded, the malware attempts to remove other malware and cryptominers, including Luoxk, BillGates, XMRig and Hashfish. It then kills any processes using the CPU heavily, so that its XMRig miner can utilize 100 percent of the CPU juice needed to sow Monero.

The malware is made up of four components: a rootkit module that installs a rootkit and various other malicious services; a mining module that runs the XMRig miner; a Watchdog module that executes two Bash scripts (these check that the malware is running and search for any processes using the CPU heavily); and an infection module that contains "worm" capabilities.

New Features

The latter "worm" feature is a new addition for Pro-Ocean, which previously only infected victims manually. The malware now uses a Python infection script to retrieve the public IP address of the victim's machine. It does so by accessing an online service with the address "ident.me," which scopes out IP addresses for various web servers. Then, the script tries to infect all the machines in the same 16-bit subnet (e.g. 10.0.X.X).

"It does this by blindly executing public exploits one after the other in the hope of finding unpatched software it can exploit," said Sasson.

Other threat groups have previously adopted worm-like functionality into their Monero-chugging malware. TeamTNT's cryptomining worm, for instance, was found spreading through the Amazon Web Services (AWS) cloud and collecting credentials in August.

The Pro-Ocean malware has also added new rootkit capabilities that cloak its malicious activity. These updated features exist in Libprocesshider, a library for hiding processes used by the malware. This library was utilized by previous versions of Pro-Ocean – however, in the new version, the developer of the code has added several new code snippets to the library for further functionalities.

For example, before calling the libc function open (libc is a library of standard functions that can be used by all C programs), a malicious function determines whether the file needs to be hidden to obfuscate malicious activities. "If it determines that the file needs to be hidden, the malicious function will return a 'No such file or directory' error, as if the file in question does not exist," said Sasson.

Researchers said they believe that the Rocke Group will continue to actively update its malware, particularly as the cloud grows as a lucrative target for attackers.

"Cryptojacking malware targeting the cloud is evolving as attackers understand the potential of that environment to mine for crypto coins. We previously saw simpler attacks by the Rocke Group, but it seems this group presents an ongoing, growing threat. This cloud-targeted malware is not something ordinary since it has worm and rootkit capabilities. We can assume that the growing trend of sophisticated attacks on the cloud will continue."

Source: Rocke Group's Malware Now Has Worm Capabilities
aum Posted February 1, 2021

A financially-motivated threat actor notorious for its cryptojacking attacks has leveraged a revised version of its malware to target cloud infrastructures using vulnerabilities in web server technologies, according to new research.

Deployed by the China-based cybercrime group Rocke, the Pro-Ocean cryptojacking malware now comes with improved rootkit and worm capabilities, and harbors new evasion tactics to sidestep cybersecurity companies' detection methods, Palo Alto Networks' Unit 42 researchers said in a Thursday write-up.

"Pro-Ocean uses known vulnerabilities to target cloud applications," the researchers detailed. "In our analysis, we found Pro-Ocean targeting Apache ActiveMQ (CVE-2016-3088), Oracle WebLogic (CVE-2017-10271) and Redis (unsecure instances)."

"Once installed, the malware kills any process that uses the CPU heavily, so that it's able to use 100% of the CPU and mine Monero efficiently."

First documented by Cisco Talos in 2018, Rocke has been found to distribute and execute crypto-mining malware using a varied toolkit that includes Git repositories and different payloads such as shell scripts, JavaScript backdoors, as well as portable executable files.

While prior variants of the malware banked on the capability to target and remove cloud security products developed by Tencent Cloud and Alibaba Cloud by exploiting flaws in Apache Struts 2, Oracle WebLogic, and Adobe ColdFusion, Pro-Ocean has expanded the breadth of those attack vectors by aiming at Apache ActiveMQ, Oracle WebLogic, and Redis servers.

Besides its self-spreading features and better hiding techniques that allow it to stay under the radar and spread to unpatched software on the network, the malware, once installed, sets about uninstalling monitoring agents to dodge detection and removing other malware and miners from the infected systems.

To achieve this, it takes advantage of a native Linux feature called LD_PRELOAD to mask its malicious activity, a library named Libprocesshider to stay hidden, and uses a Python infection script that takes the machine's public IP to infect all machines in the same 16-bit subnetwork (e.g., 10.0.X.X).

Pro-Ocean also works to eliminate competition by killing other malware and miners, including Luoxk, BillGates, XMRig, and Hashfish, running on the compromised host. In addition, it comes with a watchdog module written in Bash that ensures persistence and takes care of terminating all processes that utilize more than 30% of the CPU with the goal of mining Monero efficiently.

"This malware is an example that demonstrates that cloud providers' agent-based security solutions may not be enough to prevent evasive malware targeted at public cloud infrastructure," Unit 42 researcher Aviv Sasson said. "This sample has the capability to delete some cloud providers' agents and evade their detection."

Source
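Both posts above describe the same hiding mechanism: a library loaded through LD_PRELOAD (Libprocesshider) that hooks libc calls so that hidden processes and files appear not to exist. The script below is an added defender-side check written for this thread; it is not code from either article, from Unit 42, or from the malware. It looks for the two things such a library leaves behind: a preload configured in /etc/ld.so.preload or via LD_PRELOAD in a process environment, and PIDs that a directory listing of /proc no longer reports although /proc/<pid>/stat can still be opened directly (a readdir hook removes the entry, but the kernel still serves the path). The paths used are the standard glibc/Linux ones; the sample inputs in the tests are constructed.

```python
"""Check a Linux host for LD_PRELOAD-based process/file hiding.

Added example for this thread; not the article's or Unit 42's code.
Two independent indicators are checked:
  1. a preload library in /etc/ld.so.preload or in LD_PRELOAD of a live process;
  2. a PID reachable at /proc/<pid> but missing from the /proc listing.
"""
import os
import re
from typing import Callable, Dict, Iterable, List

# Standard glibc/Linux locations (assumed, not taken from the article).
LD_SO_PRELOAD = "/etc/ld.so.preload"
PROC = "/proc"


def parse_ld_so_preload(text: str) -> List[str]:
    """Return the library paths listed in an /etc/ld.so.preload body.

    The dynamic loader accepts whitespace or ':' as separators and
    treats '#' to end-of-line as a comment.
    """
    libs: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        libs.extend(tok for tok in re.split(r"[\s:]+", line) if tok)
    return libs


def ld_preload_from_environ(environ: bytes) -> List[str]:
    """Extract LD_PRELOAD entries from a /proc/<pid>/environ blob (NUL-separated)."""
    for entry in environ.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry[len(b"LD_PRELOAD="):].decode(errors="replace")
            return [tok for tok in re.split(r"[\s:]+", value) if tok]
    return []


def find_hidden_pids(listed: Iterable[int], probe_exists: Callable[[int], bool],
                     pid_max: int) -> List[int]:
    """PIDs that probe_exists() confirms but that the directory listing omitted.

    probe_exists(pid) must not rely on readdir(); a stat() of /proc/<pid>/stat
    goes through a different code path than the one a readdir hook intercepts.
    """
    seen = set(listed)
    return [pid for pid in range(1, pid_max + 1)
            if pid not in seen and probe_exists(pid)]


def scan_live_host() -> Dict[str, object]:
    """Run both checks against the running system (Linux only)."""
    report: Dict[str, object] = {"preload_libs": [], "env_preload": {}, "hidden_pids": []}

    if os.path.exists(LD_SO_PRELOAD):
        with open(LD_SO_PRELOAD) as fh:
            report["preload_libs"] = parse_ld_so_preload(fh.read())

    listed = [int(name) for name in os.listdir(PROC) if name.isdigit()]
    env_hits: Dict[int, List[str]] = {}
    for pid in listed:
        try:
            with open(f"{PROC}/{pid}/environ", "rb") as fh:
                libs = ld_preload_from_environ(fh.read())
        except OSError:
            continue  # permission denied or the process already exited
        if libs:
            env_hits[pid] = libs
    report["env_preload"] = env_hits

    # Probing every PID up to pid_max is a few million stat() calls; it is
    # slow but deliberately independent of the possibly hooked readdir().
    with open(f"{PROC}/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    report["hidden_pids"] = find_hidden_pids(
        listed, lambda p: os.path.exists(f"{PROC}/{p}/stat"), pid_max)
    return report


if __name__ == "__main__":
    print(scan_live_host())
```

One caveat a responder should keep in mind: a library listed in /etc/ld.so.preload is injected into every dynamically linked process, including the Python interpreter running this scan, so results obtained on a suspected host from its own userland are only a first signal. A statically linked tool, or inspection of the mounted disk and the /proc view from a trusted system, is the reliable way to confirm.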
flash13 Posted February 1, 2021

@aum Post merged. Similar topic. Use search before posting.