Pro Ocean known to be Cloud-targeted malware for carrying out crypto-jacking attacks for Monero used by Roche’s group . The threat actors behind the attack have reportedly updated the malware as researchers discovered a modified malware version having a capability of a worm
Pro-Ocean utilizes well-known vulnerabilities on Apache ActiveMQ, Oracle WebLogic (CVE-2017-10271), and Redis . If the malware is built-in Tencent Cloud or Alibaba Cloud, one can disable tracking agents using the same code of the previous malware to prevent detection. If the malware is installed, it destroys any operation that heavily uses the Kernel to use 100% of the CPU and Monero effectively.
This malware is an example that demonstrates that cloud providers agent-based security solutions may not be enough to prevent evasive malware targeted at public cloud infrastructure.
The malware is comprised of four components: a rootkit package, which installs a rootkit and many other malice utilities, an XMRig mining module; a Watchdog module with two Bash scripts. Final module is newly added worm feature
The ransomware now reverts to the public IP address of the victim’s computer with a Python infection script. This is achieved by using an online service, which scopes IP addresses for different web servers with an “ident.me” address. The script then attempts in the same 16-Bit subnet to corrupt all computers (e.g. 10.0.X.X). The Pro-Ocean malware has also added new rootkit capabilities that cloak its malicious activity. Continuously exploiting unpatched softwares in public.